Simplify command steps for demo readability

meysholdt · ona-agent · meysholdt · commit beb5e9ba95f2 · 2026-03-08T18:59:49.000Z
- Install: 3 lines, no version detection logic
- Login: single pipeline, no temp variables
- API call: use gh's {owner}/{repo} placeholders

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.ona/fix-codescan-alert.yaml b/.ona/fix-codescan-alert.yaml
@@ -11,40 +11,23 @@ action:
     maxParallel: 1
     maxTotal: 10
   steps:
+    # Step 1: Install gh CLI if not present
     - task:
         command: |
-          set -e
-          if command -v gh &>/dev/null; then
-            echo "gh already installed: $(gh --version | head -1)"
-            exit 0
-          fi
-          echo "Installing GitHub CLI..."
-          GH_VERSION=$(curl -s https://api.github.com/repos/cli/cli/releases/latest | grep -oP '"tag_name":\s*"v\K[^"]+')
-          curl -sL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" | tar xz -C /tmp
-          sudo mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" /usr/local/bin/gh
-          rm -rf "/tmp/gh_${GH_VERSION}_linux_amd64"
-          echo "gh version: $(gh --version | head -1)"
+          command -v gh && exit 0
+          curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
+          sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
+    # Step 2: Authenticate gh using the git credential helper
     - task:
         command: |
-          set -e
-          TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
-          protocol=https
-          host=github.com
-
-          EOF
-          )
-          echo "$TOKEN" | gh auth login --with-token
-          gh auth status
+          printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' | gh auth login --with-token
+    # Step 3: Fetch the highest-severity open code scanning alert
     - task:
         command: |
-          set -e
-          OWNER=$(gh repo view --json owner -q '.owner.login')
-          REPO=$(gh repo view --json name -q '.name')
-          gh api "repos/${OWNER}/${REPO}/code-scanning/alerts" \
+          gh api repos/{owner}/{repo}/code-scanning/alerts \
             --jq '[.[] | select(.state=="open")] | sort_by(.rule.security_severity_level // "low") | reverse | .[0]' \
             > /tmp/codescan-alert.json
-          echo "Selected alert:"
-          cat /tmp/codescan-alert.json | head -50
+          cat /tmp/codescan-alert.json
     - agent:
         prompt: |
           Read the file /tmp/codescan-alert.json which contains the highest-severity
diff --git a/.ona/fix-dependabot-alert.yaml b/.ona/fix-dependabot-alert.yaml
@@ -11,40 +11,23 @@ action:
     maxParallel: 1
     maxTotal: 10
   steps:
+    # Step 1: Install gh CLI if not present
     - task:
         command: |
-          set -e
-          if command -v gh &>/dev/null; then
-            echo "gh already installed: $(gh --version | head -1)"
-            exit 0
-          fi
-          echo "Installing GitHub CLI..."
-          GH_VERSION=$(curl -s https://api.github.com/repos/cli/cli/releases/latest | grep -oP '"tag_name":\s*"v\K[^"]+')
-          curl -sL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" | tar xz -C /tmp
-          sudo mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" /usr/local/bin/gh
-          rm -rf "/tmp/gh_${GH_VERSION}_linux_amd64"
-          echo "gh version: $(gh --version | head -1)"
+          command -v gh && exit 0
+          curl -sL https://github.com/cli/cli/releases/latest/download/gh_2.74.0_linux_amd64.tar.gz | tar xz -C /tmp
+          sudo mv /tmp/gh_2.74.0_linux_amd64/bin/gh /usr/local/bin/gh
+    # Step 2: Authenticate gh using the git credential helper
     - task:
         command: |
-          set -e
-          TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
-          protocol=https
-          host=github.com
-
-          EOF
-          )
-          echo "$TOKEN" | gh auth login --with-token
-          gh auth status
+          printf 'protocol=https\nhost=github.com\n\n' | git credential fill | awk -F= '/password/{print $2}' | gh auth login --with-token
+    # Step 3: Fetch the highest-severity open Dependabot alert
     - task:
         command: |
-          set -e
-          OWNER=$(gh repo view --json owner -q '.owner.login')
-          REPO=$(gh repo view --json name -q '.name')
-          gh api "repos/${OWNER}/${REPO}/dependabot/alerts" \
+          gh api repos/{owner}/{repo}/dependabot/alerts \
             --jq '[.[] | select(.state=="open")] | sort_by(.security_advisory.cvss.score) | reverse | .[0]' \
             > /tmp/dependabot-alert.json
-          echo "Selected alert:"
-          cat /tmp/dependabot-alert.json | head -50
+          cat /tmp/dependabot-alert.json
     - agent:
         prompt: |
           Read the file /tmp/dependabot-alert.json which contains the highest-severity
