feat(skills): reconcile GitHub repository security advisories in security-issue-sync#775
Merged
Merged
Conversation
…rity-issue-sync GHSA-sourced trackers (reports filed via GitHub "Report a vulnerability") were assumed to have "no GitHub API", so every reporter reply was relayed by email to the hosting security team. GitHub's repository security advisories REST API now exposes the advisory record for read + field-edit at the advisory-collaborator tier. Add skills/security-issue-sync/github-advisory.md: a self-contained contract for reconciling the advisory record with the tracker — an access-tier probe (collaborator = read + field-edit; collaborator-mgmt and publish need admin/security-manager), Step 1 field/state/access drift detection plus recording the advisory link as a clickable tracker field, Step 4 field reconcile (cve_id/severity/cwe/affected/credits) with an admin hand-off for the gated ops, and a direct-post reply path (open the advisory thread + copy-pastable block; no comment API at any tier) with the email relay kept as the no-access fallback. Generated-by: Claude Code (Claude Opus 4.8)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
skills/security-issue-sync/github-advisory.md+ a pointer fromSKILL.mdStep 1.repository security advisory on
<upstream>), the sync now reconciles the advisoryrecord directly via the GitHub repository security advisories REST API instead of
assuming no API and relaying every reply by email.
cve_id,severity,cwe_ids,vulnerabilities,credits); collaborator-management and publish/state requireadmin/security-manager and are surfaced as hand-offs, never blind-fired (a
state=publishedsuccess is permanent + public).the discussion thread has no REST API at any tier), with the
asf-relayemail relay keptas the no-collaborator fallback. Non-GitHub forwarders unaffected.
Motivation
In real Apache Airflow sync runs the operator is an advisory collaborator on
apache/airflow's repository advisories, so reporter replies and CVE-field reconciliation nolonger need to be relayed through the ASF security team. Verified end-to-end: read +
field-edit work at the collaborator tier (linked a tracker's CVE onto its advisory);
collaborator-management returned
403 "requires administrative/security management rights"—exactly why the gated ops are documented as admin hand-offs, not sync writes.
Originated as an adopter override (
.apache-magpie-overrides/security-issue-sync.md,"Sync GitHub repository security advisories with the tracker").
Migration path for existing adopters
Additive + opt-in. Adopters whose
<upstream>is not on GitHub, or whose operator is not anadvisory collaborator, fall through to the existing email-relay path unchanged. No config
knob, no default flip; the subdoc only activates for GHSA-sourced trackers when advisory API
access is present.
Test plan
SKIP=lychee prek run --files skills/security-issue-sync/github-advisory.md skills/security-issue-sync/SKILL.md→ all hooks pass (markdownlint, typos, check-placeholders, skill-and-tool-validate, vendor-neutrality).
tier; collaborator-management + publish confirmed 403 (→ hand-off).
🤖 Generated with Claude Code