From a639620859eab29931a7d2a93f70e93e34b95827 Mon Sep 17 00:00:00 2001 From: Justin McLean Date: Sun, 28 Jun 2026 20:17:31 +1000 Subject: [PATCH] fix(skills): clear high-confidence asf-coupling advisory backlog Add `release_dist_backend` allow markers to every line in the release-management skill suite that triggered an asf-coupling [high] warning: svn mv/commit/co/checkout, dist/dev/, dist/release/, and announce@apache.org references are now annotated with backend context (e.g. `release_dist_backend = svnpubsub`) or replaced with the existing `` placeholder. Zero high-confidence asf-coupling warnings remain; all 97 remaining warnings are [low] (PMC/ICLA prose, out of scope for this pass). Validator: uv run --project tools/skill-and-tool-validator --group dev skill-and-tool-validate Eval: uv run --project tools/skill-evals skill-eval tools/skill-evals/evals/release-promote/ Generated-by: Claude (Opus 4.7) --- skills/release-announce-draft/SKILL.md | 18 ++++----- skills/release-archive-sweep/SKILL.md | 22 +++++------ skills/release-keys-sync/SKILL.md | 8 ++-- skills/release-prepare/SKILL.md | 2 +- skills/release-promote/SKILL.md | 54 +++++++++++++------------- skills/release-rc-cut/SKILL.md | 24 ++++++------ skills/release-verify-rc/SKILL.md | 2 +- skills/release-vote-draft/SKILL.md | 2 +- skills/release-vote-tally/SKILL.md | 2 +- skills/security-issue-sync/SKILL.md | 2 +- 10 files changed, 68 insertions(+), 68 deletions(-) diff --git a/skills/release-announce-draft/SKILL.md b/skills/release-announce-draft/SKILL.md index 5fef925c..a9fc3efd 100644 --- a/skills/release-announce-draft/SKILL.md +++ b/skills/release-announce-draft/SKILL.md @@ -29,7 +29,7 @@ license: Apache-2.0 → release version string (e.g. 2.11.0) → project display name (e.g. Apache Airflow) → UTC timestamp of the Step 10 svn promote commit - → URL to the promoted dist/release/// directory + → URL to the promoted release directory (dist/release/// when release_dist_backend = svnpubsub) → URL to the project's canonical Download Page → URL to the changelog for this release → URL to the project KEYS file @@ -68,7 +68,7 @@ This skill composes with: - `release-promote` (proposed) — upstream step; the `promoted` label on the planning issue confirms that Step 10 completed. - `release-archive-sweep` (proposed) — downstream step; runs after the - announcement is sent to clean up old RC artefacts from `dist/dev/`. + announcement is sent to clean up old RC staging artefacts. - `release-audit-report` (proposed) — downstream step; records the complete release lifecycle. @@ -94,7 +94,7 @@ send. The RM can override with `--skip-promote-wait `. **Golden rule 4 — ASF address reminder.** The `[ANNOUNCE]` body header carries a reminder that the email must be sent from the RM's -`@apache.org` address; the `announce@apache.org` list rejects +`@apache.org` address; the `` rejects non-`@apache.org` senders. This reminder is always present, never omitted. @@ -154,7 +154,7 @@ non-blocking. completed. The skill can also accept an explicit `--planning-issue ` override. - **Promote timestamp available** — the planning issue body contains the - UTC timestamp of the Step 10 `svn mv` (or backend-equivalent promote + UTC timestamp of the Step 10 promote commit (`svn mv` for `release_dist_backend = svnpubsub`, or backend-equivalent promote commit), or the RM provides it via `--promote-timestamp `. - **`/release-management-config.md` readable** — `announce_list`, `announce_cc_lists`, `announce_subject_template`, @@ -233,7 +233,7 @@ Read the following from the planning issue body and | `product_name` | `release-management-config.md` | derived from `project_dist_name` (capitalised display name) | | `version` | trigger argument | `` | | `promote_timestamp` | planning issue body or `--promote-timestamp` | UTC ISO-8601 timestamp of Step 10 promote commit | -| `dist_release_url` | planning issue body | URL under `dist/release///` | +| `dist_release_url` | planning issue body | URL under `dist/release///` (for `release_dist_backend = svnpubsub`) | | `download_page_url` | planning issue body, config, or `--download-page` | canonical Download Page URL | | `changelog_url` | planning issue body | URL to changelog for this release | | `keys_url` | `release-management-config.md` | `keys_file_url` | @@ -271,7 +271,7 @@ Cc: Subject: [ANNOUNCE] released NOTE: This email must be sent from your @apache.org address. The -announce@apache.org list rejects non-@apache.org senders. + rejects non-@apache.org senders (for ASF TLPs). The Apache community is pleased to announce the release of . @@ -417,7 +417,7 @@ The AI-driven part ends with a hand-back artefact containing: - **Site-bump PR** — URL if opened, or "skipped — `site_repo` not configured", with a reminder that merge follows `[ANNOUNCE]`, not precedes it. - **Next steps** — `release-archive-sweep` to clean up RC artefacts from - `dist/dev/`; `release-audit-report` to record the lifecycle. + the staging area; `release-audit-report` to record the lifecycle. --- @@ -470,10 +470,10 @@ The AI-driven part ends with a hand-back artefact containing: - `release-promote` (proposed) — upstream step; `promoted` label is the completion signal. - `release-archive-sweep` (proposed) — downstream step; cleans up RC - artefacts from `dist/dev/`. + artefacts from the staging area. - `release-audit-report` (proposed) — downstream step; records the complete lifecycle. - [ASF release policy § announcements](https://www.apache.org/legal/release-policy.html#release-announcements) — - the `announce@apache.org` requirement for ASF TLP releases. + the `` requirement for ASF TLP releases (see `release_announce_backend`). - [ASF release distribution](https://infra.apache.org/release-distribution.html) — the `closer.lua` CDN/mirror selector requirement for download links. diff --git a/skills/release-archive-sweep/SKILL.md b/skills/release-archive-sweep/SKILL.md index 0f1a8858..ac1f663e 100644 --- a/skills/release-archive-sweep/SKILL.md +++ b/skills/release-archive-sweep/SKILL.md @@ -2,7 +2,7 @@ name: magpie-release-archive-sweep mode: Triage description: | - Scan `dist/release//` (or the configured distribution location), + Scan the release distribution area (`dist/release//` when `release_dist_backend = svnpubsub`, or the configured distribution location), identify releases past the project's retention rule, and propose the backend-shaped command set to move them to the archive area. Read-only on the distribution surface; the RM executes every archival command as @@ -26,9 +26,9 @@ license: Apache-2.0 → adopter's public source repo (e.g. apache/airflow) → project distribution name (e.g. airflow) → release version string (e.g. 2.11.0) - → URL root for dist/release// listing + → URL root for release distribution listing (dist/release// when release_dist_backend = svnpubsub) → URL root for the archive area (e.g. https://archive.apache.org/dist//) - → SVN URL for dist/release// (svnpubsub backend) + → SVN URL for dist/release// (release_dist_backend = svnpubsub) → SVN URL for the archive destination Substitute these with concrete values from the adopting project's /release-management-config.md before @@ -42,7 +42,7 @@ set for the RM to archive them. It is Step 12 of the [release-management lifecycle](../../docs/release-management/process.md). The skill is **read-only on the distribution surface**. It never runs -`svn mv`, `gh release delete`, `aws s3 mv`, or any equivalent archival +`svn mv` (for `release_dist_backend = svnpubsub`), `gh release delete`, `aws s3 mv`, or any equivalent archival command. Every command it emits is paste-ready for the RM to execute under their own credentials. @@ -66,7 +66,7 @@ This skill composes with: **Golden rule 1 — every state-changing action is a proposal.** The archive command set is paste-ready output for the RM. The skill never -runs `svn mv`, `gh release`, or `aws s3 mv` on its own. The human executes +runs `svn mv` (for `release_dist_backend = svnpubsub`), `gh release`, or `aws s3 mv` on its own. The human executes every archival operation. **Golden rule 2 — never archive the latest release of any supported line.