From 212a2ed5139b9cbb4c3876abcf43fad02eb1c6ee Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 09:45:28 -0700
Subject: [PATCH 1/6] SPO-480: Port getditto/ditto automated security patch action to getditto/react-ditto

From dc5a03ad80b059e9786a0e21a3127fc9fdb9ef87 Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 09:47:43 -0700
Subject: [PATCH 2/6] Add security-update caller workflow pointing to sec-tools-public

Thin caller for Tines-driven automated security patching. The reusable workflow (Claude prompt, PR creation logic) lives in getditto/sec-tools-public; this file just forwards inputs and secrets.

Closes: SPO-480
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-update-claude.yml | 48 ++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/security-update-claude.yml

diff --git a/.github/workflows/security-update-claude.yml b/.github/workflows/security-update-claude.yml
new file mode 100644
index 0000000..e1449d4
--- /dev/null
+++ b/.github/workflows/security-update-claude.yml
@@ -0,0 +1,48 @@
+# Per-repo caller workflow for automated security patching.
+# The reusable workflow lives in getditto/sec-tools-public.
+
+name: Security Update
+
+on:
+ workflow_dispatch:
+ inputs:
+ ecosystem:
+ description: "Package ecosystem (npm, cargo, docker, go, python)"
+ required: true
+ type: choice
+ options:
+ - npm
+ - cargo
+ - docker
+ - go
+ - python
+ alerts:
+ description: "JSON array of {package, version, cve, manifest}"
+ required: true
+ type: string
+ linear_tickets:
+ description: "Comma-separated Linear ticket IDs"
+ required: false
+ type: string
+ batch_id:
+ description: "Unique batch identifier"
+ required: true
+ type: string
+ reviewers:
+ description: "Comma-separated GitHub teams/users to request review from"
+ required: false
+ type: string
+ default: "security-team,copilot"
+
+jobs:
+ fix:
+ uses: getditto/sec-tools-public/.github/workflows/security-update-claude.yml@main
+ with:
+ ecosystem: ${{ inputs.ecosystem }}
+ alerts: ${{ inputs.alerts }}
+ linear_tickets: ${{ inputs.linear_tickets }}
+ batch_id: ${{ inputs.batch_id }}
+ reviewers: ${{ inputs.reviewers }}
+ secrets:
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+ GH_TOKEN_SECURITY_PATCHES: ${{ secrets.GH_TOKEN_SECURITY_PATCHES }}

From 795c4640a2284a8cd25898b4bba70caf683504ef Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 11:00:07 -0700
Subject: [PATCH 3/6] Revert ecosystem input to type: string

Match the original workflow's input type. Tines sends a plain string via the API; choice was an unnecessary divergence.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-update-claude.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/.github/workflows/security-update-claude.yml b/.github/workflows/security-update-claude.yml
index e1449d4..6dee899 100644
--- a/.github/workflows/security-update-claude.yml
+++ b/.github/workflows/security-update-claude.yml
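Review bot: The reusable workflow is pulled in by a mutable branch ref, `uses: getditto/sec-tools-public/.github/workflows/security-update-claude.yml@main`, while the `secrets:` block hands it `ANTHROPIC_API_KEY` and `GH_TOKEN_SECURITY_PATCHES`, so anything that lands on that branch runs in this repository with those credentials. Pin the caller to a full commit SHA (`@<full-commit-sha>`, placeholder) or at least a protected release tag, and bump it deliberately; reusable-workflow refs accept a SHA the same way `uses:` on an action does. The `alerts` input is a free-form JSON string that the caller cannot validate; presumably the reusable workflow parses it before it reaches any shell step, which is worth confirming in sec-tools-public since it is outside this patch. Passing the two secrets explicitly rather than with `secrets: inherit` is the right call and should stay that way.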
@@ -9,13 +9,7 @@ on:
 ecosystem:
 description: "Package ecosystem (npm, cargo, docker, go, python)"
 required: true
- type: choice
- options:
- - npm
- - cargo
- - docker
- - go
- - python
+ type: string
 alerts:
 description: "JSON array of {package, version, cve, manifest}"
 required: true

From d92fde39031b56778f3796891a83d3f5f52f4793 Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 11:01:24 -0700
Subject: [PATCH 4/6] Add explicit permissions block to security-update caller

The reusable workflow needs contents: write and pull-requests: write, and the caller must grant them since reusable workflow permissions are constrained by the caller.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-update-claude.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/security-update-claude.yml b/.github/workflows/security-update-claude.yml
index 6dee899..7380567 100644
--- a/.github/workflows/security-update-claude.yml
+++ b/.github/workflows/security-update-claude.yml
@@ -28,6 +28,10 @@ on:
 type: string
 default: "security-team,copilot"

+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 fix:
 uses: getditto/sec-tools-public/.github/workflows/security-update-claude.yml@main

From 6b89270347c7ee095a5c5c688fb33d6e87d54c0d Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 11:07:09 -0700
Subject: [PATCH 5/6] Restore original workflow name

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-update-claude.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-update-claude.yml b/.github/workflows/security-update-claude.yml
index 7380567..b105911 100644
--- a/.github/workflows/security-update-claude.yml
+++ b/.github/workflows/security-update-claude.yml
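Review bot: With `type: string` the caller no longer constrains `ecosystem` to the five values its description still lists, so an unexpected string is forwarded unchanged through `with:` to the reusable workflow. The commit message explains that Tines dispatches a plain string, which means the allowed-set check now has to live in getditto/sec-tools-public, outside this patch; confirm it rejects values other than `npm, cargo, docker, go, python` instead of falling through to a default code path. The reason for the looser type is visible only in the commit message, so record it in the file, e.g. `# type: string rather than choice on purpose — Tines dispatches a plain string via the API` above the `type: string` line.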
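Review bot: The new `permissions:` block sits at workflow level, so `contents: write` and `pull-requests: write` are granted to the `GITHUB_TOKEN` of every job, not only to the `fix` job that calls the reusable workflow; with a single job the effect is the same today, but moving it under `jobs.fix.permissions` keeps the grant scoped if more jobs are added later. The justification exists only in the commit message, so add it above the block, e.g. `# The caller's grant caps what the reusable workflow may use; it needs contents + pull-requests write for the branch push and PR creation`. The workflow also forwards `GH_TOKEN_SECURITY_PATCHES`; if that token performs the push and PR work, `GITHUB_TOKEN` may not need `contents: write` at all — worth checking against the reusable workflow before widening the default token.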
@@ -1,7 +1,7 @@
 # Per-repo caller workflow for automated security patching.
 # The reusable workflow lives in getditto/sec-tools-public.

-name: Security Update
+name: 'Security Dependency Update (Claude Code)'

 on:
 workflow_dispatch:

From d3fc9002caea4621bb9e52cfc43e7ea920e1b520 Mon Sep 17 00:00:00 2001
From: John Cunningham
Date: Thu, 7 May 2026 11:33:05 -0700
Subject: [PATCH 6/6] Rename job ID to avoid fix/fix display in Actions UI

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/security-update-claude.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-update-claude.yml b/.github/workflows/security-update-claude.yml
index b105911..de2d5b3 100644
--- a/.github/workflows/security-update-claude.yml
+++ b/.github/workflows/security-update-claude.yml
@@ -33,7 +33,7 @@ permissions:
 pull-requests: write

 jobs:
- fix:
+ forward-to-sec-tools-public:
 uses: getditto/sec-tools-public/.github/workflows/security-update-claude.yml@main
 with:
 ecosystem: ${{ inputs.ecosystem }}