Add Dependabot Project Manager workflow with bundling and Copilot assignment#14182

Merged
mnkiefer merged 9 commits into main from copilot/create-dependabot-alert-workflow
Feb 6, 2026
Conversation


Copilot AI commented Feb 6, 2026

Plan: Create Dependabot Project Manager Workflow

  • Create workflow markdown file: dependabot-project-manager.md
  • Configure frontmatter with:
    • Scheduled trigger (daily) - currently commented out
    • Copilot engine
    • GitHub tools with dependabot and projects toolsets
    • Safe outputs for project management and issue creation
    • Permissions for reading dependabot alerts and managing projects
  • Write workflow prompt to:
    • Fetch dependabot alerts from the repository
    • Bundle alerts by runtime (npm, pip, go, etc.) and manifest file
    • Create draft issues in GitHub Projects for each bundle
    • Set appropriate fields (Status, Priority, Runtime, Manifest)
    • Create a "Review Required" status column in the project board
    • Assign bundles to Copilot agents for remediation
  • Compile the workflow to generate .lock.yml file
  • Test the workflow compilation
  • Verify workflow structure and documentation
  • Simplify Copilot assignment to use only assignees: copilot
  • Recompile workflow after project URL update

Summary

Successfully created and simplified the Dependabot Project Manager workflow, now recompiled with updated configuration.

Latest Changes

Recompiled workflow lock file:

  • Updated frontmatter hash to reflect current configuration
  • Project URL updated to https://github.com/orgs/github/projects/24060
  • Schedule trigger commented out (can be re-enabled when ready for production)
  • Removed actions: read permission (not needed for this workflow)

The workflow is ready for testing with the configured project board.

Original prompt

Create a workflow for GitHub Agentic Workflows using https://raw.githubusercontent.com/github/gh-aw/main/create.md

The purpose of the workflow is to pick up dependabot alerts, bundle them according to runtime and manifest, and assign each bundle to Copilot. It should surface all work on a GitHub Projects board, with a board view and an extra column for status "Review Required" when Copilot PRs are ready.


Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Create workflow for handling Dependabot alerts Add Dependabot Project Manager workflow with bundling and Copilot assignment Feb 6, 2026
Copilot AI requested a review from mnkiefer February 6, 2026 16:48

mnkiefer commented Feb 6, 2026

@copilot Safe output assign-to-agent should need a special token too. See https://github.github.io/gh-aw/reference/safe-outputs/#assign-to-agent-assign-to-agent

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

Copilot AI commented Feb 6, 2026

@copilot Safe output assign-to-agent should need a special token too. See https://github.github.io/gh-aw/reference/safe-outputs/#assign-to-agent-assign-to-agent

Added assign-to-agent safe output configuration with the required GH_AW_AGENT_TOKEN token. The workflow now supports both approaches:

  1. Simple (already configured): assignees: copilot in create-issue - no extra token needed
  2. Programmatic (now added): assign-to-agent safe output - requires GH_AW_AGENT_TOKEN

Also updated documentation to explain:

  • Both token requirements (GH_AW_PROJECT_GITHUB_TOKEN and GH_AW_AGENT_TOKEN)
  • Required permissions for each token
  • When to use each Copilot assignment approach

Commit: 2d1e31d

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • github.github.io
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


mnkiefer commented Feb 6, 2026

@copilot Just the GH_AW_AGENT_TOKEN, assign-to-agent is redundant since we can use assignee: copilot on the issue

…pilot

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

Copilot AI commented Feb 6, 2026

@copilot Just the GH_AW_AGENT_TOKEN, assign-to-agent is redundant since we can use assignee: copilot on the issue

Removed the redundant assign-to-agent safe output configuration. The workflow now uses only assignees: copilot in the create-issue config, which is simpler and requires only GH_AW_PROJECT_GITHUB_TOKEN (no GH_AW_AGENT_TOKEN needed).

Changes:

  • Removed assign-to-agent safe output from frontmatter
  • Simplified Phase 4 documentation to single assignment approach
  • Updated Important Notes to require only one token
  • Removed all references to programmatic assignment

Commit: e4813c5


github-actions bot commented Feb 6, 2026

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 43/100

Scores Breakdown

  • Impact: 35/50 - Large feature addition
  • Urgency: 0/30 - Recently created
  • Quality: 8/20 - CI pending, good description, draft status

📋 Recommended Action: defer

Draft or low priority - can wait for more development


Triaged by PR Triage Agent on 2026-02-06

AI generated by PR Triage Agent

mnkiefer marked this pull request as ready for review February 6, 2026 18:42
Copilot AI review requested due to automatic review settings February 6, 2026 18:42
Updated project links in the Dependabot Project Manager workflow.

Copilot AI left a comment


Pull request overview

Adds a new GitHub Agentic Workflows automation to triage Dependabot alerts by bundling them into runtime+manifest work items, tracking them in GitHub Projects, and creating Copilot-assigned remediation issues.

Changes:

  • Introduces a new agentic workflow prompt to fetch, bundle, and track Dependabot alerts via Projects v2.
  • Configures safe-outputs for project updates, status updates, and issue creation/assignment to Copilot.
  • Adds the compiled .lock.yml workflow for execution by GitHub Actions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Files reviewed:

  • .github/workflows/dependabot-project-manager.md: new agentic workflow definition/prompt + safe-outputs configuration for Projects + issue creation.
  • .github/workflows/dependabot-project-manager.lock.yml: compiled workflow used at runtime (safe-outputs MCP config + handler config + jobs).
Comments suppressed due to low confidence (1)

.github/workflows/dependabot-project-manager.lock.yml:1327

  • GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG sets create_issue.max to 1 and only includes assignees: [copilot], but the workflow frontmatter configures create-issue with max: 20, expires: 7d, title-prefix, labels, and group: false. With the current lock output, only one issue can be created and the other constraints/policies won’t be applied. Please recompile/fix the lock so the handler config matches the .md frontmatter.
          GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10},\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"create_project_status_update\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":1,\"project\":\"https://github.com/orgs/\\u003cORG\\u003e/projects/\\u003cPROJECT_NUMBER\\u003e\"},\"missing_data\":{},\"missing_tool\":{},\"update_project\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":50,\"project\":\"https://github.com/orgs/\\u003cORG\\u003e/projects/\\u003cPROJECT_NUMBER\\u003e\",\"views\":[{\"name\":\"Dependabot Alerts Board\",\"layout\":\"board\",\"filter\":\"is:open\"},{\"name\":\"Review Required\",\"layout\":\"board\",\"filter\":\"is:open status:\\\"Review Required\\\"\"},{\"name\":\"All Alerts Table\",\"layout\":\"table\"}]}}"
          GH_AW_ASSIGN_COPILOT: "true"

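As an added illustration of the drift the review flags above (example code written for this page, not code from the PR or from gh-aw): a small check that decodes the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG string out of a compiled lock file and lists every create-issue setting from the .md frontmatter that the compiled handler dropped or changed. The lock excerpt is a trimmed copy of the one quoted in the review; the frontmatter's title-prefix and labels values are constructed placeholders, since the page does not give them.

```python
import json
import re

# Constructed excerpt of the env block of a compiled .lock.yml, in the shape
# quoted in the review above (trimmed; the <ORG>/<PROJECT_NUMBER> placeholders
# are the page's own). The JSON sits inside a YAML double-quoted scalar.
LOCK_YML_EXCERPT = r'''
          GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":10},\"create_issue\":{\"assignees\":[\"copilot\"],\"max\":1},\"update_project\":{\"github-token\":\"${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}\",\"max\":50,\"project\":\"https://github.com/orgs/\\u003cORG\\u003e/projects/\\u003cPROJECT_NUMBER\\u003e\"}}"
          GH_AW_ASSIGN_COPILOT: "true"
'''

# Constructed: the create-issue safe-output as the review describes the .md
# frontmatter. The title-prefix and labels values are placeholders.
FRONTMATTER_CREATE_ISSUE = {
    "max": 20,
    "expires": "7d",
    "title-prefix": "[dependabot] ",
    "labels": ["dependabot"],
    "group": False,
    "assignees": ["copilot"],
}

def parse_handler_config(lock_text: str) -> dict:
    """Decode GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG from lock-file text into a dict."""
    m = re.search(r'GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG:\s*"((?:[^"\\]|\\.)*)"', lock_text)
    if not m:
        raise ValueError("GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG not found")
    # Undo the YAML double-quote escapes (backslash-quote, backslash-backslash);
    # json.loads then resolves JSON's own escapes such as the \u003c in the URL.
    return json.loads(re.sub(r"\\(.)", r"\1", m.group(1)))

def find_drift(frontmatter: dict, compiled: dict) -> list:
    """List every frontmatter key the compiled handler dropped or changed."""
    drift = []
    for key, wanted in frontmatter.items():
        # Frontmatter keys use '-' (title-prefix); the lock may use '_', so try both.
        got = compiled.get(key, compiled.get(key.replace("-", "_")))
        if got is None:
            drift.append(f"create_issue.{key}: missing from lock (frontmatter: {wanted!r})")
        elif got != wanted:
            drift.append(f"create_issue.{key}: lock has {got!r}, frontmatter has {wanted!r}")
    return drift

if __name__ == "__main__":
    compiled = parse_handler_config(LOCK_YML_EXCERPT)["create_issue"]
    print("\n".join(find_drift(FRONTMATTER_CREATE_ISSUE, compiled)) or "no drift")
```

Run against a real lock file, the same check catches the case the review describes: max 1 instead of 20 and the missing expires, title-prefix, labels and group settings.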

Updated project URLs in the documentation to point to the GitHub organization and project number for clarity. Adjusted notes regarding project configuration and GitHub token requirements.

mnkiefer commented Feb 6, 2026

@copilot recompile workflow

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>

Copilot AI commented Feb 6, 2026

@copilot recompile workflow

Workflow recompiled successfully. The lock file now reflects:

  • Updated project URL: https://github.com/orgs/github/projects/24060
  • Removed commented schedule (can be re-enabled when ready)
  • Removed unused actions: read permission

Commit: 7675f69

mnkiefer merged commit b12996d into main Feb 6, 2026
51 checks passed
mnkiefer deleted the copilot/create-dependabot-alert-workflow branch February 6, 2026 20:07