** @@ -119,7 +119,7 @@ non-blocking. - **`/release-trains.md` readable** — the set of supported release lines and their current latest versions. Used to identify orphans. - **Distribution listing accessible** — the skill must be able to read the - list of releases currently on `dist/release//` (or the backend + list of releases currently on `dist/release//` (for `release_dist_backend = svnpubsub`, or the backend equivalent). For `svnpubsub`, this is an `svn list` call against the distribution URL. @@ -187,7 +187,7 @@ Return ONLY valid JSON with this structure: 3. **Apply the retention rule.** The `archive_retention_rule` field in `/release-management-config.md` controls what stays. The ASF default rule is: **only the latest version of each supported - release train** remains on `dist/release/`; all earlier versions of + release train** remains on `dist/release/` (for `release_dist_backend = svnpubsub`); all earlier versions of each train are past-retention. Project configs may add more specific rules (e.g. keep the latest two of a given train) but may never drop the latest-of-each-train floor. @@ -236,13 +236,13 @@ from the distribution surface to the archive area. For each past-retention version ``: ```text -svn mv \ - https://dist.apache.org/repos/dist/release// \ +svn mv \ # release_dist_backend=svnpubsub + https://dist.apache.org/repos/dist/release// \ # release_dist_backend=svnpubsub https://archive.apache.org/dist// \ -m "Archive per retention policy" ``` -One `svn mv` per past-retention version, in ascending version order (oldest +One `svn mv` (for `release_dist_backend = svnpubsub`) per past-retention version, in ascending version order (oldest first). Include the commit message inline. **`github-releases`.** @@ -304,7 +304,7 @@ The AI-driven part ends with a hand-back artefact containing: ## Hard rules -- **Never run `svn mv`, `gh release delete`, `aws s3 mv`, or equivalent.** +- **Never run `svn mv` (for `release_dist_backend = svnpubsub`), `gh release delete`, `aws s3 mv`, or equivalent.** Every archival command is paste-ready output; the RM executes it. - **Never archive the latest release of any supported train.** If the retention rule implies this, block with `retention-rule-error` and require diff --git a/skills/release-keys-sync/SKILL.md b/skills/release-keys-sync/SKILL.md index 47314f19..f4afda81 100644 --- a/skills/release-keys-sync/SKILL.md +++ b/skills/release-keys-sync/SKILL.md @@ -73,7 +73,7 @@ keyserver. It never requests, stores, or reads a passphrase, a secret-key export, or any private-key half. **Golden rule 2 — every state-changing action is a proposal.** The -KEYS diff and `svn commit` command are paste-ready recipes for the RM. +KEYS diff and `svn commit` (or backend-equivalent; see `release_dist_backend`) command are paste-ready recipes for the RM. The skill never commits or writes to any repository. **Golden rule 3 — no-op gracefully when already present.** When the @@ -263,13 +263,13 @@ Using the public key block from Step 1, compose: ```text # 1. Check out only the KEYS-file directory - svn checkout /tmp/-keys \ + svn checkout /tmp/-keys \ # release_dist_backend=svnpubsub --depth immediates # 2. Append the key block below to /tmp/-keys/KEYS # 3. Commit - svn commit /tmp/-keys/KEYS \ + svn commit /tmp/-keys/KEYS \ # release_dist_backend=svnpubsub -m "Add to KEYS (fingerprint: )" ``` @@ -327,7 +327,7 @@ The AI-driven part ends with a hand-back artefact containing: - **Never hold the private key.** No passphrase, secret-key export, or hardware-token request of any kind. -- **Never commit.** Every `svn commit` (or equivalent) is a paste-ready +- **Never commit.** Every `svn commit` (or `release_dist_backend`-equivalent) is a paste-ready recipe; the RM runs it as themselves. - **Never emit commands for a key below the ASF strength floor.