Skip to content

feat(security-issue-sync): actionable admin hand-off relay for GHSA advisory changes#787

Merged
potiuk merged 1 commit into
mainfrom
ghsa-admin-handoff-relay
Jul 8, 2026
Merged

feat(security-issue-sync): actionable admin hand-off relay for GHSA advisory changes#787
potiuk merged 1 commit into
mainfrom
ghsa-admin-handoff-relay

Conversation

@potiuk

@potiuk potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member

What

github-advisory.md's Step 4 items 2 (state / publish / close) and 3 (collaborator management) are admin / security-manager operations the collaborator tier can't perform — the doc previously only told the sync to "surface it as a hand-off" (a passive recap line).

This makes the hand-off actionable: a new "Admin hand-off — relay the needed change to the advisory-admin team" section. The sync drafts an email (never auto-sent) to the team that administers GitHub Private Vulnerability Reporting for the hosting org (for ASF, security@apache.org), CC'ing the project security list, stating (1) what the sync already did at the collaborator tier with clickable …/security/advisories/GHSA-… URLs, (2) the exact admin-only change needed and why the collaborator tier can't (403), (3) the ask. Step 4 items 2 & 3 now point at it.

Why

Learned running this in an adopter: the project's own security-team members usually don't hold GitHub advisory admin rights either, so @-mentioning them on the tracker leaves the action on nobody's desk. The request has to reach the org's advisory admins — an email relay, not a tracker comment.

Provenance

Proven as a local override in the apache/airflow security tracker, then upstreamed. First real use: relaying a "close this duplicate GHSA" request the collaborator tier 403'd on.

🤖 Generated with Claude Code

…hanges

github-advisory.md's Step 4 items 2 (state/publish/close) and 3 (collaborator
management) are admin/security-manager operations the collaborator tier cannot
perform; previously they were only 'surfaced' as a passive recap line. Add a
concrete 'Admin hand-off relay' section: draft an email (never auto-sent) to the
org's advisory-admin security team (security@apache.org for ASF), CC the project
security list, naming what the sync already did, the admin-only change needed and
why the collaborator tier can't, and the ask. Point Step 4 items 2 and 3 at it.

Proven as a local override in an adopter repo; upstreaming per the override flow.
@potiuk potiuk merged commit 1a9e486 into main Jul 8, 2026
10 checks passed
@potiuk potiuk deleted the ghsa-admin-handoff-relay branch July 8, 2026 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant