Add Ona automations for Dependabot and code scanning alerts

- fix-dependabot-alert: picks highest-severity Dependabot alert, upgrades
  the dependency, runs tests, opens a PR
- fix-codescan-alert: picks highest-severity code scanning alert (CodeQL,
  Trivy, OSV-Scanner), applies fix, runs tests, opens a PR

Co-authored-by: Ona <no-reply@ona.com>

Author: meysholdt

.ona/fix-codescan-alert.yaml

@@ -0,0 +1,88 @@
+name: fix-codescan-alert
+description: >-
+  Picks the highest-severity open code scanning alert, applies a fix,
+  verifies tests pass, and opens a pull request.
+triggers:
+  - context:
+      projects: {}
+    manual: {}
+action:
+  limits:
+    maxParallel: 1
+    maxTotal: 10
+  steps:
+    - agent:
+        prompt: |
+          Query the GitHub code scanning alerts for this repository using the GitHub CLI:
+
+            gh api repos/{owner}/{repo}/code-scanning/alerts \
+              --jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]'
+
+          From the highest-severity open alert, extract:
+          1. Alert number and HTML URL
+          2. Rule ID and description
+          3. Severity level
+          4. File path and line number (from `most_recent_instance.location`)
+          5. The tool that reported it (CodeQL, Trivy, OSV-Scanner, etc.)
+          6. The alert message
+
+          Read the affected source file and surrounding context to understand the issue.
+
+          If the alert is about a vulnerable dependency (from Trivy or OSV-Scanner),
+          identify the dependency, its current version, and the fixed version from the
+          alert details.
+
+          Do NOT make any code changes yet.
+
+    - agent:
+        prompt: |
+          Using the alert identified in the previous step, apply the fix:
+
+          **For code quality / CodeQL alerts:**
+          1. Apply the minimal code change that resolves the alert.
+          2. Follow the project's code style and conventions.
+          3. If the alert suggests a specific fix pattern, follow it.
+
+          **For dependency vulnerability alerts (Trivy / OSV-Scanner):**
+          1. Upgrade the vulnerable dependency to a patched version.
+          2. If the version is inherited from a parent BOM, add an explicit
+             version override in `pom.xml` properties or `<dependencyManagement>`.
+
+          Do NOT commit or run tests yet.
+
+    - agent:
+        prompt: |
+          Verify the fix from the previous step:
+
+          1. Run `./mvnw compile test` to compile and run all tests.
+          2. If compilation or tests fail:
+             a. Read the error output carefully.
+             b. Identify whether the failure is caused by the fix or a pre-existing issue.
+             c. If caused by the fix, adjust the code and retry.
+             d. Rerun `./mvnw compile test`.
+             e. Repeat until all tests pass.
+          3. Once tests pass, confirm the fix is complete.
+
+    - pullRequest:
+        branch: codescan-fix/
+        title: 'CodeScan-Fix: '
+        description: |
+          ## Code Scanning Alert
+
+          | Field | Value |
+          |-------|-------|
+          | **Alert** | [View alert](<alert-html-url>) |
+          | **Rule** | `<rule-id>` |
+          | **Severity** | <severity> |
+          | **Tool** | <tool-name> |
+          | **File** | `<file-path>:<line-number>` |
+          | **Message** | <alert-message> |
+
+          ## What changed
+
+          <one-or-two-sentence explanation of the fix and why it resolves the alert>
+
+          ## Verification
+
+          - [x] `./mvnw compile test` passes
+          - [x] Fix is minimal and preserves existing behavior

.ona/fix-dependabot-alert.yaml

@@ -0,0 +1,87 @@
+name: fix-dependabot-alert
+description: >-
+  Picks the highest-severity open Dependabot alert, upgrades the
+  vulnerable dependency, verifies tests pass, and opens a pull request.
+triggers:
+  - context:
+      projects: {}
+    manual: {}
+action:
+  limits:
+    maxParallel: 1
+    maxTotal: 10
+  steps:
+    - agent:
+        prompt: |
+          Query the GitHub Dependabot alerts for this repository using the GitHub CLI:
+
+            gh api repos/{owner}/{repo}/dependabot/alerts \
+              --jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]'
+
+          From the highest-severity open alert, extract:
+          1. Alert number
+          2. Package name and ecosystem
+          3. Vulnerable version range
+          4. Patched version (from `security_advisory.vulnerabilities[].first_patched_version`)
+          5. CVE ID and CVSS score
+          6. Advisory summary
+          7. The manifest file path (e.g. `pom.xml`)
+
+          Read the manifest file to understand how the dependency is declared.
+          Determine whether the version is pinned directly or inherited from a parent BOM.
+
+          Do NOT make any code changes yet.
+
+    - agent:
+        prompt: |
+          Using the alert identified in the previous step:
+
+          1. Upgrade the vulnerable dependency to the patched version (or newer).
+             - If the version is declared in `pom.xml` properties or directly, update it there.
+             - If it is inherited from a parent BOM (e.g. Spring Boot parent), check whether
+               upgrading the parent resolves the vulnerability. If not, add an explicit
+               version override in the `<properties>` or `<dependencyManagement>` section.
+          2. Follow the project's existing conventions for dependency management.
+
+          Do NOT commit or run tests yet.
+
+    - agent:
+        prompt: |
+          Verify the fix from the previous step:
+
+          1. Run `./mvnw compile test` to compile and run all tests.
+          2. If compilation or tests fail:
+             a. Read the error output carefully.
+             b. Identify whether the failure is caused by the upgrade or a pre-existing issue.
+             c. If caused by the upgrade, check for breaking API changes and adapt the code.
+             d. Rerun `./mvnw compile test`.
+             e. Repeat until all tests pass.
+          3. Run `./mvnw dependency:tree -Dincludes=<groupId>:<artifactId>` to confirm
+             the vulnerable version is no longer in the dependency tree.
+          4. Once tests pass and the old version is gone, confirm the fix is complete.
+
+    - pullRequest:
+        branch: dependabot-fix/
+        title: 'Dependabot-Fix: '
+        description: |
+          ## Dependabot Alert
+
+          | Field | Value |
+          |-------|-------|
+          | **Alert** | [View alert](https://github.com/ona-samples/github-security/security/dependabot/<alert-number>) |
+          | **CVE** | `<cve-id>` |
+          | **CVSS** | <cvss-score> |
+          | **Package** | `<package-name>` |
+          | **Vulnerable** | `<vulnerable-version>` |
+          | **Fixed** | `<patched-version>` |
+          | **Advisory** | <advisory-summary> |
+
+          ## What changed
+
+          <one-or-two-sentence explanation of the dependency upgrade and why it resolves the vulnerability>
+
+          ## Verification
+
+          - [x] `./mvnw compile test` passes
+          - [x] `./mvnw dependency:tree` confirms vulnerable version is removed
+          - [x] Upgrade is minimal and preserves existing behavior