quickstart/.github/workflows/security-update.yml at 26cc3c664313bac84b4f6af86c5205c8978249d0 · getditto/quickstart · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Per-repo caller workflow.
# Copy this file into each repo that should receive automated security fixes.
# The reusable workflow lives in getditto/.github.
# See TINES_AUTOMATION.md for the full design.

name: Security Update

on:
  workflow_dispatch:
    inputs:
      ecosystem:
        description: 'Package ecosystem (npm, cargo, docker, go, python)'
        required: true
        type: choice
        options:
          - npm
          - cargo
          - docker
          - go
          - python
      alerts:
        description: 'JSON array of {package, version, cve, manifest}'
        required: true
        type: string
      linear_tickets:
        description: 'Comma-separated Linear ticket IDs'
        required: false
        type: string
      batch_id:
        description: 'Unique batch identifier'
        required: true
        type: string
      reviewers:
        description: 'Comma-separated GitHub teams/users to request review from'
        required: false
        type: string
        default: 'security-team,copilot'

jobs:
  fix:
    uses: getditto/.github/.github/workflows/security-update-claude.yml@main
    with:
      ecosystem: ${{ inputs.ecosystem }}
      alerts: ${{ inputs.alerts }}
      linear_tickets: ${{ inputs.linear_tickets }}
      batch_id: ${{ inputs.batch_id }}
      reviewers: ${{ inputs.reviewers }}
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}