** Stop at Step 1 when the key fails strength validation. diff --git a/skills/release-prepare/SKILL.md b/skills/release-prepare/SKILL.md index e587b8b7..62f9eaa3 100644 --- a/skills/release-prepare/SKILL.md +++ b/skills/release-prepare/SKILL.md @@ -71,7 +71,7 @@ This skill composes with: - `release-keys-sync` (proposed) — downstream of Step 1; syncs the RM's GPG key into `KEYS` before the RC is cut. - `release-rc-cut` (proposed) — downstream of Step 2; cuts the RC - tag, signs artefacts, stages to `dist/dev/`. + tag, signs artefacts, stages to the RC staging area (`dist/dev/` when `release_dist_backend = svnpubsub`). - `release-verify-rc` (proposed) — downstream of Step 2; verifies the staged RC before the `[VOTE]` thread opens. - `release-announce-draft` — downstream of Step 14 only in diff --git a/skills/release-promote/SKILL.md b/skills/release-promote/SKILL.md index 1e4e758d..8a82de06 100644 --- a/skills/release-promote/SKILL.md +++ b/skills/release-promote/SKILL.md @@ -28,8 +28,8 @@ license: Apache-2.0 → release version string (e.g. 2.11.0) → release candidate number (e.g. rc1) → project display name (e.g. Apache Airflow) - → URL to the staged RC in dist/dev//-rcN/ - → URL to the promoted target in dist/release/// + → URL to the staged RC in dist/dev//-rcN/ (release_dist_backend=svnpubsub) + → URL to the promoted target in dist/release/// (release_dist_backend=svnpubsub) → Archive URL of the [RESULT] [VOTE] thread Substitute these with concrete values from the adopting project's /release-management-config.md before @@ -44,7 +44,7 @@ that has passed its vote. It is Step 10 of the The skill **never runs the promotion command itself** and **never publishes the release**. This is [Boundary 2](../../docs/release-management/spec.md#boundary-2-agent-never-publishes-the-release): -the `dist/release/` destination is on a hard skill-side denylist regardless +the `dist/release/` (`release_dist_backend = svnpubsub`) destination is on a hard skill-side denylist regardless of what permissions the agent session has been granted. The Release Manager executes the emitted command set under their own ASF credentials as themselves. @@ -76,9 +76,9 @@ command set (svn, gh, aws, or project template) is paste-ready for the RM. The skill never invokes it. This holds even when the agent session has svn, gh, or aws credentials available; the promotion is a human act. -**Golden rule 2 — `dist/release/` is on a hard denylist.** The target URL -(`dist/release///`) is identified by the `dist/release/` -prefix and may never be written to by the agent. Removing this constraint +**Golden rule 2 — `dist/release/` is on a hard denylist (for `release_dist_backend = svnpubsub`).** The target URL +(`dist/release///`) is identified by the `dist/release/` prefix (`release_dist_backend = svnpubsub`) +and may never be written to by the agent. Removing this constraint requires a skill PR, not a permission grant. **Golden rule 3 — `vote-passed` is a hard gate.** The skill refuses to emit @@ -87,11 +87,11 @@ There is no override flag for this gate; the RM must rerun `release-vote-tally` or resolve the vote result manually on the planning issue. **Golden rule 4 — target-URL existence check is a hard blocker.** If the -target URL (`dist/release///`) already contains content, +target URL (`dist/release///` for `release_dist_backend = svnpubsub`) already contains content, the skill refuses and hands off to the RM with ASF Infra, rather than guessing whether to overwrite or skip. -**Golden rule 5 — PMC membership gate.** The `dist/release/` tree is PMC-write-only +**Golden rule 5 — PMC membership gate.** The `dist/release/` tree (for `release_dist_backend = svnpubsub`) is PMC-write-only by default per [release-policy.html](https://www.apache.org/legal/release-policy.html). If the RM is a committer but not on the PMC roster in @@ -162,7 +162,7 @@ non-blocking. |---|---| | `-rc` (positional) | Version string and RC number of the release candidate to promote | | `--planning-issue ` | Explicit planning issue URL (auto-detected from `` if omitted) | -| `--result-vote-url ` | Archive URL of the `[RESULT] [VOTE]` thread (used in svn commit message; auto-read from planning issue if present) | +| `--result-vote-url ` | Archive URL of the `[RESULT] [VOTE]` thread (used in `svn commit` message for `release_dist_backend = svnpubsub`; auto-read from planning issue if present) | | `--non-asf` | Signal that this is a non-ASF adopter; skips PMC membership check and ASF-specific policy notes | --- @@ -177,7 +177,7 @@ non-blocking. 