From 36a8c07677310db25e95eb48c80031f0acc01fd7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 20:26:58 +0000 Subject: [PATCH 1/3] Initial plan From cba3096f4b64a3093744ab35043483d2faeff268 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 20:37:41 +0000 Subject: [PATCH 2/3] fix: add campaign labels to worker workflows for discovery Add required agentic-campaign and z_campaign_security-alert-burndown labels to all worker workflows in the security-alert-burndown campaign. This ensures that PRs and issues created by these workflows are properly discovered by the campaign orchestrator. - code-scanning-fixer: Add campaign labels to create-pull-request - dependabot-bundler: Add campaign labels to create-pull-request - secret-scanning-triage: Add campaign labels to create-issue and create-pull-request - Fix reviewers syntax to use array format [copilot] instead of string Without these labels, the campaign discovery precomputation step cannot find campaign items since it searches primarily by the z_campaign_* label. Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/code-scanning-fixer.lock.yml | 4 ++-- .github/workflows/code-scanning-fixer.md | 4 ++-- .github/workflows/dependabot-bundler.lock.yml | 4 ++-- .github/workflows/dependabot-bundler.md | 4 ++-- .github/workflows/secret-scanning-triage.lock.yml | 6 +++--- .github/workflows/secret-scanning-triage.md | 6 +++--- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index c4f5a73d1a..a8ebc39069 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -185,7 +185,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { - "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", + "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[code-scanning-fix] \". Labels [security automated-fix agentic-campaign z_campaign_security-alert-burndown] will be automatically added. Reviewers [copilot] will be assigned.", "inputSchema": { "additionalProperties": false, "properties": { @@ -1445,7 +1445,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"labels\":[\"security\",\"automated-fix\",\"agentic-campaign\",\"z_campaign_security-alert-burndown\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[code-scanning-fix] \"},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | 
diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index 9d62a33318..3fe9ef51fc 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md @@ -24,8 +24,8 @@ tools: safe-outputs: create-pull-request: title-prefix: "[code-scanning-fix] " - labels: [security, automated-fix] - reviewers: copilot + labels: [security, automated-fix, agentic-campaign, z_campaign_security-alert-burndown] + reviewers: [copilot] timeout-minutes: 20 --- diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml index 6288bc3f7d..35ccc2622b 100644 --- a/.github/workflows/dependabot-bundler.lock.yml +++ b/.github/workflows/dependabot-bundler.lock.yml @@ -185,7 +185,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { - "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", + "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[dependabot-bundle] \". Labels [security dependencies dependabot automated-fix agentic-campaign z_campaign_security-alert-burndown] will be automatically added. Reviewers [copilot] will be assigned.", "inputSchema": { "additionalProperties": false, "properties": { 
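Review bot: The campaign label pair `agentic-campaign, z_campaign_security-alert-burndown` is now hard-coded in the `labels:` list under `create-pull-request` in code-scanning-fixer.md, and again in dependabot-bundler.md and in both lists of secret-scanning-triage.md, with nothing in the frontmatter saying that orchestrator discovery depends on it. A comment above each list, e.g. `# campaign labels: orchestrator discovery keys on z_campaign_<campaign-id>; do not rename or drop`, would stop a later label clean-up from silently removing these workflows from the campaign. The commit message says discovery searches primarily by the `z_campaign_*` label, and labels can usually be applied by anyone with triage rights, so a label alone is a weak signal that an item came from a worker. The orchestrator should presumably also check the item's author or the `title-prefix` before treating it as campaign output; that code is not in this patch, so confirm it separately. The frontmatter block starts above the hunk.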
@@ -1347,7 +1347,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"labels\":[\"security\",\"dependencies\",\"dependabot\",\"automated-fix\",\"agentic-campaign\",\"z_campaign_security-alert-burndown\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[dependabot-bundle] \"},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/dependabot-bundler.md b/.github/workflows/dependabot-bundler.md index d8966f6aa4..0b078aa2a9 100644 --- a/.github/workflows/dependabot-bundler.md +++ b/.github/workflows/dependabot-bundler.md @@ -24,8 +24,8 @@ tools: safe-outputs: create-pull-request: title-prefix: "[dependabot-bundle] " - labels: [security, dependencies, dependabot, automated-fix] - reviewers: copilot + labels: [security, dependencies, dependabot, automated-fix, agentic-campaign, z_campaign_security-alert-burndown] + reviewers: [copilot] timeout-minutes: 25 --- diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml index 032f4567d4..1b98295776 100644 --- a/.github/workflows/secret-scanning-triage.lock.yml +++ b/.github/workflows/secret-scanning-triage.lock.yml 
@@ -183,7 +183,7 @@ jobs: cat > /opt/gh-aw/safeoutputs/tools.json << 'EOF' [ { - "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[secret-triage] \". Labels [security secret-scanning triage] will be automatically added.", + "description": "Create a new GitHub issue for tracking bugs, feature requests, or tasks. Use this for actionable work items that need assignment, labeling, and status tracking. For reports, announcements, or status updates that don't require task tracking, use create_discussion instead. CONSTRAINTS: Maximum 1 issue(s) can be created. Title will be prefixed with \"[secret-triage] \". Labels [security secret-scanning triage agentic-campaign z_campaign_security-alert-burndown] will be automatically added.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -223,7 +223,7 @@ jobs: "name": "create_issue" }, { - "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Reviewers [copilot] will be assigned.", + "description": "Create a new GitHub pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. For code review comments on an existing PR, use create_pull_request_review_comment instead. CONSTRAINTS: Maximum 1 pull request(s) can be created. Title will be prefixed with \"[secret-removal] \". Labels [security secret-scanning automated-fix agentic-campaign z_campaign_security-alert-burndown] will be automatically added. Reviewers [copilot] will be assigned.", "inputSchema": { "additionalProperties": false, "properties": { 
@@ -1368,7 +1368,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} - GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"security\",\"secret-scanning\",\"triage\"],\"max\":1,\"title_prefix\":\"[secret-triage] \"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}" + GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_issue\":{\"labels\":[\"security\",\"secret-scanning\",\"triage\",\"agentic-campaign\",\"z_campaign_security-alert-burndown\"],\"max\":1,\"title_prefix\":\"[secret-triage] \"},\"create_pull_request\":{\"base_branch\":\"${{ github.ref_name }}\",\"labels\":[\"security\",\"secret-scanning\",\"automated-fix\",\"agentic-campaign\",\"z_campaign_security-alert-burndown\"],\"max\":1,\"max_patch_size\":1024,\"title_prefix\":\"[secret-removal] \"},\"missing_data\":{},\"missing_tool\":{}}" with: github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/secret-scanning-triage.md b/.github/workflows/secret-scanning-triage.md index aac8dd66e5..ae0c148785 100644 --- a/.github/workflows/secret-scanning-triage.md +++ b/.github/workflows/secret-scanning-triage.md @@ -24,12 +24,12 @@ tools: safe-outputs: create-issue: title-prefix: "[secret-triage] " - labels: [security, secret-scanning, triage] + labels: [security, secret-scanning, triage, agentic-campaign, z_campaign_security-alert-burndown] max: 1 create-pull-request: title-prefix: "[secret-removal] " - labels: [security, secret-scanning, automated-fix] - reviewers: copilot + labels: [security, secret-scanning, automated-fix, agentic-campaign, z_campaign_security-alert-burndown] + reviewers: [copilot] timeout-minutes: 25 --- From 9a55e6b2feedea9eeae4b9d45a0aa1454b71b051 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 20:41:23 +0000 Subject: [PATCH 3/3] docs: add investigation summary and fix documentation Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- specs/artifacts.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/specs/artifacts.md b/specs/artifacts.md index af07146435..f6dd95ef77 100644 --- a/specs/artifacts.md +++ b/specs/artifacts.md @@ -46,6 +46,9 @@ This section provides an overview of artifacts organized by job name, with dupli - `python-source-and-data` - **Paths**: `/tmp/gh-aw/python/*.py`, `/tmp/gh-aw/python/data/*` - **Used in**: 9 workflow(s) - copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-issues-report.md, daily-news.md, daily-repo-chronicle.md, github-mcp-structural-analysis.md, python-data-charts.md, stale-repo-identifier.md, weekly-issue-summary.md +- `repo-memory-campaigns` + - **Paths**: `/tmp/gh-aw/repo-memory/campaigns` + - **Used in**: 1 workflow(s) - code-scanning-fixer.md - `repo-memory-default` - **Paths**: `/tmp/gh-aw/repo-memory/default` - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md @@ -105,6 +108,9 @@ This section provides an overview of artifacts organized by job name, with dupli **Artifacts Downloaded:** +- `repo-memory-campaigns` + - **Download paths**: `/tmp/gh-aw/repo-memory/campaigns` + - **Used in**: 1 workflow(s) - code-scanning-fixer.md - `repo-memory-default` - **Download paths**: `/tmp/gh-aw/repo-memory/default` - **Used in**: 8 workflow(s) - agent-performance-analyzer.md, copilot-pr-nlp-analysis.md, daily-copilot-token-report.md, daily-news.md, deep-report.md, metrics-collector.md, security-compliance.md, workflow-health-manager.md 
@@ -969,6 +975,10 @@ This section provides an overview of artifacts organized by job name, with dupli - `/tmp/gh-aw/sandbox/agent/logs/` - `/tmp/gh-aw/redacted-urls.log` +- **Artifact**: `repo-memory-campaigns` + - **Upload paths**: + - `/tmp/gh-aw/repo-memory/campaigns` + - **Artifact**: `cache-memory` - **Upload paths**: - `/tmp/gh-aw/cache-memory` @@ -988,7 +998,7 @@ This section provides an overview of artifacts organized by job name, with dupli - **Artifact**: `agent-output` (by name) - **Download path**: `/tmp/gh-aw/safeoutputs/` - - **Depends on jobs**: [activation agent detection safe_outputs update_cache_memory] + - **Depends on jobs**: [activation agent detection push_repo_memory safe_outputs update_cache_memory] #### Job: `detection` @@ -1008,6 +1018,14 @@ This section provides an overview of artifacts organized by job name, with dupli - **Download path**: `/tmp/gh-aw/threat-detection/` - **Depends on jobs**: [agent] +#### Job: `push_repo_memory` + +**Downloads:** + +- **Artifact**: `repo-memory-campaigns` (by name) + - **Download path**: `/tmp/gh-aw/repo-memory/campaigns` + - **Depends on jobs**: [agent detection] + #### Job: `safe_outputs` **Downloads:**