From 89770cbfa07459e1cc4033d77db6806800f4464a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 23 Jan 2026 06:43:50 +0000
Subject: [PATCH 1/3] Initial plan

From 21f6c9435baab0e64b0af725f7e6ca25ab1d26bb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 23 Jan 2026 06:49:02 +0000
Subject: [PATCH 2/3] Initial plan for adding security findings baseline documentation
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
.github/workflows/smoke-codex.lock.yml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index fc223cbaa5..e6af4d2124 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -296,6 +296,30 @@ jobs:
 },
 "name": "add_labels"
 },
+ {
+ "description": "Remove labels from an existing GitHub issue or pull request. Silently skips labels that don't exist on the item. Use this to clean up labels or manage label lifecycles (e.g., removing 'needs-review' after review is complete). CONSTRAINTS: Only these labels can be removed: [smoke].",
+ "inputSchema": {
+ "additionalProperties": false,
+ "properties": {
+ "item_number": {
+ "description": "Issue or PR number to remove labels from. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/issues/456). If omitted, removes labels from the item that triggered this workflow.",
+ "type": "number"
+ },
+ "labels": {
+ "description": "Label names to remove (e.g., ['smoke', 'needs-triage']). Non-existent labels are silently skipped.",
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "labels"
+ ],
+ "type": "object"
+ },
+ "name": "remove_labels"
+ },
 {
 "description": "Report that a tool or capability needed to complete the task is not available, or share any information you deem important about missing functionality or limitations. Use this when you cannot accomplish what was requested because the required functionality is missing or access is restricted.",
 "inputSchema": {

From 37e19a8a5987fee16af41f0f6338a21df124b196 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 23 Jan 2026 06:55:14 +0000
Subject: [PATCH 3/3] Add security findings baseline documentation to worker workflows
- Added Campaign Context section to code-scanning-fixer.md
- Added Campaign Context section to security-fix-pr.md
- Added Campaign Context section to dependabot-bundler.md
- Added Campaign Context section to secret-scanning-triage.md
- Documented expected 21 total security findings breakdown:
* 3 Code scanning alerts
* 1 Dependabot alert
* 17 Secret scanning alerts
- Recompiled workflows to update lock files
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
.github/workflows/code-scanning-fixer.lock.yml | 9 +++++++++
.github/workflows/code-scanning-fixer.md | 9 +++++++++
.github/workflows/dependabot-bundler.lock.yml | 9 +++++++++
.github/workflows/dependabot-bundler.md | 9 +++++++++
.github/workflows/secret-scanning-triage.lock.yml | 9 +++++++++
.github/workflows/secret-scanning-triage.md | 9 +++++++++
.github/workflows/security-fix-pr.lock.yml | 9 +++++++++
.github/workflows/security-fix-pr.md | 9 +++++++++
8 files changed, 72 insertions(+)
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
index 1198730230..07ec48722b 100644
--- a/.github/workflows/code-scanning-fixer.lock.yml
+++ b/.github/workflows/code-scanning-fixer.lock.yml
@@ -643,6 +643,15 @@ jobs:
 You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts.
+ ## Campaign Context
+
+ This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+ - **3 Code scanning alerts** (this workflow addresses these)
+ - **1 Dependabot alert** (handled by dependabot-bundler workflow)
+ - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+ Your focus is on the **3 code scanning alerts**. Process them systematically, one at a time, until all critical and high severity issues are resolved.
+
 ## Important Guidelines
 **Error Handling**: If you encounter API errors or tool failures:
diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md
index 54ff6c51cb..40570c7da1 100644
--- a/.github/workflows/code-scanning-fixer.md
+++ b/.github/workflows/code-scanning-fixer.md
@@ -37,6 +37,15 @@ timeout-minutes: 20
 You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts.
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **3 Code scanning alerts** (this workflow addresses these)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **3 code scanning alerts**. Process them systematically, one at a time, until all critical and high severity issues are resolved.
+
 ## Important Guidelines
 **Error Handling**: If you encounter API errors or tool failures:
diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml
index 372f14eb48..6dc0697631 100644
--- a/.github/workflows/dependabot-bundler.lock.yml
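Review bot: In the code-scanning-fixer.md hunk, the bullet `- **3 Code scanning alerts** (this workflow addresses these)` gives this workflow sole ownership of the code scanning alerts, while the dependabot-bundler.md and secret-scanning-triage.md hunks in this same commit say those alerts are handled by both code-scanning-fixer and security-fix-pr, and the security-fix-pr.md hunk makes the same exclusive claim for itself. Two agents pointed at the same three alerts with no coordination rule can open duplicate or conflicting autofix PRs for one alert, so the bullet should name the overlap, e.g. `- **3 Code scanning alerts** (shared with the security-fix-pr workflow; skip alerts that already have an open fix PR)`. The hard-coded 21/3/1/17 counts are also a point-in-time snapshot: once alerts are opened or closed, an agent told to expect a fixed number may stop early or keep searching for findings that no longer exist, and the same applies to the dependabot-bundler.md, secret-scanning-triage.md and security-fix-pr.md hunks. A closing sentence such as `These counts are a baseline as of <baseline date>; the live alert list returned by the API is authoritative.` would make that explicit. The .lock.yml hunks carry the compiled copy of this text, so they would need regenerating after the .md change.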
+++ b/.github/workflows/dependabot-bundler.lock.yml
@@ -643,6 +643,15 @@ jobs:
 You bundle *multiple* Dependabot security updates that belong to the **same manifest** (same `package.json`) into **one pull request**.
+ ## Campaign Context
+
+ This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+ - **1 Dependabot alert** (this workflow addresses this)
+ - **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+ - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+ Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run.
+
 ## Ground rules
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.
diff --git a/.github/workflows/dependabot-bundler.md b/.github/workflows/dependabot-bundler.md
index 736d79fa47..01b57ff774 100644
--- a/.github/workflows/dependabot-bundler.md
+++ b/.github/workflows/dependabot-bundler.md
@@ -37,6 +37,15 @@ timeout-minutes: 25
 You bundle *multiple* Dependabot security updates that belong to the **same manifest** (same `package.json`) into **one pull request**.
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **1 Dependabot alert** (this workflow addresses this)
+- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run.
+
 ## Ground rules
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.
diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml
index c9174f0478..d1fa489ace 100644
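Review bot: `Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run.` in the dependabot-bundler.md hunk sits directly under a purpose line saying the workflow bundles *multiple* Dependabot updates, so the agent cannot tell whether the single alert is the current backlog or a limit on what a run should touch. Wording it as a baseline rather than a scope, e.g. `Your focus is on the Dependabot alerts in this campaign (1 at baseline); bundle all vulnerable packages for a single manifest into one PR per run.`, keeps the bundling behaviour intact when further alerts appear. The compiled dependabot-bundler.lock.yml hunk above repeats this text and would need regenerating.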
--- a/.github/workflows/secret-scanning-triage.lock.yml
+++ b/.github/workflows/secret-scanning-triage.lock.yml
@@ -714,6 +714,15 @@ jobs:
 You triage **one** open Secret Scanning alert per run.
+ ## Campaign Context
+
+ This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+ - **17 Secret scanning alerts** (this workflow addresses these)
+ - **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+ - **1 Dependabot alert** (handled by dependabot-bundler workflow)
+
+ Your focus is on the **17 secret scanning alerts**. Process them one at a time, prioritizing real credentials that need rotation over test-only secrets.
+
 ## Guardrails
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.
diff --git a/.github/workflows/secret-scanning-triage.md b/.github/workflows/secret-scanning-triage.md
index 7d98f28a42..88fc2b3bfb 100644
--- a/.github/workflows/secret-scanning-triage.md
+++ b/.github/workflows/secret-scanning-triage.md
@@ -41,6 +41,15 @@ timeout-minutes: 25
 You triage **one** open Secret Scanning alert per run.
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **17 Secret scanning alerts** (this workflow addresses these)
+- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+
+Your focus is on the **17 secret scanning alerts**. Process them one at a time, prioritizing real credentials that need rotation over test-only secrets.
+
 ## Guardrails
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index 1cdff50441..c2bfe11084 100644
--- a/.github/workflows/security-fix-pr.lock.yml
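Review bot: `prioritizing real credentials that need rotation over test-only secrets` in the secret-scanning-triage.md hunk introduces a real-versus-test classification without giving the agent any criterion for it, so the call rests on the agent's reading of surrounding code, and a live credential that happens to sit in a test fixture can be misfiled as test-only and closed without rotation. The prompt should say what evidence counts, preferring the alert's own validity status where the platform supplies one over code context, and fail closed, e.g. `Treat an alert as a real credential unless its validity status or a documented test fixture shows otherwise; when in doubt, request rotation.` If triage results are written to issues or comments, stating that alerts are referenced by number rather than by reproducing the detected value belongs here too, though the hunk does not show where the output goes. The compiled secret-scanning-triage.lock.yml hunk above repeats this text and would need regenerating.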
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -618,6 +618,15 @@ jobs:
 You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning.
+ ## Campaign Context
+
+ This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+ - **3 Code scanning alerts** (this workflow addresses these)
+ - **1 Dependabot alert** (handled by dependabot-bundler workflow)
+ - **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+ Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog.
+
 ## Mission
 When triggered, you must:
diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md
index a589d1e71e..2b553f01ea 100644
--- a/.github/workflows/security-fix-pr.md
+++ b/.github/workflows/security-fix-pr.md
@@ -38,6 +38,15 @@ timeout-minutes: 20
 You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning.
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **3 Code scanning alerts** (this workflow addresses these)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog.
+
 ## Mission
 When triggered, you must:
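Review bot: `Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog.` in the security-fix-pr.md hunk pairs a backlog of 3 with a per-run cap of 5, leaving it unclear whether 5 is a standing limit on how many autofix PRs one run may open or merely a restatement of the count. If the cap is the guardrail, stating it independently of the campaign number, e.g. `Your focus is on the code scanning alerts in this campaign (3 at baseline); the limit of 5 fixes per run still applies.`, stops the agent from reading the larger figure as permission once the backlog grows. The overlap with code-scanning-fixer on these same alerts is raised on the code-scanning-fixer.md hunk above. The compiled security-fix-pr.lock.yml hunk repeats this text and would need regenerating.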