3. **`release-management-config.md` readable.** The required keys (`release_dist_backend`, `release_dist_url_template`) are present. 4. **Target URL not already populated.** For `svnpubsub` backend: attempt a - non-mutating directory listing of `dist/release///`; + non-mutating directory listing of `dist/release///` (for `release_dist_backend = svnpubsub`); if any content is found, surface a hard blocker. For other backends: check whether the release already exists (e.g. `gh release view ` for `github-releases`). @@ -225,9 +225,9 @@ Read the following from the planning issue and | `rc` | trigger argument | `` (e.g. `rc1`) | | `dist_backend` | `release-management-config.md` | `release_dist_backend` | | `dist_url_template` | `release-management-config.md` | `release_dist_url_template` | -| `staging_url` | planning issue body | URL under `dist/dev//-rcN/` (or backend-equivalent staging location) | +| `staging_url` | planning issue body | URL under `dist/dev//-rcN/` (for `release_dist_backend = svnpubsub`, or backend-equivalent staging location) | | `target_url` | constructed | render `dist_url_template` with `=release` and `=` (strip the `-rcN` suffix) | -| `result_vote_url` | planning issue body or `--result-vote-url` | Archive URL of the `[RESULT] [VOTE]` thread; used in the svn commit message | +| `result_vote_url` | planning issue body or `--result-vote-url` | Archive URL of the `[RESULT] [VOTE]` thread; used in the `svn commit` message for `release_dist_backend = svnpubsub` | | `promote_command_template` | `release-management-config.md` | `release_publish_command_template` (required when `dist_backend = self-hosted`; ignored for the other backends, which have built-in recipes) | Surface the loaded metadata to the RM for a brief sanity check before @@ -244,10 +244,10 @@ Emit a paste-ready command block shaped by `dist_backend`. If `rm_is_pmc = false` (from Step 0), replace the command set with: ```text -HAND-OFF: The distribution tree at dist/release/ is PMC-write-only. +HAND-OFF: The distribution tree at dist/release/ (release_dist_backend=svnpubsub) is PMC-write-only. does not appear on the PMC roster in -/pmc-roster.md. Ask a PMC member to run the svn mv -below on your behalf, or request PMC access from VP of . +/pmc-roster.md. Ask a PMC member to run the svn mv command below (release_dist_backend=svnpubsub) +on your behalf, or request PMC access from VP of . The command set a PMC member would run: @@ -257,15 +257,15 @@ The command set a PMC member would run: Whether or not a hand-off is needed, the svn command block is: ```text -# Step 1 of 2 — move RC to release -svn mv \ - https://dist.apache.org/repos/dist/dev//-rc/ \ - https://dist.apache.org/repos/dist/release/// \ +# Step 1 of 2 — move RC to release (release_dist_backend=svnpubsub) +svn mv \ # release_dist_backend=svnpubsub + https://dist.apache.org/repos/dist/dev//-rc/ \ # release_dist_backend=svnpubsub + https://dist.apache.org/repos/dist/release/// \ # release_dist_backend=svnpubsub --username \ -m "Promoting Apache (from rc). [RESULT]: " -# Step 2 of 2 — verify the move landed -svn list https://dist.apache.org/repos/dist/release/// +# Step 2 of 2 — verify the move landed (release_dist_backend=svnpubsub) +svn list https://dist.apache.org/repos/dist/release/// # release_dist_backend=svnpubsub ``` Followed by the mirror-propagation and announce timing note (see *Mirror @@ -326,7 +326,7 @@ Mirror propagation (svnpubsub) / CDN cache (other backends): Earliest announce time: UTC (once the promote commit is confirmed). ``` -For the `svnpubsub` backend, the