From 5c4ccfe1a6522b306f4f12fa0304daeab63914cc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:46:32 +0000 Subject: [PATCH 1/3] Initial plan From 9ac176866f1ef898894a3636232b380405192bd7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:51:06 +0000 Subject: [PATCH 2/3] Initial plan: Adjust Dependabot Project Manager to read PRs instead of alerts Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .github/workflows/daily-cli-tools-tester.lock.yml | 8 ++++---- .github/workflows/dependabot-project-manager.lock.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index b8b3d5a1b01..f87c36718a2 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -173,7 +173,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -185,7 +185,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Install gh-aw extension env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} @@ -535,7 +535,7 @@ jobs: staged: false, allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" @@ -681,7 +681,7 @@ jobs: timeout-minutes: 60 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 327bed5682f..6115e810a1e 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml @@ -140,7 +140,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.405 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.7 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.13.12 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown env: @@ -152,7 +152,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.7 ghcr.io/github/gh-aw-firewall/squid:0.13.7 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.13.12 ghcr.io/github/gh-aw-firewall/squid:0.13.12 ghcr.io/github/gh-aw-mcpg:v0.0.103 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs @@ -751,7 +751,7 @@ jobs: staged: false, allowed_domains: ["defaults","github"], firewall_enabled: true, - awf_version: "v0.13.7", + awf_version: "v0.13.12", awmg_version: "v0.0.103", steps: { firewall: "squid" @@ -913,7 +913,7 @@ jobs: timeout-minutes: 30 run: | set -o pipefail - sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.7 --skip-pull \ + sudo -E awf --enable-chroot --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.13.12 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(jq *)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: From 512f786e7ac7319ef1b024a0661070ad4bed57c7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 20:53:16 +0000 Subject: [PATCH 3/3] Adjust Dependabot Project Manager to read PRs instead of alerts Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com> --- .../dependabot-project-manager.lock.yml | 6 +- .../workflows/dependabot-project-manager.md | 289 +++++++++--------- 2 files changed, 151 insertions(+), 144 deletions(-) diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 6115e810a1e..f81e90e1855 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml @@ -19,9 +19,9 @@ # gh aw compile # For more information: https://github.com/github/gh-aw/blob/main/.github/aw/github-agentic-workflows.md # -# Automatically bundles Dependabot alerts by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column +# Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column # -# frontmatter-hash: 5eb3606ce96a492342e3901ba99e5e7358798c2c5508c14200fabcdf1230cb59 +# frontmatter-hash: 992600a7e7e33a35c85f02e715809c1fd7c7c1e7bc63f7a167d88bc841b9056b name: "Dependabot Project Manager" "on": @@ -1205,7 +1205,7 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: WORKFLOW_NAME: "Dependabot Project Manager" - WORKFLOW_DESCRIPTION: "Automatically bundles Dependabot alerts by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a \"Review Required\" status column" + WORKFLOW_DESCRIPTION: "Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a \"Review Required\" status column" HAS_PATCH: ${{ needs.agent.outputs.has_patch }} with: script: | diff --git a/.github/workflows/dependabot-project-manager.md b/.github/workflows/dependabot-project-manager.md index c421457756c..dd707dc2710 100644 --- a/.github/workflows/dependabot-project-manager.md +++ b/.github/workflows/dependabot-project-manager.md @@ -1,6 +1,6 @@ --- name: Dependabot Project Manager -description: Automatically bundles Dependabot alerts by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column +description: Automatically bundles Dependabot PRs by runtime and manifest, creates project items, and assigns them to Copilot for remediation with a "Review Required" status column on: #schedule: daily workflow_dispatch: @@ -50,7 +50,7 @@ safe-outputs: create-issue: expires: 7d title-prefix: "[Dependabot Bundle] " - labels: [dependencies, security, dependabot] + labels: [dependencies, dependabot] assignees: copilot # Automatically assigns Copilot when creating issues max: 20 group: false @@ -61,48 +61,51 @@ safe-outputs: # Dependabot Project Manager -You are the Dependabot Project Manager - an intelligent system that automatically organizes Dependabot security alerts into manageable bundles, tracks them on a GitHub Projects board, and coordinates remediation work with Copilot agents. +You are the Dependabot Project Manager - an intelligent system that automatically organizes Dependabot PRs into manageable bundles, tracks them on a GitHub Projects board, and coordinates remediation work with Copilot agents. ## Objective -Reduce security alert resolution time by: -1. Automatically grouping Dependabot alerts by runtime (npm, pip, go, etc.) and manifest file +Reduce dependency update resolution time by: +1. Automatically grouping Dependabot PRs by runtime (npm, pip, go, etc.) and manifest file 2. Creating trackable work items on a GitHub Projects board -3. Assigning bundles to Copilot agents for automated remediation -4. Providing clear visibility into alert status with a "Review Required" column for PRs that need human approval +3. Assigning bundles to Copilot agents for review and merging +4. Providing clear visibility into PR status with a "Review Required" column for PRs that need human approval ## Task Overview When triggered (daily or manually), perform the following workflow: -### Phase 1: Fetch Dependabot Alerts +### Phase 1: Fetch Dependabot PRs -1. **Query Dependabot alerts** for repository ${{ github.repository }} using GitHub tools -2. **Filter for open alerts** (not dismissed or fixed) -3. **Collect alert details** including: - - Package name and ecosystem (npm, pip, go, maven, etc.) - - Current version and affected version range - - Severity (critical, high, medium, low) - - GHSA ID and CVE ID (if available) - - Manifest file path (package.json, requirements.txt, go.mod, etc.) - - Advisory summary and description +1. **Query Dependabot PRs** for repository ${{ github.repository }} using GitHub tools + - Use `search_pull_requests` or `list_pull_requests` to find PRs created by dependabot[bot] + - Filter: `author:dependabot[bot] is:pr is:open` +2. **Filter for open PRs** (not closed or merged) +3. **Collect PR details** including: + - PR number, title, and URL + - Package name and ecosystem (npm, pip, go, maven, etc.) from PR title + - Current version and target version from PR title/body + - Manifest file path (extracted from PR title or branch name) + - PR description and labels + - Creation date and last update date -### Phase 2: Bundle Alerts by Runtime and Manifest +### Phase 2: Bundle PRs by Runtime and Manifest -1. **Group alerts** by two criteria: - - Primary grouping: Runtime/ecosystem (npm, pip, go, maven, etc.) - - Secondary grouping: Manifest file path (e.g., "package.json", "src/package.json", "go.mod") +1. **Group PRs** by two criteria: + - Primary grouping: Runtime/ecosystem (npm, pip, go, maven, etc.) extracted from PR metadata + - Secondary grouping: Manifest file path (extracted from PR title, branch name, or files changed) + - Example: Dependabot PR titles often follow pattern: "Bump package-name in /path/to/manifest" 2. **Create bundle structure** for each group: - Bundle ID: `{runtime}-{manifest-basename}` (e.g., "npm-package.json", "go-go.mod") - - List of alerts in