Contributor

Copilot AI commented Jan 14, 2026

  • Create workflow file: code-scanning-fixer.md
  • Configure schedule trigger to run every 30 minutes
  • Add GitHub code security toolsets for accessing code scanning alerts
  • Add cache-memory for tracking fixed alerts (prevents duplicate fixes)
  • Configure skip-if-match to prevent running when PR is already open
  • Write agent prompt with instructions to:
    • Filter for high severity alerts only
    • Check cache to avoid re-fixing same alert
    • Create fixes and PRs for new alerts
    • Store fixed alerts in cache with timestamp and PR number
  • Compile workflow to generate lock file
  • Test workflow compilation (no errors)
  • Verify workflow functionality
  • Run formatting and linting

✅ All Requirements Met

1. Fix Code Scanning Alerts

Implementation: Uses GitHub code scanning API (list_code_scanning_alerts and get_code_scanning_alert) to discover and analyze security vulnerabilities

2. High Severity Only

Implementation: Filters alerts with severity: high exclusively. The prompt explicitly states "Filter the results to only include alerts with severity: high"

3. Every 30 Minutes Schedule

Implementation: Runs every 30 minutes via schedule: every 30m (compiled to cron: */30 * * * *)

  • Provides rapid response to security alerts
  • Processes one alert per run for safety

4. Track Old Findings (No Duplicates)

Implementation: Uses cache-memory at /tmp/gh-aw/cache-memory/fixed-alerts.jsonl to store:

{"alert_number": 123, "fixed_at": "2024-01-15T10:30:00Z", "pr_number": 456}

  • Step 1: Checks cache before selecting alerts
  • Step 8: Records fixed alerts after creating PR
  • Prevents re-fixing the same finding

5. Skip if Open PR Exists

Implementation: Uses skip-if-match: 'is:pr is:open in:title "[code-scanning-fix]"'

  • Workflow will not run if there's already an open PR with "[code-scanning-fix]" in the title
  • Prevents creating duplicate PRs
  • Ensures one active fix PR at a time

🔒 Security Features

  • Minimal Permissions: Read-only access (contents, PRs, security-events)
  • Safe Operation: All fixes go through PR review
  • One Alert Per Run: Conservative approach to minimize risk
  • Skip Logic: Won't run if there's already an open fix PR

📦 Files Created

  1. .github/workflows/code-scanning-fixer.md (6.7 KB) - Workflow definition
  2. .github/workflows/code-scanning-fixer.lock.yml (66 KB) - Compiled GitHub Actions workflow

🚀 How It Works

  1. Every 30 Minutes: Runs automatically every half hour
  2. Check for Open PR: Skips if there's already an open "[code-scanning-fix]" PR
  3. Load Cache: Reads previously fixed alerts
  4. Query Alerts: Gets all open high severity alerts from GitHub
  5. Select New Alert: Picks first alert not in cache
  6. Analyze & Fix: Reviews code, creates security fix
  7. Create PR: Submits pull request with fix details
  8. Update Cache: Records alert to prevent duplicate work

✅ Format & Lint

  • make fmt - Formatting complete
  • make lint - All validations passed


Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
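The comment above describes a dedup and skip cycle (check for an open fix PR, load the JSONL cache, pick the first unfixed high-severity alert, record it after the PR is opened) without showing the logic itself. The following is an added example, not code from this PR or from the gh-aw project: it models that cycle in plain Python so the selection rules can be run against constructed input. The alert dicts (flat `number`, `state`, `severity` keys), the PR title list and the temp-file cache path are assumptions standing in for the GitHub API responses and for /tmp/gh-aw/cache-memory/fixed-alerts.jsonl; the record shape is the one quoted in the comment.

```python
"""Added example: alert selection and dedup cache modelled after the PR comment.

Assumptions (not from the page): alerts are flat dicts with number/state/severity,
open PRs are passed as a list of titles, and the cache lives in a temp directory.
"""
import json
import os
import tempfile
from datetime import datetime, timezone

# Title tag taken from the page's skip-if-match query.
FIX_PR_MARKER = "[code-scanning-fix]"


def load_fixed_alerts(cache_path):
    """Return the set of alert numbers already recorded in the JSONL cache."""
    fixed = set()
    if not os.path.exists(cache_path):
        return fixed
    with open(cache_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                fixed.add(int(json.loads(line)["alert_number"]))
            except (ValueError, KeyError, TypeError):
                # A corrupt line is ignored rather than aborting the run;
                # the alert it referred to simply counts as not yet fixed.
                continue
    return fixed


def has_open_fix_pr(open_pr_titles):
    """Equivalent of skip-if-match: any open PR tagged as a fix PR blocks the run."""
    return any(FIX_PR_MARKER in title for title in open_pr_titles)


def select_next_alert(alerts, fixed):
    """First open alert with severity 'high' that is not in the cache, else None."""
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        if alert.get("severity") != "high":
            continue
        if alert["number"] in fixed:
            continue
        return alert
    return None


def record_fixed_alert(cache_path, alert_number, pr_number, now=None):
    """Append one record in the shape shown in the PR description."""
    now = now or datetime.now(timezone.utc)
    rec = {
        "alert_number": alert_number,
        "fixed_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "pr_number": pr_number,
    }
    with open(cache_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec) + "\n")
    return rec


def run_once(alerts, open_pr_titles, cache_path, pr_number_to_assign):
    """One scheduled run: skip check, cache load, select one alert, record it."""
    if has_open_fix_pr(open_pr_titles):
        return {"status": "skipped", "reason": "open fix PR"}
    fixed = load_fixed_alerts(cache_path)
    alert = select_next_alert(alerts, fixed)
    if alert is None:
        return {"status": "idle", "reason": "no new high-severity alerts"}
    # The code change and PR creation are the agent's job; here the caller
    # supplies the PR number the run would have opened.
    rec = record_fixed_alert(cache_path, alert["number"], pr_number_to_assign)
    return {"status": "fixed", "alert_number": alert["number"], "record": rec}


# Constructed sample alerts (not real findings).
SAMPLE_ALERTS = [
    {"number": 101, "state": "open", "severity": "medium"},
    {"number": 123, "state": "open", "severity": "high"},
    {"number": 124, "state": "open", "severity": "high"},
    {"number": 125, "state": "fixed", "severity": "high"},
]


def demo():
    """Three consecutive runs: one fix, one skip, one idle."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "fixed-alerts.jsonl")
        # Seed the cache with the record quoted in the PR description.
        record_fixed_alert(cache, 123, 456,
                           datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
        r1 = run_once(SAMPLE_ALERTS, ["Fix typo in README"], cache, 457)
        r2 = run_once(SAMPLE_ALERTS, ["[code-scanning-fix] Fix alert #124"], cache, 458)
        r3 = run_once(SAMPLE_ALERTS, [], cache, 458)
        return r1, r2, r3


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first run skips alert 101 (medium) and alert 123 (already cached) and records alert 124; the second run is blocked by the open tagged PR; the third finds nothing left because alert 125 is not open. Reading the cache as a set of numbers is what makes a half-hourly schedule safe against re-fixing the same finding.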
Copilot AI changed the title from "[WIP] Fix high severity code scanning alerts" to "Add weekly agentic workflow to auto-fix high severity code scanning alerts" Jan 14, 2026
Copilot AI requested a review from eaftan January 14, 2026 23:02
@pelikhan
Contributor

@copilot format, lint

@pelikhan
Contributor

@copilot format, lint

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot format, lint

Done. Ran make fmt and make lint - all checks passed. Formatting removed trailing whitespace from 3 Go files (commit 3c36a4b).

Copilot AI requested a review from pelikhan January 14, 2026 23:18
@pelikhan pelikhan marked this pull request as ready for review January 14, 2026 23:19
@pelikhan
Contributor

@copilot run every 30 minutes, skip if another PR created by the workflow is still open

Contributor Author

Copilot AI commented Jan 14, 2026

@copilot format, lint

Already done in commit 3c36a4b. Re-ran both commands now - all checks still passing with no additional changes needed.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot run every 30 minutes, skip if another PR created by the workflow is still open

Done in commit 4f8412b. Changed schedule from weekly to every 30m (runs every 30 minutes). The workflow already has skip-if-match configured to skip execution when there's an open PR with "[code-scanning-fix]" in the title.

Copilot AI changed the title from "Add weekly agentic workflow to auto-fix high severity code scanning alerts" to "Add agentic workflow to auto-fix high severity code scanning alerts every 30 minutes" Jan 14, 2026
@pelikhan pelikhan merged commit 1c862de into main Jan 15, 2026
@pelikhan pelikhan deleted the copilot/fix-code-scanning-alerts branch January 15, 2026 00:31