Handle already-fixed and no-alert cases in automation prompts

Agent outputs NO_ALERT or ALREADY_FIXED and stops early,
skipping verify and PR steps.

Co-authored-by: Ona <no-reply@ona.com>

Author: meysholdt

.ona/fix-codescan-alert.yaml

@@ -31,7 +31,14 @@ action:
           code scanning alert. Extract the alert number, HTML URL, rule ID, severity,
           file path and line number, tool name, and message.
 
-          Then apply the fix:
+          If the file is empty, null, or contains no alert, output
+          "NO_ALERT: No open code scanning alerts found." and stop.
+
+          Read the affected source file. If the issue described in the alert is
+          already fixed in the current code, output
+          "ALREADY_FIXED: <rule-id> in <file>:<line> is already resolved." and stop.
+
+          Otherwise, apply the fix:
           - **CodeQL alerts:** Apply the minimal code change. Follow the project's
             code style. Use the suggested fix pattern if one is provided.
           - **Dependency alerts (Trivy / OSV-Scanner):** Upgrade the vulnerable

.ona/fix-dependabot-alert.yaml

@@ -31,7 +31,13 @@ action:
           Dependabot alert. Extract the alert number, package name, vulnerable and
           patched versions, CVE ID, CVSS score, and manifest file path.
 
-          Then apply the fix:
+          If the file is empty, null, or contains no alert, output
+          "NO_ALERT: No open Dependabot alerts found." and stop.
+
+          Check whether the dependency is already at or above the patched version.
+          If so, output "ALREADY_FIXED: <package> is already at <version>." and stop.
+
+          Otherwise, apply the fix:
           1. Read the manifest file to understand how the dependency is declared.
           2. Upgrade the vulnerable dependency to the patched version (or newer).
              - If the version is in `pom.xml` properties or directly, update it there.