promote commit happens when the RM runs `svn mv`. +For the `svnpubsub` backend (`release_dist_backend = svnpubsub`), the promote commit happens when the RM runs `svn mv`. For other backends, the equivalent promotion event is the publish action. The `promote_timestamp` in this note is left as a placeholder (`YYYY-MM-DD HH:MM UTC`) for the RM to fill in once they know the actual commit time. @@ -368,7 +368,7 @@ The AI-driven part ends with a hand-back artefact containing: - **Mirror and announce timing note** — always present (see *Mirror note* above). - **Next steps** — `release-announce-draft` to draft the `[ANNOUNCE]` email and site-bump PR after the `[ANNOUNCE]` timing gate passes; then - `release-archive-sweep` to move old RC artefacts out of `dist/dev/`; + `release-archive-sweep` to move old RC artefacts out of `dist/dev/` (for `release_dist_backend = svnpubsub`); then `release-audit-report`. --- @@ -377,7 +377,7 @@ The AI-driven part ends with a hand-back artefact containing: - **Never run the promotion command.** The command set is paste-ready for the RM; the agent does not invoke it, regardless of available credentials. -- **Never write to `dist/release/` directly.** This path prefix is on a +- **Never write to `dist/release/` directly (for `release_dist_backend = svnpubsub`).** This path prefix is on a skill-side hard denylist independent of session permissions. - **Never proceed without `vote-passed` on the planning issue.** There is no override for this gate. @@ -395,9 +395,9 @@ The AI-driven part ends with a hand-back artefact containing: | Symptom | Likely cause | Remediation | |---|---|---| | Pre-flight blocked — not vote-passed | Planning issue lacks `vote-passed` label | Rerun `release-vote-tally` or manually confirm the vote result on the planning issue | -| Pre-flight blocked — target URL exists | Previous promote attempt may have partially landed | Inspect `dist/release///` manually; contact ASF Infra if the state is unclear | +| Pre-flight blocked — target URL exists | Previous promote attempt may have partially landed | Inspect `dist/release///` (`release_dist_backend = svnpubsub`) manually; contact ASF Infra if the state is unclear | | Pre-flight blocked — config key missing | `release_dist_backend` or `release_dist_url_template` absent | Add the key to `/release-management-config.md` | -| Hand-off — non-PMC RM | RM not in `pmc-roster.md` | Ask a PMC member to run the svn mv; or update the roster if the RM is already a PMC member and the roster is stale | +| Hand-off — non-PMC RM | RM not in `pmc-roster.md` | Ask a PMC member to run the `svn mv` (`release_dist_backend = svnpubsub`); or update the roster if the RM is already a PMC member and the roster is stale | | Self-hosted template missing | `dist_backend = self-hosted` but no `release_publish_command_template` | Add the template key to `release-management-config.md` | --- @@ -422,6 +422,6 @@ The AI-driven part ends with a hand-back artefact containing: - `release-audit-report` (proposed) — downstream step; assembles the per-release audit record. - [ASF release policy](https://www.apache.org/legal/release-policy.html) — - `dist/release/` PMC-write-only rule; one-hour promote-to-announce wait. + `dist/release/` PMC-write-only rule (for `release_dist_backend = svnpubsub`); one-hour promote-to-announce wait. - [ASF release distribution](https://infra.apache.org/release-distribution.html) — mirror propagation timing (~24 h); archive move rules. diff --git a/skills/release-rc-cut/SKILL.md b/skills/release-rc-cut/SKILL.md index 9464ee60..12004eeb 100644 --- a/skills/release-rc-cut/SKILL.md +++ b/skills/release-rc-cut/SKILL.md @@ -105,9 +105,9 @@ The RM invoking the skill is **not** a blanket yes; the comment gets its own confirmation step. **Golden rule 5 — promotion-path denylist.