From cd6da720bbe0e9e16295d7f095887203bf254ba5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 06:28:04 +0000 Subject: [PATCH 1/4] Initial plan From c5fd6bc6849089e9915dd7fc9ded73ef7baa0ea0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 06:35:13 +0000 Subject: [PATCH 2/4] Improve security alert burndown workflow instructions for issue creation - Restructure Step 4 to make three required safe-output calls more explicit - Add clear sequential numbering (#1, #2, #3) for the three calls - Emphasize immediacy with "immediately perform" and "Immediately call" - Move bundling analysis before the safe-output calls for better flow - Add prominent example showing temporary ID usage across all three calls - Use consistent naming: "call #1", "call #2", "call #3" for clarity Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .../security-alert-burndown.lock.yml | 59 ++++++++++--------- .github/workflows/security-alert-burndown.md | 55 +++++++++-------- 2 files changed, 62 insertions(+), 52 deletions(-) diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index 2957bb20de..ee55608047 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml 
@@ -894,13 +894,18 @@ jobs: ### Step 4: Create parent issue and assign work - After updating project items, you must complete **all three actions below in order**: + After updating project items, you must **immediately perform all three safe-output calls below in sequence**. Do not proceed to Step 5 until all three calls are complete. - 1. **Create the parent tracking issue** - 2. **Add the issue to the project board** - 3. **Assign the issue to the Copilot agent** + #### Required Safe-Output Calls (All Three Required): + + 1. **Call `create_issue`** to create the parent tracking issue + 2. **Call `update_project`** to add the created issue to the project board + 3. **Call `assign_to_agent`** to assign the created issue to Copilot + + #### Bundling Analysis (Do This First) + + Before creating the issue, analyze the discovered PRs: - **Selection Criteria:** 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** 3. Select up to **3 bundles** total following the bundling rules below 
@@ -920,30 +925,28 @@ jobs: - Enforce **one runtime + one target file per PR**. - All PRs must pass **CI and relevant runtime tests** before merge. - **Action 1: Create the parent issue** + #### Safe-Output Call #1: Create the Issue - Create a single issue that contains: - - The bundling rules (copied below) - - The proposed bundles (grouped by runtime + target manifest) - - A checklist of the PRs to bundle, one checkbox per PR - - Use the `create_issue` tool: + Create a single issue using the `create_issue` tool: ``` - create_issue(title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", body="") + create_issue( + title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", + body="" + ) ``` - After calling `create_issue`, **store the returned temporary ID** (e.g., `aw_sec2026012901`) - you will need it for actions 2 and 3. The temporary ID will be automatically resolved to the actual issue number. + **IMPORTANT**: After calling `create_issue`, save the returned temporary ID (e.g., `aw_sec2026012901`). You MUST use this temporary ID in the next two calls. - **Action 2: Add the issue to the project board** + #### Safe-Output Call #2: Add Issue to Project Board - Immediately after creating the issue, add it to the project board using `update_project`. Use the temporary ID from action 1: + **Immediately** call `update_project` using the temporary ID from call #1: ``` update_project( project="https://github.com/orgs/githubnext/projects/144", content_type="issue", - content_number=, + content_number="", fields={ "campaign_id": "security-alert-burndown", "status": "Todo", 
@@ -956,20 +959,22 @@ jobs: ) ``` - **Action 3: Assign the issue to the agent** + #### Safe-Output Call #3: Assign to Agent - Finally, assign the issue to the Copilot agent using `assign_to_agent`. Use the temporary ID from action 1: + **Immediately** call `assign_to_agent` using the temporary ID from call #1: ``` - assign_to_agent(issue_number=, name="copilot") + assign_to_agent( + issue_number="", + name="copilot" + ) ``` - Example: If `create_issue` returned `aw_sec2026012901`, then call: - ``` - assign_to_agent(issue_number="aw_sec2026012901", name="copilot") - ``` + **Example**: If `create_issue` returned `aw_sec2026012901`, then: + - Call #2: `update_project(..., content_number="aw_sec2026012901", ...)` + - Call #3: `assign_to_agent(issue_number="aw_sec2026012901", name="copilot")` - **CRITICAL**: You must call all three tools (create_issue, update_project, assign_to_agent) in sequence to complete this step. Do not skip any of them. The temporary ID will be automatically resolved to the real issue number during execution. + The temporary ID will be automatically resolved to the real issue number during safe-output processing. **Issue Body Template:** @@ -1318,10 +1323,10 @@ jobs: - Enforce strict pagination budgets; if a query requires many pages, stop early and continue next run. - Use a durable cursor/checkpoint so the next run continues without rescanning. - On throttling (HTTP 429 / rate-limit 403), do not retry aggressively; back off and end the run after reporting what remains. - PROMPT_EOF - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" **Cursor file (repo-memory)**: `memory/campaigns/security-alert-burndown/cursor.json` **File system path**: `/tmp/gh-aw/repo-memory/campaigns/security-alert-burndown/cursor.json` - If it exists: read first and continue from its boundary. 
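Review bot: In the `@@ -894` hunk the new lead sentence tells the agent to "immediately perform all three safe-output calls below in sequence" and is immediately followed by the "Required Safe-Output Calls" list, while the "Bundling Analysis (Do This First)" heading only appears after that list; read top to bottom this gives two conflicting "first" instructions. Move the bundling analysis and its numbered rules ahead of the call list, or drop "immediately" from the lead sentence so the call list is read as a summary rather than a trigger. The same hunk in `.github/workflows/security-alert-burndown.md` has the same ordering problem.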
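Review bot: The `@@ -920` hunk drops the statement of what the parent issue must contain (the bundling rules, the proposed bundles grouped by runtime and target manifest, and one checkbox per PR) and replaces it with just `Create a single issue using the create_issue tool:`; if the "Issue Body Template" further down is meant to carry those requirements, say so at this point, otherwise restore the three bullets, since an agent that skips the template will otherwise file an issue with no checklist. In the `@@ -920` and `@@ -956` hunks the placeholders are now rendered as `body=""`, `content_number=""` and `issue_number=""`, i.e. literal empty strings that an agent can copy verbatim; if these were meant to be angle-bracket placeholders, use a token that survives rendering such as `"<temporary-id>"`, consistent with the worked example `content_number="aw_sec2026012901"`. Quoting the ID as a string is the right call, since the example ID `aw_sec2026012901` is not numeric until safe-output processing resolves it.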
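Review bot: The `@@ -1318` hunk only shifts the `PROMPT_EOF` / `cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT"` chunk boundary inside the "Traffic and Rate Limits" section without changing any prompt text there, and patches 3 and 4 move it again. Because the delimiter is quoted (`'PROMPT_EOF'`) and every chunk is appended to the same `$GH_AW_PROMPT`, the split point has no effect on the assembled prompt, so this is safe, but it is noise in review; since `security-alert-burndown.lock.yml` is the compiled form of `security-alert-burndown.md`, make sure the lock file in this commit is the compiler's output for the final `.md` so the two cannot drift, and keep the delimiter quoted so nothing in the prompt body is subject to shell expansion.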
diff --git a/.github/workflows/security-alert-burndown.md b/.github/workflows/security-alert-burndown.md index 4320aac453..0165544f98 100644 --- a/.github/workflows/security-alert-burndown.md +++ b/.github/workflows/security-alert-burndown.md @@ -84,13 +84,18 @@ For each discovered item (up to 100 total per run): ### Step 4: Create parent issue and assign work -After updating project items, you must complete **all three actions below in order**: +After updating project items, you must **immediately perform all three safe-output calls below in sequence**. Do not proceed to Step 5 until all three calls are complete. -1. **Create the parent tracking issue** -2. **Add the issue to the project board** -3. **Assign the issue to the Copilot agent** +#### Required Safe-Output Calls (All Three Required): + +1. **Call `create_issue`** to create the parent tracking issue +2. **Call `update_project`** to add the created issue to the project board +3. **Call `assign_to_agent`** to assign the created issue to Copilot + +#### Bundling Analysis (Do This First) + +Before creating the issue, analyze the discovered PRs: -**Selection Criteria:** 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** 3. Select up to **3 bundles** total following the bundling rules below 
@@ -110,30 +115,28 @@ After updating project items, you must complete **all three actions below in ord - Enforce **one runtime + one target file per PR**. - All PRs must pass **CI and relevant runtime tests** before merge. -**Action 1: Create the parent issue** - -Create a single issue that contains: -- The bundling rules (copied below) -- The proposed bundles (grouped by runtime + target manifest) -- A checklist of the PRs to bundle, one checkbox per PR +#### Safe-Output Call #1: Create the Issue -Use the `create_issue` tool: +Create a single issue using the `create_issue` tool: ``` -create_issue(title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", body="") +create_issue( + title="Security Alert Burndown: Dependabot bundling plan (YYYY-MM-DD)", + body="" +) ``` -After calling `create_issue`, **store the returned temporary ID** (e.g., `aw_sec2026012901`) - you will need it for actions 2 and 3. The temporary ID will be automatically resolved to the actual issue number. +**IMPORTANT**: After calling `create_issue`, save the returned temporary ID (e.g., `aw_sec2026012901`). You MUST use this temporary ID in the next two calls. -**Action 2: Add the issue to the project board** +#### Safe-Output Call #2: Add Issue to Project Board -Immediately after creating the issue, add it to the project board using `update_project`. Use the temporary ID from action 1: +**Immediately** call `update_project` using the temporary ID from call #1: ``` update_project( project="https://github.com/orgs/githubnext/projects/144", content_type="issue", - content_number=, + content_number="", fields={ "campaign_id": "security-alert-burndown", "status": "Todo", 
@@ -146,20 +149,22 @@ update_project( ) ``` -**Action 3: Assign the issue to the agent** +#### Safe-Output Call #3: Assign to Agent -Finally, assign the issue to the Copilot agent using `assign_to_agent`. Use the temporary ID from action 1: +**Immediately** call `assign_to_agent` using the temporary ID from call #1: ``` -assign_to_agent(issue_number=, name="copilot") +assign_to_agent( + issue_number="", + name="copilot" +) ``` -Example: If `create_issue` returned `aw_sec2026012901`, then call: -``` -assign_to_agent(issue_number="aw_sec2026012901", name="copilot") -``` +**Example**: If `create_issue` returned `aw_sec2026012901`, then: +- Call #2: `update_project(..., content_number="aw_sec2026012901", ...)` +- Call #3: `assign_to_agent(issue_number="aw_sec2026012901", name="copilot")` -**CRITICAL**: You must call all three tools (create_issue, update_project, assign_to_agent) in sequence to complete this step. Do not skip any of them. The temporary ID will be automatically resolved to the real issue number during execution. +The temporary ID will be automatically resolved to the real issue number during safe-output processing. **Issue Body Template:** From 1a112d6a9b31407ffd1946d515e6e5afbe6ae0e7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 06:39:12 +0000 Subject: [PATCH 3/4] Fix instruction ordering: bundling analysis before safe-output calls Address code review feedback - clarify that bundling analysis must be completed before performing the three safe-output calls. This resolves the contradictory instruction sequencing where "immediately perform" came before "Do This First". Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .../workflows/security-alert-burndown.lock.yml | 18 +++++++++++++----- .github/workflows/security-alert-burndown.md | 14 +++++++++++--- 2 files changed, 24 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index ee55608047..e122f4608e 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml @@ -894,17 +894,25 @@ jobs: ### Step 4: Create parent issue and assign work - After updating project items, you must **immediately perform all three safe-output calls below in sequence**. Do not proceed to Step 5 until all three calls are complete. + After updating project items, **first complete the bundling analysis below, then immediately perform all three safe-output calls in sequence**. Do not proceed to Step 5 until all three calls are complete. + + #### Bundling Analysis (Do This First) + + Before creating the issue, analyze the discovered PRs and determine which PRs to bundle together. #### Required Safe-Output Calls (All Three Required): + After completing the bundling analysis, you must immediately perform these three safe-output calls in order: + 1. **Call `create_issue`** to create the parent tracking issue 2. **Call `update_project`** to add the created issue to the project board 3. **Call `assign_to_agent`** to assign the created issue to Copilot - #### Bundling Analysis (Do This First) + #### Bundling Guidelines - Before creating the issue, analyze the discovered PRs: + #### Bundling Guidelines + + Analyze all discovered PRs following these rules: 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** 
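Review bot: This hunk fixes the lead sentence ("first complete the bundling analysis below, then immediately perform all three safe-output calls") but the rules the analysis needs ("Review all discovered PRs", "Group by runtime ... and target dependency file", "Select up to 3 bundles") still sit under `#### Bundling Guidelines` after the "Required Safe-Output Calls" list, while the "Bundling Analysis (Do This First)" section above it is a single sentence; the agent still reads "you must immediately perform these three safe-output calls in order" before it has seen how to decide what to bundle. Move the guideline list up under the "Do This First" heading, or make that section point explicitly at the guidelines. The hunk also adds `#### Bundling Guidelines` twice in a row; patch 4 removes the duplicate, but that fix belongs squashed into this commit so the reviewed history never contains the doubled header.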
@@ -1319,14 +1327,14 @@ jobs: ## Traffic and Rate Limits (Required) - Minimize API calls; avoid full rescans when possible. + PROMPT_EOF + cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - Prefer incremental discovery with deterministic ordering (e.g., by `updatedAt`, tie-break by ID). - Enforce strict pagination budgets; if a query requires many pages, stop early and continue next run. - Use a durable cursor/checkpoint so the next run continues without rescanning. - On throttling (HTTP 429 / rate-limit 403), do not retry aggressively; back off and end the run after reporting what remains. - PROMPT_EOF - cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" **Cursor file (repo-memory)**: `memory/campaigns/security-alert-burndown/cursor.json` **File system path**: `/tmp/gh-aw/repo-memory/campaigns/security-alert-burndown/cursor.json` - If it exists: read first and continue from its boundary. diff --git a/.github/workflows/security-alert-burndown.md b/.github/workflows/security-alert-burndown.md index 0165544f98..acff775b9a 100644 --- a/.github/workflows/security-alert-burndown.md +++ b/.github/workflows/security-alert-burndown.md 
@@ -84,17 +84,25 @@ For each discovered item (up to 100 total per run): ### Step 4: Create parent issue and assign work -After updating project items, you must **immediately perform all three safe-output calls below in sequence**. Do not proceed to Step 5 until all three calls are complete. +After updating project items, **first complete the bundling analysis below, then immediately perform all three safe-output calls in sequence**. Do not proceed to Step 5 until all three calls are complete. + +#### Bundling Analysis (Do This First) + +Before creating the issue, analyze the discovered PRs and determine which PRs to bundle together. #### Required Safe-Output Calls (All Three Required): +After completing the bundling analysis, you must immediately perform these three safe-output calls in order: + 1. **Call `create_issue`** to create the parent tracking issue 2. **Call `update_project`** to add the created issue to the project board 3. **Call `assign_to_agent`** to assign the created issue to Copilot -#### Bundling Analysis (Do This First) +#### Bundling Guidelines + +#### Bundling Guidelines -Before creating the issue, analyze the discovered PRs: +Analyze all discovered PRs following these rules: 1. Review all discovered PRs 2. Group by **runtime** (Node.js, Python, etc.) and **target dependency file** From d8e2bda10b0844eb7be717c8f08dcf5d3b5d2b52 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 29 Jan 2026 06:40:00 +0000 Subject: [PATCH 4/4] Remove duplicate Bundling Guidelines header Minor cleanup - removed duplicate section header that was introduced during the restructuring. Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/security-alert-burndown.lock.yml | 4 +--- .github/workflows/security-alert-burndown.md | 2 -- 2 files changed, 1 insertion(+), 5 deletions(-) 
diff --git a/.github/workflows/security-alert-burndown.lock.yml b/.github/workflows/security-alert-burndown.lock.yml index e122f4608e..51e3a10e08 100644 --- a/.github/workflows/security-alert-burndown.lock.yml +++ b/.github/workflows/security-alert-burndown.lock.yml @@ -910,8 +910,6 @@ jobs: #### Bundling Guidelines - #### Bundling Guidelines - Analyze all discovered PRs following these rules: 1. Review all discovered PRs @@ -1327,9 +1325,9 @@ jobs: ## Traffic and Rate Limits (Required) - Minimize API calls; avoid full rescans when possible. + - Prefer incremental discovery with deterministic ordering (e.g., by `updatedAt`, tie-break by ID). PROMPT_EOF cat << 'PROMPT_EOF' >> "$GH_AW_PROMPT" - - Prefer incremental discovery with deterministic ordering (e.g., by `updatedAt`, tie-break by ID). - Enforce strict pagination budgets; if a query requires many pages, stop early and continue next run. - Use a durable cursor/checkpoint so the next run continues without rescanning. - On throttling (HTTP 429 / rate-limit 403), do not retry aggressively; back off and end the run after reporting what remains. diff --git a/.github/workflows/security-alert-burndown.md b/.github/workflows/security-alert-burndown.md index acff775b9a..6f527dd6dd 100644 --- a/.github/workflows/security-alert-burndown.md +++ b/.github/workflows/security-alert-burndown.md @@ -100,8 +100,6 @@ After completing the bundling analysis, you must immediately perform these three #### Bundling Guidelines -#### Bundling Guidelines - Analyze all discovered PRs following these rules: 1. Review all discovered PRs
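Review bot: The duplicate `#### Bundling Guidelines` removal is correct in both files. In the `@@ -1327,9` hunk the prompt chunk boundary moves for the third time in this series (`- Prefer incremental discovery with deterministic ordering ...` now sits above `PROMPT_EOF`); the assembled prompt text is unchanged so this is harmless, but verify that the committed `.lock.yml` is exactly what the compiler emits for the final `.md` (regenerate and confirm the working tree is clean) rather than a hand-merged result, and consider squashing patches 3 and 4 so the header fix and its cleanup land as one change.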