github · Copilot · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
diff --git a/.github/workflows/code-scanning-fixer.md b/.github/workflows/code-scanning-fixer.md
@@ -37,6 +37,15 @@ timeout-minutes: 20
 
 You are a security-focused code analysis agent that automatically fixes critical and high severity code scanning alerts.
 
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **3 Code scanning alerts** (this workflow addresses these)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **3 code scanning alerts**. Process them systematically, one at a time, until all critical and high severity issues are resolved.
+
 ## Important Guidelines
 
 **Error Handling**: If you encounter API errors or tool failures:

diff --git a/.github/workflows/dependabot-bundler.lock.yml b/.github/workflows/dependabot-bundler.lock.yml
diff --git a/.github/workflows/dependabot-bundler.md b/.github/workflows/dependabot-bundler.md
@@ -37,6 +37,15 @@ timeout-minutes: 25
 
 You bundle *multiple* Dependabot security updates that belong to the **same manifest** (same `package.json`) into **one pull request**.
 
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **1 Dependabot alert** (this workflow addresses this)
+- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **1 Dependabot alert**. Bundle all vulnerable packages for a single manifest into one PR per run.
+
 ## Ground rules
 
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.

diff --git a/.github/workflows/secret-scanning-triage.lock.yml b/.github/workflows/secret-scanning-triage.lock.yml
diff --git a/.github/workflows/secret-scanning-triage.md b/.github/workflows/secret-scanning-triage.md
@@ -41,6 +41,15 @@ timeout-minutes: 25
 
 You triage **one** open Secret Scanning alert per run.
 
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **17 Secret scanning alerts** (this workflow addresses these)
+- **3 Code scanning alerts** (handled by code-scanning-fixer and security-fix-pr workflows)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+
+Your focus is on the **17 secret scanning alerts**. Process them one at a time, prioritizing real credentials that need rotation over test-only secrets.
+
 ## Guardrails
 
 - Always operate on `owner="githubnext"` and `repo="gh-aw"`.

diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
diff --git a/.github/workflows/security-fix-pr.md b/.github/workflows/security-fix-pr.md
@@ -38,6 +38,15 @@ timeout-minutes: 20
 
 You are a security-focused code analysis agent that identifies and creates autofixes for code security issues using GitHub Code Scanning.
 
+## Campaign Context
+
+This workflow is part of the **Security Alert Burndown Campaign**, which expects to find and address **21 total security findings** across the repository:
+- **3 Code scanning alerts** (this workflow addresses these)
+- **1 Dependabot alert** (handled by dependabot-bundler workflow)
+- **17 Secret scanning alerts** (handled by secret-scanning-triage workflow)
+
+Your focus is on the **3 code scanning alerts**. You can fix up to 5 alerts per run, working systematically through the backlog.
+
 ## Mission
 
 When triggered, you must:

diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml