diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index 2957bb20de..51e3a10e08 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml @@ -894,13 +894,24 @@ jobs: ### Step 4: Create parent issue and assign work - After updating project items, you must complete **all three actions below in order**: + After updating project items, **first complete the bundling analysis below, then immediately perform all three safe-output calls in sequence**. Do not proceed to Step 5 until all three calls are complete. - 1. **Create the parent tracking issue** - 2. **Add the issue to the project board** - 3. **Assign the issue to the Copilot agent** + #### Bundling Analysis (Do This First) + + Before creating the issue, analyze the discovered PRs and determine which PRs to bundle together. + + #### Required Safe-Output Calls (All Three Required): + + After completing the bundling analysis, you must immediately perform these three safe-output calls in order: + + 1. **Call `create_issue`** to create the parent tracking issue + 2. **Call `update_project`** to add the created issue to the project board + 3. **Call `assign_to_agent`** to assign the created issue to Copilot + + #### Bundling Guidelines + + Analyze all discovered PRs following these rules: - **Selection Criteria:** 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** 3. Select up to **3 bundles** total following the bundling rules below 
@@ -920,30 +931,28 @@ jobs: - Enforce **one runtime + one target file per PR**. - All PRs must pass **CI and relevant runtime tests** before merge. - **Action 1: Create the parent issue** + #### Safe-Output Call #1: Create the Issue - Create a single issue that contains: - - The bundling rules (copied below) - - The proposed bundles (grouped by runtime + target manifest) - - A checklist of the PRs to bundle, one checkbox per PR - - Use the `create_issue` tool: + Create a single issue using the `create_issue` tool: ``` - create_issue(title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", body="") + create_issue( + title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", + body="" + ) ``` - After calling `create_issue`, **store the returned temporary ID** (e.g., `aw_sec2026012901`) - you will need it for actions 2 and 3. The temporary ID will be automatically resolved to the actual issue number. + **IMPORTANT**: After calling `create_issue`, save the returned temporary ID (e.g., `aw_sec2026012901`). You MUST use this temporary ID in the next two calls. - **Action 2: Add the issue to the project board** + #### Safe-Output Call #2: Add Issue to Project Board - Immediately after creating the issue, add it to the project board using `update_project`. Use the temporary ID from action 1: + **Immediately** call `update_project` using the temporary ID from call #1: ``` update_project( project="https://github.com/orgs/githubnext/projects/144", content_type="issue", - content_number=, + content_number="", fields={ "campaign_id": "security-alert-burndown", "status": "Todo", 
@@ -956,20 +965,22 @@ jobs: ) ``` - **Action 3: Assign the issue to the agent** + #### Safe-Output Call #3: Assign to Agent - Finally, assign the issue to the Copilot agent using `assign_to_agent`. Use the temporary ID from action 1: + **Immediately** call `assign_to_agent` using the temporary ID from call #1: ``` - assign_to_agent(issue_number=, name="copilot") + assign_to_agent( + issue_number="", + name="copilot" + ) ``` - Example: If `create_issue` returned `aw_sec2026012901`, then call: - ``` - assign_to_agent(issue_number="aw_sec2026012901", name="copilot") - ``` + **Example**: If `create_issue` returned `aw_sec2026012901`, then: + - Call #2: `update_project(..., content_number="aw_sec2026012901", ...)` + - Call #3: `assign_to_agent(issue_number="aw_sec2026012901", name="copilot")` - **CRITICAL**: You must call all three tools (create_issue, update_project, assign_to_agent) in sequence to complete this step. Do not skip any of them. The temporary ID will be automatically resolved to the real issue number during execution. + The temporary ID will be automatically resolved to the real issue number during safe-output processing. **Issue Body Template:** @@ -1315,11 +1326,11 @@ jobs: - Minimize API calls; avoid full rescans when possible. - Prefer incremental discovery with deterministic ordering (e.g., by `updatedAt`, tie-break by ID). + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - Enforce strict pagination budgets; if a query requires many pages, stop early and continue next run. - Use a durable cursor/checkpoint so the next run continues without rescanning. - On throttling (HTTP 429 / rate-limit 403), do not retry aggressively; back off and end the run after reporting what remains. - PROMPT_EOF - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" **Cursor file (repo-memory)**: `memory/campaigns/security-alert-burndown/cursor.json` 
diff --git a/.github/workflows/security-alert-burndown.md b/.github/workflows/security-alert-burndown.md index 4320aac453..6f527dd6dd 100644 --- a/.github/workflows/security-alert-burndown.md +++ b/.github/workflows/security-alert-burndown.md @@ -84,13 +84,24 @@ For each discovered item (up to 100 total per run): ### Step 4: Create parent issue and assign work -After updating project items, you must complete **all three actions below in order**: +After updating project items, **first complete the bundling analysis below, then immediately perform all three safe-output calls in sequence**. Do not proceed to Step 5 until all three calls are complete. -1. **Create the parent tracking issue** -2. **Add the issue to the project board** -3. **Assign the issue to the Copilot agent** +#### Bundling Analysis (Do This First) + +Before creating the issue, analyze the discovered PRs and determine which PRs to bundle together. + +#### Required Safe-Output Calls (All Three Required): + +After completing the bundling analysis, you must immediately perform these three safe-output calls in order: + +1. **Call `create_issue`** to create the parent tracking issue +2. **Call `update_project`** to add the created issue to the project board +3. **Call `assign_to_agent`** to assign the created issue to Copilot + +#### Bundling Guidelines + +Analyze all discovered PRs following these rules: -**Selection Criteria:** 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** 3. Select up to **3 bundles** total following the bundling rules below 
@@ -110,30 +121,28 @@ After updating project items, you must complete **all three actions below in ord - Enforce **one runtime + one target file per PR**. - All PRs must pass **CI and relevant runtime tests** before merge. -**Action 1: Create the parent issue** +#### Safe-Output Call #1: Create the Issue -Create a single issue that contains: -- The bundling rules (copied below) -- The proposed bundles (grouped by runtime + target manifest) -- A checklist of the PRs to bundle, one checkbox per PR - -Use the `create_issue` tool: +Create a single issue using the `create_issue` tool: ``` -create_issue(title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", body="") +create_issue( + title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", + body="" +) ``` -After calling `create_issue`, **store the returned temporary ID** (e.g., `aw_sec2026012901`) - you will need it for actions 2 and 3. The temporary ID will be automatically resolved to the actual issue number. +**IMPORTANT**: After calling `create_issue`, save the returned temporary ID (e.g., `aw_sec2026012901`). You MUST use this temporary ID in the next two calls. -**Action 2: Add the issue to the project board** +#### Safe-Output Call #2: Add Issue to Project Board -Immediately after creating the issue, add it to the project board using `update_project`. Use the temporary ID from action 1: +**Immediately** call `update_project` using the temporary ID from call #1: ``` update_project( project="https://github.com/orgs/githubnext/projects/144", content_type="issue", - content_number=, + content_number="", fields={ "campaign_id": "security-alert-burndown", "status": "Todo", 
@@ -146,20 +155,22 @@ update_project( ) ``` -**Action 3: Assign the issue to the agent** +#### Safe-Output Call #3: Assign to Agent -Finally, assign the issue to the Copilot agent using `assign_to_agent`. Use the temporary ID from action 1: +**Immediately** call `assign_to_agent` using the temporary ID from call #1: ``` -assign_to_agent(issue_number=, name="copilot") +assign_to_agent( + issue_number="", + name="copilot" +) ``` -Example: If `create_issue` returned `aw_sec2026012901`, then call: -``` -assign_to_agent(issue_number="aw_sec2026012901", name="copilot") -``` +**Example**: If `create_issue` returned `aw_sec2026012901`, then: +- Call #2: `update_project(..., content_number="aw_sec2026012901", ...)` +- Call #3: `assign_to_agent(issue_number="aw_sec2026012901", name="copilot")` -**CRITICAL**: You must call all three tools (create_issue, update_project, assign_to_agent) in sequence to complete this step. Do not skip any of them. The temporary ID will be automatically resolved to the real issue number during execution. +The temporary ID will be automatically resolved to the real issue number during safe-output processing. **Issue Body Template:**
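Review bot: In the `@@ -894,13 +894,24 @@` hunk of `security-alert-burndown.lock.yml`, the `#### Bundling Guidelines` section sits after `#### Required Safe-Output Calls`, although the text says the bundling analysis comes first. The `#### Bundling Analysis (Do This First)` heading has a single sentence and no rules under it, so a reader following the prompt top to bottom reaches the three calls before the rules they depend on. Suggest moving the numbered guidelines directly under `Bundling Analysis (Do This First)` and placing the call list after them.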
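Review bot: In the `@@ -920,30 +931,28 @@` hunk of the lock file, `body=""` and `content_number=""` read as literal empty strings as they appear here, so an agent copying the calls verbatim would submit an empty issue body and an empty content reference. Suggest a named placeholder in each position that states what goes there (the filled-in issue body, and the temporary ID returned by `create_issue`), so the template cannot be sent as written.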
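Review bot: In the `@@ -956,20 +965,22 @@` hunk of the lock file, calls #2 and #3 are both marked `**Immediately**` and depend on the temporary ID from call #1, but nothing says what to do when `create_issue` returns no temporary ID. Suggest one sentence telling the agent to stop and report in that case rather than call `update_project` or `assign_to_agent` with an empty or guessed `issue_number`.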
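Review bot: In the `@@ -1315,11 +1326,11 @@` hunk of the lock file, the `PROMPT_EOF` / `cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"` boundary moves up three lines and now falls in the middle of the bullet list, between the "Prefer incremental discovery" bullet and the "Enforce strict pagination budgets" bullet. The prompt text itself is unchanged, so this looks like a side effect of the lines added earlier in the file; please confirm the lock file was regenerated from `security-alert-burndown.md` rather than edited by hand, so the two files stay in step.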
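Review bot: In the `@@ -84,13 +84,24 @@` hunk of `security-alert-burndown.md`, the instruction to perform the three calls in order is stated twice within a few lines: once in the Step 4 intro and again under `#### Required Safe-Output Calls (All Three Required):`. The heading also ends in a colon and repeats "Required". Suggest keeping the intro sentence, shortening the heading to `#### Required Safe-Output Calls`, and leaving only the numbered list under it.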
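Review bot: In the `@@ -110,30 +121,28 @@` hunk of the `.md` file, the list of what the parent issue must contain (the bundling rules, the proposed bundles, a checklist with one checkbox per PR) is deleted and nothing in this hunk replaces it. If the `**Issue Body Template:**` further down is meant to carry those requirements, say so next to the `create_issue` call; otherwise keep the three bullets.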
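Review bot: In the `@@ -146,20 +155,22 @@` hunk of the `.md` file, `issue_number` (and `content_number` in call #2) is now shown taking a quoted string such as `"aw_sec2026012901"`, while the parameter names suggest a number. Suggest stating once that both parameters accept the temporary ID string, and that the agent must pass the value `create_issue` actually returned, not the `aw_sec2026012901` example.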