NixOS / ofborg

@ofborg tooling automation https://monitoring.ofborg.org/dashboard/db/ofborg

Home Page: https://ofborg.org

prioritise evaluation for PRs with security label

felschr opened this issue · comments

How about prioritising evaluation for PRs with the 1.severity: security label?
That could speed up the process of patching vulnerabilities.

Related: #397

Another idea: At least for PRs with the security label, ofborg could create automatic backport PRs right away instead of waiting for the original PR to be merged.
This would also start the evaluation right away.

Not entirely sure how problematic that would be with referencing commit hashes in the cherry-picked commits.
Perhaps the PR could be created as a draft (which still invokes evaluation) and once the original PR is merged it could be updated & marked as ready. Ideally without causing another evaluation.

This would simplify & speed up backports of security fixes even further.

Related: #437

Automatic backports would be more suitable for a GitHub Action because ofborg doesn't create commits.

Oh, you're right. I kinda thought those were created by ofborg as well, but I mixed that up.
It might still require some kind of coordination between ofborg & the backport GitHub Action.

What happens when a force-push only updates commit messages, and contents remain unchanged from before?
Does that cause a reevaluation by ofborg? Could that be avoided?
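Whether a force-push that only rewords a commit needs a new evaluation comes down to what Git actually content-addresses: the commit message lives in the commit object, but the files live in the tree object, so two commits with the same tree have identical content no matter how their messages differ. The following is an added example, not ofborg code and not a description of how ofborg works: it reimplements Git's blob, tree and commit object hashing in Python (flat directories only, mode 100644, no submodules) and applies a hypothetical policy, `classify_force_push` (an assumed name), that keys a re-evaluation decision on the tree ID and the parent list. The repository contents, commit identity and the four force-push scenarios are constructed inline.

```python
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """Object ID exactly as Git computes it: SHA-1 over "<kind> <len>\\0<body>"."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)


def tree_id(files: dict) -> str:
    """Tree object for a flat directory (no subdirectories), all entries mode 100644.

    Git stores each entry as "<mode> <name>\\0<20-byte sha>", sorted by name, so the
    tree ID depends only on file names and contents, never on commit metadata.
    """
    body = b""
    for name in sorted(files):
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list, author: str, message: str) -> str:
    """Commit object: tree, parents, author/committer lines, blank line, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


AUTHOR = "Dev <dev@example.org> 1700000000 +0000"  # constructed identity for the example


def make_commit(files: dict, parents: list, message: str) -> dict:
    tree = tree_id(files)
    return {
        "id": commit_id(tree, parents, AUTHOR, message),
        "tree": tree,
        "parents": list(parents),
        "message": message,
    }


def classify_force_push(old_head: dict, new_head: dict) -> str:
    """Hypothetical policy (assumed for this example, not ofborg's).

    Evaluation is keyed on the head tree: an amended message leaves nothing to
    re-evaluate. A rewrite that keeps the tree but moves the parents (squash,
    rebase onto an identical base) changes history but not the files; whether
    that needs a re-run depends on whether evaluation uses the head or a merge.
    """
    if old_head["tree"] != new_head["tree"]:
        return "content-changed"
    if old_head["parents"] != new_head["parents"]:
        return "history-rewritten"
    return "metadata-only"


def demo() -> dict:
    """Constructed scenario: a two-commit fix, then four kinds of force-push."""
    base_files = {"pkg.nix": b'{ version = "1.0"; }\n'}
    base = make_commit(base_files, [], "base")
    fixed = {"pkg.nix": b'{ version = "1.0.1"; }\n'}

    # PR as first pushed: the first commit is incomplete, the second completes it.
    part1 = make_commit({"pkg.nix": b'{ version = "1.0.1"; broken = true; }\n'},
                        [base["id"]], "pkg: 1.0 -> 1.0.1")
    part2 = make_commit(fixed, [part1["id"]], "pkg: fix eval")

    # A: squash into one commit (head tree unchanged, history rewritten)
    squashed = make_commit(fixed, [base["id"]], "pkg: 1.0 -> 1.0.1")
    # B: `git commit --amend` that only rewords the message
    reworded = make_commit(fixed, [base["id"]], "pkg: 1.0 -> 1.0.1\n\nSecurity fix.")
    # C: rebase onto a newer base that added a file (head tree changes)
    newer_base = make_commit({**base_files, "other.nix": b"{ }\n"}, [base["id"]], "other: init")
    rebased = make_commit({**fixed, "other.nix": b"{ }\n"}, [newer_base["id"]], "pkg: 1.0 -> 1.0.1")
    # D: the fix itself is edited
    retouched = make_commit({"pkg.nix": b'{ version = "1.0.2"; }\n'}, [base["id"]], "pkg: 1.0 -> 1.0.1")

    return {
        "squash": classify_force_push(part2, squashed),       # history-rewritten
        "reword": classify_force_push(squashed, reworded),    # metadata-only
        "rebase": classify_force_push(reworded, rebased),     # content-changed
        "retouch": classify_force_push(reworded, retouched),  # content-changed
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real repository the same comparison is `git rev-parse OLD^{tree} NEW^{tree}`: equal output means the force-push touched no file content, so a bot that caches evaluations by tree ID (rather than by commit ID) would not need to start over. The squash case is the edge to keep in mind: the head tree is identical, so a head-based evaluation is reusable, but a merge-based one is only reusable if the merge base did not move.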

> ofborg could create automatic backport PRs right away instead of waiting for the original PR to be merged.

Security responses for the stable release are usually different from those we take for unstable. This means we often cannot backport the change we did to master.