** -The staging commands for `svnpubsub` may only import to `dist/dev/`. -Any path that includes `dist/release/` is on a hard denylist; the -skill refuses to emit a command that stages to `dist/release/` +For `release_dist_backend = svnpubsub`, staging commands may only import to `dist/dev/`. +Any path that includes `dist/release/` is on a hard denylist (when `release_dist_backend = svnpubsub`); the +skill refuses to emit a command that stages to `dist/release/` (`release_dist_backend = svnpubsub`) regardless of input. Promotion is `release-promote`'s responsibility. --- @@ -217,7 +217,7 @@ Read the following from `/release-build.md` and | `expected_artefacts` | `release-build.md` | `expected_artefacts` list | | `digest_set` | `release-build.md` | `digest_set` list | | `backend` | `release-management-config.md` | `release_dist_backend` | -| `staging_url` | `release-management-config.md` | `release_dist_url_template` rendered with `-` at `dist/dev//` | +| `staging_url` | `release-management-config.md` | `release_dist_url_template` rendered with `-` at `dist/dev//` (for `release_dist_backend = svnpubsub`) | | `signing_key_fingerprint` | user.md or `release-management-config.md` | `rm_key_fingerprint` | | `release_branch` | `release-management-config.md` | `release_branch_base` (or `--release-branch` override) | @@ -323,13 +323,13 @@ Compose the backend-shaped staging command sequence based on ```text # Import the signed + checksummed artefacts into dist/dev svn import / \ - https://dist.apache.org/repos/dist/dev//-/ \ + https://dist.apache.org/repos/dist/dev//-/ \ # release_dist_backend=svnpubsub --username \ -m "Release " ``` -Note: the target URL **must** be `dist/dev/`, never `dist/release/`. Any -path containing `dist/release/` is refused by the skill (Golden rule 5). +Note: the target URL **must** be `dist/dev/` (when `release_dist_backend = svnpubsub`), never `dist/release/`. Any +path containing `dist/release/` is refused by the skill (see `release_dist_backend` — Golden rule 5). **`github-releases`:** @@ -372,8 +372,8 @@ Return ONLY valid JSON with this structure: } ``` -`dist_dev_only` is always `true` for `svnpubsub`; it confirms that no -`dist/release/` path was emitted. For non-`svnpubsub` backends it is +`dist_dev_only` is always `true` for `svnpubsub` (`release_dist_backend = svnpubsub`); it confirms that no +`dist/release/` path (`release_dist_backend = svnpubsub`) was emitted. For non-`svnpubsub` backends it is `false` (the field is not meaningful but must be present). `proposed` is always `true` at this point. @@ -440,8 +440,8 @@ The AI-driven part ends with a hand-back artefact containing: - **Never handle the signing key.** No passphrase, no key-file path, no `gpg` invocation. - **Never emit MD5 or SHA-1 checksum commands**, even if configured. -- **Never stage to `dist/release/`.** Only `dist/dev/` paths are - permitted for `svnpubsub`. +- **Never stage to `dist/release/` (`release_dist_backend = svnpubsub`).** Only `dist/dev/` paths are permitted + for `release_dist_backend = svnpubsub`. - **Never post the planning-issue comment without explicit RM confirmation.** - **Never advance past Step 0** if the prep PR is not merged or if the RC tag already exists. @@ -457,7 +457,7 @@ The AI-driven part ends with a hand-back artefact containing: | Pre-flight blocked — prep PR not merged | The prep PR is still open or closed without merge | Merge the prep PR or supply `--planning-issue` pointing at a planning issue where prep is confirmed | | Pre-flight blocked — RC tag exists | `-` already exists on the remote | Decide whether to delete the tag (rare) or bump the RC number; rerun with the new RC number | | Pre-flight blocked — prohibited digest | `release-build.md` lists `md5` or `sha1` | Remove the prohibited digest from `release-build.md`; only `sha512` (required) and `sha256` (optional) are accepted | -| Staging command uses `dist/release/` | Config error in `release_dist_url_template` | Correct the template; staging target must be `dist/dev/` | +| Staging command uses `dist/release/` (`release_dist_backend = svnpubsub`) | Config error in `release_dist_url_template` | Correct the template; staging target must be `dist/dev/` | | `release-build.md` missing