diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 1198730230..07ec48722b 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -643,6 +643,15 @@ jobs: You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts. + ## Campaign Context + + This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: + - **3 Code scanning alerts** (this workflow addresses these) + - **1 Dependabot alert** (handled by dependabot-bundler workflow) + - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + + Your focus is on the **3 code scanning alerts**. Process them systematically, one at a time, until all critical and high severity issues are resolved. + ## Important Guidelines **Error Handling**: If you encounter API errors or tool failures: diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md index 54ff6c51cb..40570c7da1 100644 --- a/.github/workflows/code-scanning-fixer.md +++ b/.github/workflows/code-scanning-fixer.md 
@@ -37,6 +37,15 @@ timeout-minutes: 20 You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts. +## Campaign Context + +This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: +- **3 Code scanning alerts** (this workflow addresses these) +- **1 Dependabot alert** (handled by dependabot-bundler workflow) +- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + +Your focus is on the **3 code scanning alerts**. Process them systematically, one at a time, until all critical and high severity issues are resolved. + ## Important Guidelines **Error Handling**: If you encounter API errors or tool failures: diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml index 372f14eb48..6dc0697631 100644 --- a/.github/workflows/dependabot-bundler.lock.yml +++ b/.github/workflows/dependabot-bundler.lock.yml @@ -643,6 +643,15 @@ jobs: You bundle *multiple* Dependabot security updates that belong to the **same manifest** (same `package.json`) into **one pull request**. + ## Campaign Context + + This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: + - **1 Dependabot alert** (this workflow addresses this) + - **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows) + - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + + Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run. + ## Ground rules - Always operate on `owner="githubnext"` and `repo="gh-aw"`. diff --git a/.github/workflows/dependabot-bundler.md b/.github/workflows/dependabot-bundler.md index 736d79fa47..01b57ff774 100644 --- a/.github/workflows/dependabot-bundler.md 
+++ b/.github/workflows/dependabot-bundler.md @@ -37,6 +37,15 @@ timeout-minutes: 25 You bundle *multiple* Dependabot security updates that belong to the **same manifest** (same `package.json`) into **one pull request**. +## Campaign Context + +This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: +- **1 Dependabot alert** (this workflow addresses this) +- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows) +- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + +Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run. + ## Ground rules - Always operate on `owner="githubnext"` and `repo="gh-aw"`. diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml index c9174f0478..d1fa489ace 100644 --- a/.github/workflows/secret-scanning-triage.lock.yml +++ b/.github/workflows/secret-scanning-triage.lock.yml @@ -714,6 +714,15 @@ jobs: You triage **one** open Secret Scanning alert per run. + ## Campaign Context + + This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: + - **17 Secret scanning alerts** (this workflow addresses these) + - **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows) + - **1 Dependabot alert** (handled by dependabot-bundler workflow) + + Your focus is on the **17 secret scanning alerts**. Process them one at a time, prioritizing real credentials that need rotation over test-only secrets. + ## Guardrails - Always operate on `owner="githubnext"` and `repo="gh-aw"`. diff --git a/.github/workflows/secret-scanning-triage.md b/.github/workflows/secret-scanning-triage.md index 7d98f28a42..88fc2b3bfb 100644 
--- a/.github/workflows/secret-scanning-triage.md +++ b/.github/workflows/secret-scanning-triage.md @@ -41,6 +41,15 @@ timeout-minutes: 25 You triage **one** open Secret Scanning alert per run. +## Campaign Context + +This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: +- **17 Secret scanning alerts** (this workflow addresses these) +- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows) +- **1 Dependabot alert** (handled by dependabot-bundler workflow) + +Your focus is on the **17 secret scanning alerts**. Process them one at a time, prioritizing real credentials that need rotation over test-only secrets. + ## Guardrails - Always operate on `owner="githubnext"` and `repo="gh-aw"`. diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 1cdff50441..c2bfe11084 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -618,6 +618,15 @@ jobs: You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning. + ## Campaign Context + + This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: + - **3 Code scanning alerts** (this workflow addresses these) + - **1 Dependabot alert** (handled by dependabot-bundler workflow) + - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + + Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog. + ## Mission When triggered, you must: diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md index a589d1e71e..2b553f01ea 100644 --- a/.github/workflows/security-fix-pr.md 
+++ b/.github/workflows/security-fix-pr.md @@ -38,6 +38,15 @@ timeout-minutes: 20 You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning. +## Campaign Context + +This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository: +- **3 Code scanning alerts** (this workflow addresses these) +- **1 Dependabot alert** (handled by dependabot-bundler workflow) +- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow) + +Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog. + ## Mission When triggered, you must: diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index fc223cbaa5..e6af4d2124 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -296,6 +296,30 @@ jobs: }, "name": "add_labels" }, + { + "description": "Remove labels from an existing GitHub issue or pull request. Silently skips labels that don't exist on the item. Use this to clean up labels or manage label lifecycles (e.g., removing 'needs-review' after review is complete). CONSTRAINTS: Only these labels can be removed: [smoke].", + "inputSchema": { + "additionalProperties": false, + "properties": { + "item_number": { + "description": "Issue or PR number to remove labels from. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). If omitted, removes labels from the item that triggered this workflow.", + "type": "number" + }, + "labels": { + "description": "Label names to remove (e.g., ['smoke', 'needs-triage']). Non-existent labels are silently skipped.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "labels" + ], + "type": "object" + }, + "name": "remove_labels" + }, { "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.", "inputSchema": {
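
Review bot: In the code-scanning-fixer.lock.yml hunk (@@ -643,6 +643,15 @@), the Campaign Context block bakes point-in-time counts ("21 total security findings", "3 Code scanning alerts") into the agent prompt, and those numbers go stale as soon as an alert is fixed, dismissed or newly reported. Suggest labelling them as a snapshot and telling the agent to enumerate the currently open alerts at the start of every run, for example "The counts below were accurate when the campaign was created; always list the open alerts before acting and work from that list." Without that, an agent that sees fewer than 3 open alerts may conclude the campaign is done, and one that sees more may ignore findings that were not counted.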
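
Review bot: The code-scanning-fixer.md hunk (@@ -37,6 +37,15 @@) and the preceding .lock.yml hunk carry the same Campaign Context text, with the lock copy indented inside the generated `jobs:` block, which suggests the lock file is the compiled form of the markdown. Confirm the .lock.yml change was produced by recompiling the .md rather than by hand, since a hand-edited lock file is overwritten on the next compile and the campaign context would silently drop out of the workflow that actually runs. The same applies to the dependabot-bundler, secret-scanning-triage and security-fix-pr pairs below.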
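
Review bot: In the dependabot-bundler.lock.yml hunk (@@ -643,6 +643,15 @@), the ownership bullets disagree with the code-scanning-fixer hunks above: here the 3 code scanning alerts are "handled by code-scanning-fixer and security-fix-pr workflows", while code-scanning-fixer's own prompt says "this workflow addresses these" and does not mention security-fix-pr at all. Suggest one consistent ownership statement across all five prompts, naming a single owner per alert class (or stating which workflow is the fallback), so the agents have the same picture of who acts on what. The "1 Dependabot alert" line also sits directly under a task description about bundling multiple updates; a short clause such as "currently one alert; bundle whatever is open for the affected manifest" would avoid the agent treating the count as a hard limit.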
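
Review bot: In the secret-scanning-triage.lock.yml hunk (@@ -714,6 +714,15 @@), "prioritizing real credentials that need rotation over test-only secrets" introduces a classification the prompt never defines, and the costly failure mode is a live credential being filed as test-only. Suggest spelling out the evidence the agent must use (the alert's validity information where the API provides it, the file location and surrounding code, whether the value is a documented placeholder), requiring the agent to record that reasoning in its triage output, and stating the default explicitly: treat an alert as a real credential unless the evidence shows otherwise. The same wording change belongs in the secret-scanning-triage.md hunk.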
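
Review bot: In the security-fix-pr.lock.yml hunk (@@ -618,6 +618,15 @@), "You can fix up to 5 alerts per run" alongside "3 code scanning alerts" means the per-run cap exceeds the stated backlog, and this workflow and code-scanning-fixer both claim "this workflow addresses these" for the same 3 alerts. Two autonomous workflows acting on the same alert set can open competing pull requests for one finding. Suggest either assigning the alerts to one workflow in both prompts, or adding a deconfliction step: before opening a PR, check for an existing open PR that references the alert number and skip the alert if one is found. Mirror the change in the security-fix-pr.md hunk.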
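
Review bot: In the smoke-codex.lock.yml hunk (@@ -296,6 +296,30 @@), the restriction "CONSTRAINTS: Only these labels can be removed: [smoke]" lives only in the natural-language `description` of the new `remove_labels` tool, so confirm the tool handler enforces the allowlist itself (filtering or rejecting any label outside it and reporting what was dropped); an instruction the model reads is not an access control. Two smaller points on the schema: "Non-existent labels are silently skipped" hides typos, so returning the lists of labels actually removed and labels skipped would make each call auditable, and the `labels` array has no `minItems`, so `"labels": []` is a valid call that does nothing. This hunk has no matching .md change in the diff, which is consistent with the tool definition being emitted by the compiler; if so, the other lock files that expose `add_labels` should pick up the same tool on their next compile.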