This repository was archived by the owner on May 13, 2026. It is now read-only.
fix.yaml
103 lines (85 loc) · 3.63 KB
name: "[SecurityEngineer] Fix Security Issue"
description: Fixes a vulnerability finding from Linear for the current repository
triggers:
  - manual: {}
context:
  projects: {}
action:
  limits:
    maxParallel: 1
    maxTotal: 10
  steps:
    - agent:
        prompt: |
          Select a vulnerability finding to fix.
          1. Fetch issues from Linear (team: "Ona AI Security Engineer", label: "finding")
          2. Filter to issues containing "{{repository_name}}" in title/description
          3. If none found, report "No findings for {{repository_name}}" and STOP
          4. Select one at random and report: "Selected [identifier]: [title]"
          If list_issues returns empty, try querying by repo name instead of team/label.
          Extract: issue_id, identifier, advisory ID (CVE/GHSA/vendor), affected package/version, fixed version, file locations.
    - agent:
        prompt: |
          Check if the selected vulnerability is already fixed.
          1. Read affected files and dependency files for the vulnerable version
          2. Search PRs (open and merged) for the advisory ID or package name
          If ALREADY FIXED:
          - Identify the fixing PR
          - Report: "Already fixed by PR #[number]"
          If NEEDS FIX:
          - Determine fix type: dependency_upgrade, code_migration, config_change, or code_replacement
          - Identify files to modify and target version
          - Report: "Needs fix: [description]"
    - agent:
        prompt: |
          Handle the vulnerability based on fix status.
          If ALREADY FIXED:
          - Comment on Linear issue documenting the existing PR and evidence
          - Report: "Linked existing PR to [identifier]"
          - STOP (do not create new PR)
          If NEEDS FIX:
          - Implement the fix (update dependencies, migrate code, etc.)
          - Run tests if available
          - Stage changes with git add
          - Report: "Implemented: [description]"
    - agent:
        prompt: |
          Verify the fix works.
          1. Build: Run relevant build commands. Fix errors until build succeeds.
          2. Test: Run tests covering changed code. Fix failures until tests pass.
          3. Execute: Run any changed scripts/executables to confirm behavior.
          4. Report: Summarize what was executed and the results.
    - pullRequest:
        branch: jonas/{{linear_issue_id}}-fix
        description: Automated security fix by Ona Agent.
        draft: false
        title: "fix: security vulnerability remediation"
    - agent:
        prompt: |
          Document the completed fix.
          If existing PR was linked (no new PR created):
          - Report summary and STOP
          If new fix was implemented:
          - Comment on Linear issue with: change description, files modified, test results
          - Generate summary with repository, issue, changes, and next steps
    - report:
        outputs:
          - key: action_taken
            title: Action Taken
            string: {}
            prompt: |
              Return ONLY: LINKED_EXISTING_PR, IMPLEMENTED_FIX, or NO_ISSUES_FOUND
          - key: issue_identifier
            title: Issue Processed
            string: {}
            prompt: Return ONLY the Linear issue identifier, or "none"
          - key: fix_type
            title: Fix Type
            string: {}
            prompt: |
              Return ONLY: dependency_upgrade, code_migration, config_change, code_replacement, or "n/a"
          - key: files_modified
            title: Files Modified
            string: {}
            prompt: |
              Return ONLY comma-separated file paths, or "none"