Skip to content

feat(skills): reconcile GitHub repository security advisories in security-issue-sync#775

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/github-advisory-reconcile
Jul 7, 2026
Merged

feat(skills): reconcile GitHub repository security advisories in security-issue-sync#775
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/github-advisory-reconcile

Conversation

@potiuk

@potiuk potiuk commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

  • New subdoc skills/security-issue-sync/github-advisory.md + a pointer from SKILL.md Step 1.
  • For GHSA-sourced trackers (reports filed via GitHub "Report a vulnerability" → a
    repository security advisory on <upstream>), the sync now reconciles the advisory
    record directly via the GitHub repository security advisories REST API instead of
    assuming no API and relaying every reply by email.
  • Access-tier aware: advisory collaborator = read + field-edit (cve_id, severity,
    cwe_ids, vulnerabilities, credits); collaborator-management and publish/state require
    admin/security-manager and are surfaced as hand-offs, never blind-fired (a
    state=published success is permanent + public).
  • Reply path: direct-post primary (open the advisory discussion + copy-pastable block;
    the discussion thread has no REST API at any tier), with the asf-relay email relay kept
    as the no-collaborator fallback. Non-GitHub forwarders unaffected.
  • Records the advisory link(s) as a dedicated clickable tracker field.

Motivation

In real Apache Airflow sync runs the operator is an advisory collaborator on
apache/airflow's repository advisories, so reporter replies and CVE-field reconciliation no
longer need to be relayed through the ASF security team. Verified end-to-end: read +
field-edit work at the collaborator tier (linked a tracker's CVE onto its advisory);
collaborator-management returned 403 "requires administrative/security management rights"
exactly why the gated ops are documented as admin hand-offs, not sync writes.

Originated as an adopter override (.apache-magpie-overrides/security-issue-sync.md,
"Sync GitHub repository security advisories with the tracker").

Migration path for existing adopters

Additive + opt-in. Adopters whose <upstream> is not on GitHub, or whose operator is not an
advisory collaborator, fall through to the existing email-relay path unchanged. No config
knob, no default flip; the subdoc only activates for GHSA-sourced trackers when advisory API
access is present.

Test plan

  • SKIP=lychee prek run --files skills/security-issue-sync/github-advisory.md skills/security-issue-sync/SKILL.md
    → all hooks pass (markdownlint, typos, check-placeholders, skill-and-tool-validate, vendor-neutrality).
  • All intra-repo relative links in the new subdoc resolve.
  • Exercised in the originating adopter: advisory read; field-edit (cve_id link) at collaborator
    tier; collaborator-management + publish confirmed 403 (→ hand-off).

🤖 Generated with Claude Code

…rity-issue-sync

GHSA-sourced trackers (reports filed via GitHub "Report a vulnerability")
were assumed to have "no GitHub API", so every reporter reply was relayed
by email to the hosting security team. GitHub's repository security
advisories REST API now exposes the advisory record for read + field-edit
at the advisory-collaborator tier.

Add skills/security-issue-sync/github-advisory.md: a self-contained
contract for reconciling the advisory record with the tracker — an
access-tier probe (collaborator = read + field-edit; collaborator-mgmt
and publish need admin/security-manager), Step 1 field/state/access drift
detection plus recording the advisory link as a clickable tracker field,
Step 4 field reconcile (cve_id/severity/cwe/affected/credits) with an
admin hand-off for the gated ops, and a direct-post reply path (open the
advisory thread + copy-pastable block; no comment API at any tier) with
the email relay kept as the no-access fallback.

Generated-by: Claude Code (Claude Opus 4.8)
@potiuk potiuk added family:security security-* skills capability:intake Import external signal + sync tracker state labels Jul 7, 2026
@potiuk potiuk merged commit 2f0a21c into apache:main Jul 7, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

capability:intake Import external signal + sync tracker state family:security security-* skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant