fix security-alert-burndown: clarify safe-output call sequence

[Copilot]

The security alert burndown workflow created issues but failed to add them to the project board or assign them to agents. The agent executed only 1 of 3 required safe-output calls.

Root Cause

Step 4 instructions listed three required calls but interrupted them with bundling context:

After updating project items, you must complete all three actions below in order:
1. Create the parent tracking issue
2. Add the issue to the project board
3. Assign the issue to the Copilot agent

**Selection Criteria:**
1. Review all discovered PRs
2. Group by runtime...
[70 lines of bundling rules]

**Action 1: Create the parent issue**
[instructions for create_issue]

**Action 2: Add issue to project board**
[instructions for update_project]
...

The agent created the issue, but the intervening context caused it to skip the subsequent update_project and assign_to_agent calls.

Changes

Restructured Step 4 for sequential clarity:

### Step 4: Create parent issue and assign work

First complete the bundling analysis below, then immediately perform 
all three safe-output calls in sequence.

#### Bundling Analysis (Do This First)
[Analysis and rules moved here]

#### Required Safe-Output Calls (All Three Required):
After completing bundling analysis, immediately perform:

1. Call create_issue
2. Call update_project
3. Call assign_to_agent

#### Safe-Output Call #1: Create the Issue
[create_issue instructions with temporary ID capture]

#### Safe-Output Call #2: Add Issue to Project Board
[update_project instructions using temporary ID]

#### Safe-Output Call #3: Assign to Agent
[assign_to_agent instructions using temporary ID]

Added concrete example:

If create_issue returned aw_sec2026012901, then:
- Call #2: update_project(..., content_number="aw_sec2026012901", ...)
- Call #3: assign_to_agent(issue_number="aw_sec2026012901", ...)

The sequential structure (analysis → call #1 → call #2 → call #3) makes the required flow obvious and uninterruptible.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/githubnext/gh-aw/issues/12462
  • Triggering command: /usr/bin/curl curl -s -H Accept: application/vnd.github+json REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Fix security alert burndown campaign:

• Not adding newly created issue to project board
• Not assigning newly created issue to agent
  https://github.com/githubnext/gh-aw/actions/runs/21467934386

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.