Refactor automations: split into 3 command steps + agent prompt

1. Install gh CLI (skips if already present)
2. Authenticate gh via git credential helper
3. Fetch highest-severity alert via gh api, write to /tmp

Agent prompt then reads the JSON file instead of calling the API.

Co-authored-by: Ona <no-reply@ona.com>

Author: meysholdt

.ona/fix-codescan-alert.yaml

@@ -14,16 +14,21 @@ action:
     - task:
         command: |
           set -e
-          if ! command -v gh &>/dev/null; then
-            echo "Installing GitHub CLI..."
-            (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
-            sudo mkdir -p -m 755 /etc/apt/keyrings
-            out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
-            sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
-            echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
-            sudo apt update && sudo apt install gh -y
+          if command -v gh &>/dev/null; then
+            echo "gh already installed: $(gh --version | head -1)"
+            exit 0
           fi
+          echo "Installing GitHub CLI..."
+          (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
+          sudo mkdir -p -m 755 /etc/apt/keyrings
+          out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+          sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+          sudo apt update && sudo apt install gh -y
           echo "gh version: $(gh --version | head -1)"
+    - task:
+        command: |
+          set -e
           TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
           protocol=https
           host=github.com
@@ -32,14 +37,22 @@ action:
           )
           echo "$TOKEN" | gh auth login --with-token
           gh auth status
+    - task:
+        command: |
+          set -e
+          OWNER=$(gh repo view --json owner -q '.owner.login')
+          REPO=$(gh repo view --json name -q '.name')
+          gh api "repos/${OWNER}/${REPO}/code-scanning/alerts" \
+            --jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]' \
+            > /tmp/codescan-alert.json
+          echo "Selected alert:"
+          cat /tmp/codescan-alert.json | head -50
     - agent:
         prompt: |
-          Query the GitHub code scanning alerts for this repository using the GitHub CLI:
-
-            gh api repos/{owner}/{repo}/code-scanning/alerts \
-              --jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]'
+          Read the file /tmp/codescan-alert.json which contains the highest-severity
+          open code scanning alert for this repository.
 
-          From the highest-severity open alert, extract:
+          From the alert, extract:
           1. Alert number and HTML URL
           2. Rule ID and description
           3. Severity level

.ona/fix-dependabot-alert.yaml

@@ -14,16 +14,21 @@ action:
     - task:
         command: |
           set -e
-          if ! command -v gh &>/dev/null; then
-            echo "Installing GitHub CLI..."
-            (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
-            sudo mkdir -p -m 755 /etc/apt/keyrings
-            out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
-            sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
-            echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
-            sudo apt update && sudo apt install gh -y
+          if command -v gh &>/dev/null; then
+            echo "gh already installed: $(gh --version | head -1)"
+            exit 0
           fi
+          echo "Installing GitHub CLI..."
+          (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
+          sudo mkdir -p -m 755 /etc/apt/keyrings
+          out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+          sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+          sudo apt update && sudo apt install gh -y
           echo "gh version: $(gh --version | head -1)"
+    - task:
+        command: |
+          set -e
           TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
           protocol=https
           host=github.com
@@ -32,14 +37,22 @@ action:
           )
           echo "$TOKEN" | gh auth login --with-token
           gh auth status
+    - task:
+        command: |
+          set -e
+          OWNER=$(gh repo view --json owner -q '.owner.login')
+          REPO=$(gh repo view --json name -q '.name')
+          gh api "repos/${OWNER}/${REPO}/dependabot/alerts" \
+            --jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]' \
+            > /tmp/dependabot-alert.json
+          echo "Selected alert:"
+          cat /tmp/dependabot-alert.json | head -50
     - agent:
         prompt: |
-          Query the GitHub Dependabot alerts for this repository using the GitHub CLI:
-
-            gh api repos/{owner}/{repo}/dependabot/alerts \
-              --jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]'
+          Read the file /tmp/dependabot-alert.json which contains the highest-severity
+          open Dependabot alert for this repository.
 
-          From the highest-severity open alert, extract:
+          From the alert, extract:
           1. Alert number
           2. Package name and ecosystem
           3. Vulnerable version range