
Add security-alert-burndown campaign spec#11232

Merged
mnkiefer merged 5 commits into main from
copilot/burn-down-security-alerts-29c41565-4708-44ec-b559-ef919df88b78
Jan 22, 2026

Conversation

Contributor

Copilot AI commented Jan 22, 2026

Campaign coordinates code-scanning-fixer and security-fix-pr workflows to systematically reduce security alerts. Prioritizes file write vulnerabilities, clusters up to 3 alerts per run, tracks progress via GitHub Project.

Changes

  • Campaign spec .github/workflows/security-alert-burndown.campaign.md

    • 3-phase rollout: file write issues → clustered alerts → remaining backlog
    • KPIs: Critical alerts 5→0, High-severity 15→5 (90-day window)
    • Governance: max 3 items/run, opt-out labels, discovery scoped to githubnext/gh-aw
    • Risk level: high (requires 2 approvals + sponsor)
    • Owner: @mnkiefer
  • Generated orchestrator .github/workflows/security-alert-burndown.campaign.lock.yml

    • Compiled from spec via gh aw compile
    • Runs daily, coordinates worker workflows
    • Project integration at https://github.com/orgs/githubnext/projects/130

Campaign Structure

id: security-alert-burndown
workflows:
  - code-scanning-fixer   # every 30m, creates PRs
  - security-fix-pr       # every 4h, submits autofixes
tracker-label: campaign:security-alert-burndown
project-url: https://github.com/orgs/githubnext/projects/130
governance:
  max-new-items-per-run: 3
  max-discovery-items-per-run: 50
kpis:
  - name: Critical Security Alerts
    baseline: 5
    target: 0

Worker workflows use Copilot engine with GitHub MCP toolsets for code security operations.

Original prompt

This section gives details on the original issue you should resolve

<issue_title>Campaign: Security Alert Burndown</issue_title>
<issue_description>Write a campaign that burns down the code security alerts backlog. Focus on file write issues first, cluster alerts if possible (up to 3), and add comments to generated code for fixes. Use Claude for codegen, Copilot for campaign manager.


Campaign setup status

Status: Ready for PR review

What just happened

  • Created Project: #aw_90ee2db58e56 (Security Alert Burndown)
  • Created standard fields (status, campaign_id, worker_workflow, repository, priority, size, start_date, end_date) with proper single-select options
  • Created views: Campaign Roadmap (roadmap), Task Tracker (table), Progress Board (board)
  • Generated campaign spec: .github/workflows/security-alert-burndown.campaign.md
  • Selected workflows: code-scanning-fixer, security-fix-pr

What happens next

  1. Copilot Coding Agent will open a pull request with the generated files.
  2. You review the PR and merge it.
  3. After merge, run the orchestrator workflow from the Actions tab to activate the campaign.

Copilot Coding Agent handoff

  • Campaign ID: security-alert-burndown
  • Project URL: #aw_90ee2db58e56
  • Workflows: code-scanning-fixer, security-fix-pr

Run:

gh aw compile

Commit and include in the PR:

  • .github/workflows/security-alert-burndown.campaign.md
  • .github/workflows/security-alert-burndown.campaign.g.md
  • .github/workflows/security-alert-burndown.campaign.lock.yml

Acceptance checklist:

  • gh aw compile succeeds without errors
  • Orchestrator lock file updated with campaign configuration
  • PR opened and linked back to this issue (Campaign: Security Alert Burndown #11231)
  • All three campaign files committed

Campaign Overview

This campaign systematically burns down code security alerts with the following strategy:

Focus Areas:

  • Prioritizes file write security issues (highest risk)
  • Clusters related alerts (up to 3) for efficient remediation
  • Uses Claude for code generation with detailed security comments
  • All fixes go through PR review process

Workflows:

  • code-scanning-fixer: Runs every 30 minutes, automatically fixes high severity alerts
  • security-fix-pr: Runs every 4 hours, can be manually triggered for specific alerts

Risk Level: High (requires 2 approvals + sponsor)

Timeline:

  • Phase 1 (Weeks 1-2): High severity file write issues
  • Phase 2 (Weeks 3-4): Clustered alert remediation
  • Phase 3 (Week 5+): Remaining alerts cleanup

Documentation

  • Getting started: (redacted)
  • Flow & lifecycle: (redacted)
  • Campaign specs: (redacted)

Generated by [Agentic Campaign Generator](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})

Ahoy! This treasure was crafted by 🏴‍☠️ Agentic Campaign Generator</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
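The description above states the selection rules for each orchestrator run (file write alerts first, related alerts clustered up to 3, at most 3 new items and 50 discovered alerts per run) but the compiled lock file is not shown. The following Python is an added example, not code from this PR or from the gh-aw project, that implements that triage step over alert records shaped like GitHub's `GET /repos/{owner}/{repo}/code-scanning/alerts` response. The sample alerts are constructed for the example, and the set of CodeQL rule ids treated as "file write" issues is an assumption (the page does not list them).

```python
"""Added example: pick the alerts one burndown run should work on.

Rules taken from the campaign description: file-write alerts first, cluster
related alerts (same rule in the same file) up to 3 per cluster, never more
than 3 new work items per run, discovery capped at 50 alerts.
"""
from collections import defaultdict

# Constructed sample, shaped like the code-scanning alerts REST API (subset of fields).
SAMPLE_ALERTS = [
    {"number": 101, "state": "open",
     "rule": {"id": "js/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/files/write.js"}}},
    {"number": 102, "state": "open",
     "rule": {"id": "js/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/files/write.js"}}},
    {"number": 103, "state": "open",
     "rule": {"id": "js/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/files/write.js"}}},
    {"number": 104, "state": "open",
     "rule": {"id": "js/path-injection", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/files/write.js"}}},
    {"number": 105, "state": "open",
     "rule": {"id": "js/sql-injection", "security_severity_level": "critical"},
     "most_recent_instance": {"location": {"path": "src/db/query.js"}}},
    {"number": 106, "state": "open",
     "rule": {"id": "js/log-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "src/log.js"}}},
    {"number": 107, "state": "open",
     "rule": {"id": "js/log-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "src/log.js"}}},
    {"number": 108, "state": "dismissed",  # dismissed alerts must never be picked up
     "rule": {"id": "js/zipslip", "security_severity_level": "high"},
     "most_recent_instance": {"location": {"path": "src/unpack.js"}}},
    {"number": 109, "state": "open",
     "rule": {"id": "go/path-injection", "security_severity_level": "medium"},
     "most_recent_instance": {"location": {"path": "pkg/store/file.go"}}},
]

# Assumption: illustrative CodeQL rule ids whose sink is a file write.
FILE_WRITE_RULES = {
    "js/path-injection", "go/path-injection", "py/path-injection",
    "js/zipslip", "go/zipslip",
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

MAX_DISCOVERY_ITEMS_PER_RUN = 50  # governance.max-discovery-items-per-run
MAX_NEW_ITEMS_PER_RUN = 3         # governance.max-new-items-per-run
MAX_CLUSTER_SIZE = 3              # "clusters up to 3 alerts"


def is_file_write(alert):
    return alert["rule"]["id"] in FILE_WRITE_RULES


def alert_priority(alert):
    """Sort key: file-write alerts first, then by severity, then oldest alert."""
    sev = alert["rule"].get("security_severity_level") or "low"
    return (0 if is_file_write(alert) else 1, SEVERITY_RANK.get(sev, 9), alert["number"])


def discover(alerts, limit=MAX_DISCOVERY_ITEMS_PER_RUN):
    """Discovery: keep open alerts only, sorted before the cap is applied so the
    cap never drops a higher-priority alert that happened to be listed later."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    return sorted(open_alerts, key=alert_priority)[:limit]


def cluster(alerts, max_size=MAX_CLUSTER_SIZE):
    """Group alerts sharing a rule and a file; split groups larger than max_size."""
    groups = defaultdict(list)
    for a in alerts:
        path = a["most_recent_instance"]["location"]["path"]
        groups[(path, a["rule"]["id"])].append(a)
    clusters = []
    for members in groups.values():
        members.sort(key=alert_priority)
        for i in range(0, len(members), max_size):
            clusters.append(members[i:i + max_size])
    # A cluster inherits the priority of its best member.
    return sorted(clusters, key=lambda c: alert_priority(c[0]))


def plan_run(alerts, max_items=MAX_NEW_ITEMS_PER_RUN):
    """One orchestrator run: a list of work items, each a list of alert numbers
    that a single fix PR should address."""
    return [[a["number"] for a in c] for c in cluster(discover(alerts))[:max_items]]


if __name__ == "__main__":
    print(plan_run(SAMPLE_ALERTS))
```

With the sample data the first run yields `[[101, 102, 103], [104], [109]]`: four path-injection alerts in one file become a full cluster plus a one-alert remainder, and a medium file-write alert is scheduled ahead of the critical SQL injection because the campaign's Phase 1 puts file-write issues first. That ordering is a deliberate consequence of the spec, and it is worth noticing when reading the KPI "Critical alerts 5→0": a run that strictly follows "file write first" can leave critical non-file-write alerts untouched until Phase 3 unless the priority key is changed per phase.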
Copilot AI changed the title from "[WIP] Create campaign for security alert burndown" to "Add security-alert-burndown campaign spec" on Jan 22, 2026
Copilot AI requested a review from mnkiefer January 22, 2026 08:43
@mnkiefer
Contributor

@copilot updated owner, please recompile

@mnkiefer mnkiefer marked this pull request as ready for review January 22, 2026 08:54
Contributor Author

Copilot AI commented Jan 22, 2026

@copilot updated owner, please recompile

Recompiled successfully after owner update. The campaign compiles without errors and the owner is now set to @mnkiefer in the spec.

Copilot AI requested a review from mnkiefer January 22, 2026 08:55
@mnkiefer
Contributor

@copilot Wrong project board URL, get from issue context.

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 22, 2026

@copilot Wrong project board URL, get from issue context.

Fixed project URL to use organization format: https://github.com/orgs/githubnext/projects/90ee2db58e56. Campaign recompiled successfully (commit d803012).

@mnkiefer
Contributor

@copilot This is not a valid project number

Contributor Author

Copilot AI commented Jan 22, 2026

@copilot This is not a valid project number

You're right - 90ee2db58e56 is not a valid project number. The issue context shows "#aw_90ee2db58e56" which is a temporary reference. Could you provide the actual GitHub project number or URL? GitHub project URLs typically use numeric IDs like https://github.com/orgs/githubnext/projects/123.

@mnkiefer
Contributor

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 22, 2026

@copilot The project is https://github.com/orgs/githubnext/projects/130

Updated project URL to https://github.com/orgs/githubnext/projects/130. Campaign recompiled successfully (commit 79459d4).

@mnkiefer mnkiefer merged commit c647167 into main Jan 22, 2026
117 checks passed
@mnkiefer mnkiefer deleted the copilot/burn-down-security-alerts-29c41565-4708-44ec-b559-ef919df88b78 branch January 22, 2026 11:15


Development

Successfully merging this pull request may close these issues.

Campaign: Security Alert Burndown

2 participants