PSRT GHSA Bot is a GitHub App that automates the Python Security Response Team (PSRT)'s handling of GitHub Security Advisories. It runs hourly (or by manual dispatch) and, for every advisory in the repository, closes those marked as completed, promotes accepted ones from triage to draft, reserves CVE IDs, creates private forks, and adds the PSRT members as collaborators.
```mermaid
flowchart TD
Start([Hourly cron or manual dispatch]):::entry --> Advs[For each repository security advisory]:::loop
Advs --> S{"Advisory state?"}:::decision
S -- Closed --> Skip([Skip advisory]):::terminal
S -- Triage --> Collab
S -- Draft --> Collab
Collab{"PSRT missing as collaborators?"}:::decision
Collab -- yes --> AddCollab[Add PSRT as collaborators]:::write --> Tag
Collab -- no --> Tag
Tag{"Summary has a completion tag?"}:::decision
Tag -- yes --> Close[Close advisory]:::write --> Done([Continue to next advisory]):::terminal
Tag -- "No, Triage" --> Accept{"Summary has an accept tag?"}:::decision
Tag -- "No, Draft" --> Fork
Accept -- yes --> ToDraft[Move to the draft state]:::write --> Fork
Accept -- no --> Update
Fork{"No private fork?"}:::decision
Fork -- yes --> MkFork[Create private fork]:::write --> Cve
Fork -- no --> Cve
Cve{"No CVE ID assigned?"}:::decision
Cve -- yes --> Reserve[Reserve a CVE ID]:::write --> Update
Cve -- no --> Update
Update[Update advisory]:::write --> Done
classDef entry stroke:#0C0,stroke-width:2px;
classDef loop stroke:#00C;
classDef decision stroke:#CC0;
classDef write stroke:#C0C;
classDef terminal stroke:#0C0;
```
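The per-advisory decision logic of the flowchart, written out as a pure Python function (an added example, not the bot's own code). The summary tag strings and PSRT member names are assumptions, since the page does not give them; the function returns the ordered write actions the bot would take, which makes the branching easy to check against the diagram.

```python
"""Decision logic mirroring the PSRT GHSA Bot flowchart (added example, not the bot's code)."""
from dataclasses import dataclass, field
from typing import Optional

# The page does not name the summary tags or PSRT members; these are assumed placeholders.
COMPLETION_TAG = "[psrt:completed]"
ACCEPT_TAG = "[psrt:accepted]"
PSRT_MEMBERS = frozenset({"psrt-member-a", "psrt-member-b"})


@dataclass
class Advisory:
    ghsa_id: str
    state: str                       # "triage", "draft" or "closed"
    summary: str
    collaborators: set = field(default_factory=set)
    has_private_fork: bool = False
    cve_id: Optional[str] = None


def plan_actions(adv: Advisory) -> list:
    """Return the ordered write actions the bot would take for one advisory."""
    if adv.state == "closed":
        return ["skip"]
    if adv.state not in ("triage", "draft"):
        raise ValueError(f"{adv.ghsa_id}: unknown advisory state {adv.state!r}")
    actions = []
    # Collaborators are checked first so the PSRT can see the advisory at all.
    if not PSRT_MEMBERS <= adv.collaborators:
        actions.append("add_collaborators")
    # A completion tag closes the advisory whatever its state.
    if COMPLETION_TAG in adv.summary:
        actions.append("close")
        return actions
    # Triage advisories only move on once accepted; otherwise just update.
    if adv.state == "triage":
        if ACCEPT_TAG not in adv.summary:
            actions.append("update")
            return actions
        actions.append("move_to_draft")
    # Draft (or newly accepted) advisories get a private fork and a CVE ID.
    if not adv.has_private_fork:
        actions.append("create_private_fork")
    if adv.cve_id is None:
        actions.append("reserve_cve")
    actions.append("update")
    return actions
```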