TODO:

April 29, 2026 · View on GitHub

Fast-moving project state. Update every time a release ships, a new release branch opens, or a security-team member joins / rotates off.

Release branches currently in flight

TODO: list the project's active release branches. For each branch:

  • the branch name (e.g. v1-2-test);
  • which next release is expected to cut from it (e.g. 1.2.3);
  • whether new security fixes should default to this branch or a different one.

Example shape:

  • main — becomes the next minor release (X.Y+1.0 eventually).
  • v1-2-test — patch branch for the 1.2.x series. Next patch is 1.2.3.
  • v1-1-test — no further 1.1.x releases planned.

Current release managers

TODO: describe how to authoritatively identify the release manager for a given cut. Two sources usually work:

  1. TODO: the project's release-plan wiki / schedule page.
  2. TODO: the [RESULT][VOTE] thread on the project's <dev-list>. The sender of the [RESULT][VOTE] … message is the release manager for that specific cut.

Known release-manager rotations

TODO: list any active rotation rosters (providers / components / core / chart / …).

Release managers for releases currently relevant to the security tracker

TODO: for each recently-shipped or upcoming release carrying security fixes, record:

  • the release name + date;
  • the release manager (with email + GitHub handle);
  • the source of that attribution (archive URL to the [RESULT][VOTE] thread);
  • which CVEs shipped in it.

When this list becomes stale, the sync skill will surface it as a blocker.

Security team roster

TODO: the authoritative source is the collaborator list of the tracker repository — anyone listed as a collaborator, regardless of permission level, is on the security team.

gh api repos/<tracker>/collaborators --jq '.[].login'

Snapshot (update in the same change as member joins / rotates):

TODO: list of GitHub handles.

What this means for sync and fix skills

TODO: explicit defaults for the generic skills:

  • Default milestone for a new patch-train security issue.
  • Which backport labels the fix skill should apply by default.
  • Legacy / do-not-use milestones (branches that have been retired).
  • Any other sync-surfaced blockers specific to this project.