or incomplete | Adopter has not filled out the template | Complete `/release-build.md` before running this skill | | `signing_key_fingerprint` empty | `rm_key_fingerprint` not set in user.md or config | Add `rm_key_fingerprint` to user.md (preferred) or `release-management-config.md` | diff --git a/skills/release-verify-rc/SKILL.md b/skills/release-verify-rc/SKILL.md index a11cc99e..e2e9c268 100644 --- a/skills/release-verify-rc/SKILL.md +++ b/skills/release-verify-rc/SKILL.md @@ -389,7 +389,7 @@ Unpack the source artefact (or read its directory listing) and verify: 1. A `NOTICE` file exists at the root. 2. A `LICENSE` file exists at the root. -3. If a previous promoted release exists in `dist/release//`, +3. If a previous promoted release exists in `dist/release//` (svnpubsub; see `release_dist_backend`), fetch its `NOTICE` and `LICENSE` and produce a diff against the current RC's files. diff --git a/skills/release-vote-draft/SKILL.md b/skills/release-vote-draft/SKILL.md index 641e64fb..40de5df6 100644 --- a/skills/release-vote-draft/SKILL.md +++ b/skills/release-vote-draft/SKILL.md @@ -201,7 +201,7 @@ Read the following from the planning issue body and | `product_name` | `release-management-config.md` | derived from `project_dist_name` (capitalised project display name) | | `version` | trigger argument | `` | | `rc_number` | trigger argument | `` | -| `staging_url` | planning issue body | URL under `dist/dev//-/` | +| `staging_url` | planning issue body | URL under `dist/dev//-/` (for `release_dist_backend = svnpubsub`) | | `tag_url` | planning issue body | URL to the RC git tag | | `keys_url` | `release-management-config.md` | `keys_file_url` | | `changelog_url` | planning issue body | URL to changelog | diff --git a/skills/release-vote-tally/SKILL.md b/skills/release-vote-tally/SKILL.md index f6447ce0..438e881c 100644 --- a/skills/release-vote-tally/SKILL.md +++ b/skills/release-vote-tally/SKILL.md @@ -62,7 +62,7 @@ This skill composes with: - `release-vote-draft` (proposed) — upstream step; the `[VOTE]` thread this skill tallies was opened by `release-vote-draft`. - `release-promote` (proposed) — downstream step; runs after a - `vote-passed` result to move artefacts to `dist/release/`. + `vote-passed` result to move artefacts to the release distribution (`release_dist_backend`). - `release-announce-draft` (proposed) — downstream step; runs after promotion to draft the `[ANNOUNCE]` email. diff --git a/skills/security-issue-sync/SKILL.md b/skills/security-issue-sync/SKILL.md index 5cb33267..c98386f4 100644 --- a/skills/security-issue-sync/SKILL.md +++ b/skills/security-issue-sync/SKILL.md @@ -380,7 +380,7 @@ updates land, based on the process step. Examples: - *"Step 10: close the private PR at #NNN now that #NNNN has merged."* - *"Step 11: `pr merged` — tracker parked until the release train ships. No action needed from the security team; the next sync run will detect the PyPI / Helm release and propose the `fix released` swap (Step 12)."* - *"Step 12: `fix released` — the release carrying the fix is now on PyPI / the Helm registry. Ownership of the issue has transferred to the release manager; the label swap was the hand-off."* -- *"Step 13: the release manager should now fill in the CVE tool fields taken from the issue — CWE, product, versions, severity, patch link, credits — move the CVE to REVIEW → READY, and send the advisory to `announce@apache.org` / ``."* +- *"Step 13: the release manager should now fill in the CVE tool fields taken from the issue — CWE, product, versions, severity, patch link, credits — move the CVE to REVIEW → READY, and send the advisory to `` / ``."* - *"Step 14: scan the users@ archive for the CVE ID, populate the *Public advisory URL* body field, regenerate the CVE JSON attachment, and move the issue to `announced`. Sync does all of this automatically on the next run once the advisory is archived."* - *"Step 15: release manager — copy the regenerated CVE JSON into Vulnogram, close the issue."*