
SPO-480: Port getditto/ditto automated security patch action to getditto/react-ditto#87

Merged
John Cunningham (SausCode) merged 6 commits into master from
johncunningham/spo-480-port-getdittoditto-automated-security-patch-action-to
May 7, 2026

Conversation


@SausCode John Cunningham (SausCode) commented May 7, 2026

SPO-480: Port security patch automation to react-ditto

SPO-480

Summary

  • Adds .github/workflows/security-update-claude.yml — a thin caller workflow for Tines-driven automated security patching
  • The reusable workflow (Claude prompt, PR creation logic) lives in getditto/sec-tools-public; this file just forwards inputs and secrets
  • Named security-update-claude.yml to match what Tines dispatches

Prerequisites

  • ANTHROPIC_API_KEY secret provisioned
  • GH_TOKEN_SECURITY_PATCHES secret provisioned (IT pending)
  • SPO-893 merged in sec-tools-public (reusable workflow uses workflow_call)

Test plan

  • After prerequisites met, trigger a manual workflow dispatch with a test payload
  • Verify a fix PR is opened on this repo by the bot identity
  • Verify CI runs on the generated PR

Supersedes #85

John Cunningham (SausCode) and others added 6 commits May 7, 2026 09:45
Thin caller for Tines-driven automated security patching. The reusable
workflow (Claude prompt, PR creation logic) lives in
getditto/sec-tools-public; this file just forwards inputs and secrets.

Closes: SPO-480

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Match the original workflow's input type. Tines sends a plain string
via the API; choice was an unnecessary divergence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The reusable workflow needs contents: write and pull-requests: write,
and the caller must grant them since reusable workflow permissions are
constrained by the caller.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
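The description and commit messages above describe a thin caller workflow: a `workflow_dispatch` trigger with a plain `string` input, a caller-side `permissions` grant (reusable workflows cannot exceed what the caller grants), and explicit forwarding of the two named secrets. The file below is an added illustration of that pattern, not the merged file from this PR; the reusable workflow filename, its ref, the input name `advisory`, and the secret names the callee declares are assumptions.

```yaml
# .github/workflows/security-update-claude.yml (illustrative, not the merged file)
name: security-update-claude

on:
  workflow_dispatch:
    inputs:
      # Tines sends a plain string via the API, so the input is typed
      # `string` rather than `choice`. `advisory` is a placeholder name.
      advisory:
        description: Security advisory payload forwarded by Tines
        required: true
        type: string

# A reusable workflow can only use permissions the caller grants, so the
# caller must grant what the callee needs to push a fix branch and open a
# PR (contents: write, pull-requests: write) and nothing broader.
permissions:
  contents: write
  pull-requests: write

jobs:
  patch:
    # Pin the callee to a tag or commit SHA rather than a moving branch so
    # this repo does not silently pick up changed prompt or PR-creation
    # logic. REUSABLE_WORKFLOW.yml and REF are placeholders.
    uses: getditto/sec-tools-public/.github/workflows/REUSABLE_WORKFLOW.yml@REF
    with:
      advisory: ${{ inputs.advisory }}
    # Forward only the two secrets the PR lists. `secrets: inherit` would
    # expose every repository secret to the callee, which is wider than
    # the automation needs.
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      GH_TOKEN_SECURITY_PATCHES: ${{ secrets.GH_TOKEN_SECURITY_PATCHES }}
```

The test plan's manual dispatch corresponds to running this trigger with a sample `advisory` value and then confirming the resulting PR is opened by the bot identity and that CI runs on it.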
@SausCode John Cunningham (SausCode) marked this pull request as ready for review May 7, 2026 18:52

@kk-0110 Kevin Killoran (kk-0110) left a comment


lgtm

@SausCode John Cunningham (SausCode) merged commit f47e280 into master May 7, 2026
1 check passed