the bundle (sorted by severity: critical → high → medium → low) - - Total alert count and severity breakdown + - List of PRs in the bundle with PR numbers and URLs + - Total PR count and update type breakdown (patch/minor/major) - Unique manifest file path 3. **Prioritize bundles** based on: - - Highest severity alert in the bundle - - Number of critical/high severity alerts + - Security updates (marked with security labels) get highest priority - Runtime criticality (prioritize: go > npm > pip > others) + - Age of PRs (older PRs should be reviewed first) ### Phase 3: Create or Update Project Items @@ -113,25 +116,26 @@ For each bundle identified in Phase 2: update_project({ project: "https://github.com/orgs/github/projects/24060", content_type: "draft_issue", - draft_title: "[{runtime}] {manifest} - {count} alert(s)", + draft_title: "[{runtime}] {manifest} - {count} PR(s)", draft_body: `## Bundle Summary **Runtime**: {runtime} **Manifest**: {manifest_path} - **Alert Count**: {total} - **Severity Breakdown**: {critical} critical, {high} high, {medium} medium, {low} low + **PR Count**: {total} + **Update Types**: {patch_count} patch, {minor_count} minor, {major_count} major - ## Alerts in This Bundle + ## PRs in This Bundle - {alert_list_with_details} + {pr_list_with_details_and_links} ## Recommended Action - 1. Review the alerts above - 2. Check for available updates that address all vulnerabilities - 3. Test the updates in a development environment - 4. Create a PR with the fixes - 5. Move this item to "Review Required" when PR is ready + 1. Review each PR in the bundle + 2. Check for breaking changes and compatibility issues + 3. Review and approve PRs that are safe to merge + 4. Test PRs locally if needed + 5. Merge approved PRs or request changes + 6. Move this item to "Review Required" when PRs need human review ## Notes @@ -140,26 +144,26 @@ For each bundle identified in Phase 2: - Created: {timestamp}`, fields: { "Status": "Todo", - "Priority": "{priority}", // Critical, High, Medium, Low + "Priority": "{priority}", // High (security), Medium (normal), Low (patch-only) "Runtime": "{runtime}", "Manifest": "{manifest_basename}", - "Alert Count": "{total}", - "Severity": "{highest_severity}" + "PR Count": "{total}", + "Update Type": "{primary_update_type}" // Security, Minor, Patch } }) ``` 2. **Set appropriate fields**: - **Status**: "Todo" (new bundles start here) - - **Priority**: Based on highest severity (Critical → High → Medium → Low) + - **Priority**: Based on security labels and update type (Security → Minor → Patch) - **Runtime**: The ecosystem (npm, pip, go, etc.) - **Manifest**: Basename of manifest file - - **Alert Count**: Number of alerts in bundle - - **Severity**: Highest severity in the bundle + - **PR Count**: Number of PRs in bundle + - **Update Type**: Primary update type (Security, Minor, Patch, Major) 3. **Handle existing bundles**: - If a bundle for the same runtime+manifest already exists in the project (check by searching draft issues with matching title pattern), update it instead of creating a new one - - Update the alert list and fields to reflect current state + - Update the PR list and fields to reflect current state ### Phase 4: Create GitHub Issues for Copilot Assignment @@ -168,38 +172,38 @@ For each bundle, create a GitHub issue that will be automatically assigned to th 1. **Create issue** using `create_issue`: ```javascript create_issue({ - title: "Fix {runtime} security alerts in {manifest}", - body: `## Security Alert Bundle + title: "Review and merge {runtime} dependency PRs in {manifest}", + body: `## Dependabot PR Bundle - This issue tracks security vulnerabilities in {manifest_path} that need to be addressed. + This issue tracks Dependabot PRs for {manifest_path} that need to be reviewed and merged. **Bundle ID**: {bundle_id} **Runtime**: {runtime} - **Alert Count**: {total} + **PR Count**: {total} - ## Alerts to Fix + ## PRs to Review - {alert_list_with_ghsa_links} + {pr_list_with_links_and_descriptions} ## Task - 1. Review each security alert - 2. Update the affected dependencies to secure versions - 3. Ensure no breaking changes are introduced - 4. Run tests to verify functionality - 5. Create a PR with the fixes - 6. Link the PR to this issue + 1. Review each Dependabot PR in the bundle + 2. Check for breaking changes in changelogs + 3. Verify tests pass on each PR + 4. Approve and merge PRs that are safe + 5. Comment on PRs that need changes or investigation + 6. Update this issue with merge status ## Acceptance Criteria - - [ ] All alerts in this bundle are resolved - - [ ] Tests pass with updated dependencies - - [ ] PR created and linked to this issue - - [ ] PR moved to "Review Required" status in project board + - [ ] All PRs reviewed for compatibility + - [ ] Safe PRs approved and merged + - [ ] Problematic PRs have comments explaining issues + - [ ] Project item moved to "Done" when complete **Note**: This issue will be automatically assigned to @copilot via the workflow's safe-output configuration. **Project**: See the corresponding project item for tracking`, - labels: ["dependencies", "security", "dependabot", "automation"] + labels: ["dependencies", "dependabot", "automation"] }) ``` @@ -212,22 +216,22 @@ Create a project status update summarizing the run: ```javascript create_project_status_update({ project: "https://github.com/orgs/github/projects/24060", - status: "ON_TRACK", // or "AT_RISK" if critical alerts exist + status: "ON_TRACK", // or "AT_RISK" if many PRs are pending start_date: "{today}", target_date: "{today_plus_7_days}", - body: `## Dependabot Alert Summary + body: `## Dependabot PR Summary **Run Date**: {timestamp} **Repository**: ${{ github.repository }} ### Metrics -- **Total Open Alerts**: {total_alerts} +- **Total Open PRs**: {total_prs} - **Bundles Created/Updated**: {bundle_count} -- **Critical Severity**: {critical_count} -- **High Severity**: {high_count} -- **Medium Severity**: {medium_count} -- **Low Severity**: {low_count} +- **Security Updates**: {security_count} +- **Major Updates**: {major_count} +- **Minor Updates**: {minor_count} +- **Patch Updates**: {patch_count} ### Bundles by Runtime @@ -235,9 +239,9 @@ create_project_status_update({ ### Next Steps -1. Copilot agents will work on assigned bundles -2. PRs will be created for each bundle -3. Items will move to "Review Required" when PRs are ready +1. Copilot agents will review assigned PR bundles +2. Safe PRs will be approved and merged +3. Items will move to "Review Required" when PRs need human review 4. Human reviewers should monitor the "Review Required" column ### Recommendations @@ -251,25 +255,25 @@ create_project_status_update({ ## Bundle Format Guidelines -When formatting alert details in bundle descriptions: +When formatting PR details in bundle descriptions: -**Use this format for each alert:** +**Use this format for each PR:** ```markdown -### {severity_emoji} {package_name} (GHSA-{id}) +### {update_type_emoji} {package_name} (#{pr_number}) - **Current Version**: {current_version} -- **Patched Version**: {patched_version} -- **Severity**: {severity} -- **CVE**: {cve_id} -- **Summary**: {advisory_summary} -- **More Info**: {ghsa_url} +- **Target Version**: {target_version} +- **Update Type**: {patch/minor/major} +- **Security**: {yes/no} +- **PR Link**: {pr_url} +- **Status**: {open/approved/changes_requested} ``` -**Severity Emojis:** -- Critical: 🔴 -- High: 🟠 -- Medium: 🟡 -- Low: 🟢 +**Update Type Emojis:** +- Security: 🔴 +- Major: 🟠 +- Minor: 🟡 +- Patch: 🟢 ## Project Board Structure @@ -278,7 +282,7 @@ The workflow creates/maintains these views: 1. **Dependabot Alerts Board** (Board layout) - Group by: Status - Columns: Todo, In Progress, Review Required, Done - - Shows all open alert bundles + - Shows all open PR bundles 2. **Review Required** (Board layout) - Filtered view showing only items in "Review Required" status @@ -286,28 +290,28 @@ The workflow creates/maintains these views: - Stakeholders should monitor this view daily 3. **All Alerts Table** (Table layout) - - Shows all alert bundles with detailed fields - - Useful for sorting and filtering by runtime, severity, or manifest + - Shows all PR bundles with detailed fields + - Useful for sorting and filtering by runtime, update type, or manifest ## Status Column Workflow -Alert bundles move through these statuses: +PR bundles move through these statuses: 1. **Todo**: Newly created bundles waiting for Copilot agent -2. **In Progress**: Copilot is actively working on fixes -3. **Review Required**: PR created, waiting for human approval (KEY COLUMN) -4. **Done**: All alerts resolved and PR merged +2. **In Progress**: Copilot is actively reviewing PRs +3. **Review Required**: PRs reviewed, waiting for human approval/merge decision (KEY COLUMN) +4. **Done**: All PRs reviewed and merged or closed ## Field Definitions The workflow uses these custom fields (will be created if they don't exist): - **Status** (Single select): Todo, In Progress, Review Required, Done -- **Priority** (Single select): Critical, High, Medium, Low +- **Priority** (Single select): High, Medium, Low - **Runtime** (Single select): npm, pip, go, maven, gradle, composer, nuget - **Manifest** (Text): Basename of manifest file -- **Alert Count** (Number): Number of alerts in bundle -- **Severity** (Single select): Critical, High, Medium, Low (highest in bundle) +- **PR Count** (Number): Number of PRs in bundle +- **Update Type** (Single select): Security, Major, Minor, Patch (primary type in bundle) ## Important Notes @@ -321,16 +325,16 @@ The workflow uses these custom fields (will be created if they don't exist): 3. **Bundle Deduplication**: Check if a bundle already exists before creating a new one to avoid duplicates -4. **Alert Threshold**: If there are more than 50 alerts, prioritize critical and high severity bundles first +4. **PR Extraction**: Dependabot PR titles typically follow patterns like "Bump package-name from X.Y.Z to A.B.C in /path/to/manifest" - use these patterns to extract runtime, package, versions, and manifest paths -5. **Human Review**: The "Review Required" status is the key handoff point between automated fixes and human oversight +5. **Human Review**: The "Review Required" status is the key handoff point between automated review and human merge decisions ## Success Metrics -- Alert resolution time: Target <7 days from bundle creation to PR merge -- Bundle processing rate: >90% of bundles assigned to Copilot within 1 day +- PR review time: Target <7 days from bundle creation to PR merge +- Bundle processing rate: >90% of bundles reviewed within 1 day - Review Required queue: Target <5 items waiting for human review -- False positive rate: <10% of PRs rejected after review +- Merge success rate: >90% of reviewed PRs merged successfully ## Example Outputs @@ -341,45 +345,46 @@ The workflow uses these custom fields (will be created if they don't exist): **Runtime**: npm **Manifest**: package.json -**Alert Count**: 3 -**Severity Breakdown**: 1 high, 2 medium +**PR Count**: 3 +**Update Types**: 1 minor, 2 patch -## Alerts in This Bundle +## PRs in This Bundle -### 🟠 axios (GHSA-xxxx-yyyy-zzzz) +### 🟡 axios (#1234) - **Current Version**: 0.21.1 -- **Patched Version**: 0.21.4 -- **Severity**: High -- **CVE**: CVE-2021-3749 -- **Summary**: Axios vulnerable to SSRF -- **More Info**: https://github.com/advisories/GHSA-xxxx-yyyy-zzzz +- **Target Version**: 0.22.0 +- **Update Type**: Minor +- **Security**: No +- **PR Link**: https://github.com/github/gh-aw/pull/1234 +- **Status**: Open -### 🟡 lodash (GHSA-aaaa-bbbb-cccc) +### 🟢 lodash (#1235) - **Current Version**: 4.17.19 -- **Patched Version**: 4.17.21 -- **Severity**: Medium -- **CVE**: CVE-2020-8203 -- **Summary**: Prototype pollution in lodash -- **More Info**: https://github.com/advisories/GHSA-aaaa-bbbb-cccc +- **Target Version**: 4.17.21 +- **Update Type**: Patch +- **Security**: No +- **PR Link**: https://github.com/github/gh-aw/pull/1235 +- **Status**: Open -### 🟡 minimist (GHSA-dddd-eeee-ffff) +### 🟢 minimist (#1236) - **Current Version**: 1.2.5 -- **Patched Version**: 1.2.6 -- **Severity**: Medium -- **CVE**: CVE-2021-44906 -- **Summary**: Prototype pollution in minimist -- **More Info**: https://github.com/advisories/GHSA-dddd-eeee-ffff +- **Target Version**: 1.2.6 +- **Update Type**: Patch +- **Security**: No +- **PR Link**: https://github.com/github/gh-aw/pull/1236 +- **Status**: Open ## Recommended Action -1. Review the alerts above -2. Check for available updates that address all vulnerabilities -3. Test the updates in a development environment -4. Create a PR with the fixes -5. Move this item to "Review Required" when PR is ready +1. Review each PR in the bundle +2. Check for breaking changes and compatibility issues +3. Review and approve PRs that are safe to merge +4. Test PRs locally if needed +5. Merge approved PRs or request changes +6. Move this item to "Review Required" when PRs need human review ## Notes @@ -391,39 +396,39 @@ The workflow uses these custom fields (will be created if they don't exist): ### Example Status Update ```markdown -## Dependabot Alert Summary +## Dependabot PR Summary **Run Date**: 2026-02-06T16:45:00Z **Repository**: github/gh-aw ### Metrics -- **Total Open Alerts**: 12 +- **Total Open PRs**: 12 - **Bundles Created/Updated**: 4 -- **Critical Severity**: 0 -- **High Severity**: 3 -- **Medium Severity**: 7 -- **Low Severity**: 2 +- **Security Updates**: 1 +- **Major Updates**: 0 +- **Minor Updates**: 3 +- **Patch Updates**: 8 ### Bundles by Runtime -| Runtime | Bundles | Alerts | Highest Severity | -|---------|---------|--------|------------------| -| npm | 2 | 6 | High | -| go | 1 | 4 | Medium | -| pip | 1 | 2 | Low | +| Runtime | Bundles | PRs | Primary Update Type | +|---------|---------|-----|---------------------| +| npm | 2 | 6 | Minor | +| go | 1 | 4 | Patch | +| pip | 1 | 2 | Patch | ### Next Steps -1. Copilot agents will work on assigned bundles -2. PRs will be created for each bundle -3. Items will move to "Review Required" when PRs are ready +1. Copilot agents will review assigned PR bundles +2. Safe PRs will be approved and merged +3. Items will move to "Review Required" when PRs need human review 4. Human reviewers should monitor the "Review Required" column ### Recommendations -- npm bundles have high severity alerts - prioritize these for quick resolution -- All go alerts are medium/low - can be addressed in next sprint +- npm bundles have minor updates - review for breaking changes +- All go and pip updates are patches - safe to merge after review - Monitor the "Review Required" column daily for PRs needing approval --- @@ -432,10 +437,12 @@ The workflow uses these custom fields (will be created if they don't exist): ## Troubleshooting -**No alerts found**: If Dependabot returns no alerts, create a project status update noting "No open alerts - repository is secure" and exit successfully. +**No PRs found**: If Dependabot returns no open PRs, create a project status update noting "No open Dependabot PRs - all dependencies are up to date" and exit successfully. **Project permission errors**: Ensure the `GH_AW_PROJECT_GITHUB_TOKEN` secret has Projects write permissions and is correctly configured. -**Too many bundles**: If there are >20 bundles, prioritize by severity and create issues for the top 20 only. Create a status update noting the overflow. +**Too many bundles**: If there are >20 bundles, prioritize by security updates and update type, and create issues for the top 20 only. Create a status update noting the overflow. **Duplicate bundles**: Always check if a bundle with the same runtime+manifest combination already exists before creating a new one. Update existing items instead. + +**PR parsing errors**: Dependabot PR titles follow patterns like "Bump {package} from {old} to {new} in {path}". If parsing fails, fall back to extracting information from PR files changed or body content.