Merge analyze + fix agent prompts into one step per automation

meysholdt · ona-agent · meysholdt · commit e21bc873d7b4 · 2026-03-09T13:07:10.000Z
Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.ona/fix-codescan-alert.yaml b/.ona/fix-codescan-alert.yaml
@@ -27,38 +27,16 @@ action:
           cat /tmp/codescan-alert.json
     - agent:
         prompt: |
-          Read the file /tmp/codescan-alert.json which contains the highest-severity
-          open code scanning alert for this repository.
-
-          From the alert, extract:
-          1. Alert number and HTML URL
-          2. Rule ID and description
-          3. Severity level
-          4. File path and line number (from `most_recent_instance.location`)
-          5. The tool that reported it (CodeQL, Trivy, OSV-Scanner, etc.)
-          6. The alert message
-
-          Read the affected source file and surrounding context to understand the issue.
-
-          If the alert is about a vulnerable dependency (from Trivy or OSV-Scanner),
-          identify the dependency, its current version, and the fixed version from the
-          alert details.
-
-          Do NOT make any code changes yet.
-
-    - agent:
-        prompt: |
-          Using the alert identified in the previous step, apply the fix:
-
-          **For code quality / CodeQL alerts:**
-          1. Apply the minimal code change that resolves the alert.
-          2. Follow the project's code style and conventions.
-          3. If the alert suggests a specific fix pattern, follow it.
-
-          **For dependency vulnerability alerts (Trivy / OSV-Scanner):**
-          1. Upgrade the vulnerable dependency to a patched version.
-          2. If the version is inherited from a parent BOM, add an explicit
-             version override in `pom.xml` properties or `<dependencyManagement>`.
+          Read /tmp/codescan-alert.json which contains the highest-severity open
+          code scanning alert. Extract the alert number, HTML URL, rule ID, severity,
+          file path and line number, tool name, and message.
+
+          Then apply the fix:
+          - **CodeQL alerts:** Apply the minimal code change. Follow the project's
+            code style. Use the suggested fix pattern if one is provided.
+          - **Dependency alerts (Trivy / OSV-Scanner):** Upgrade the vulnerable
+            dependency to a patched version. If inherited from a parent BOM, add
+            an explicit version override in `pom.xml`.
 
           Do NOT commit or run tests yet.
 
diff --git a/.ona/fix-dependabot-alert.yaml b/.ona/fix-dependabot-alert.yaml
@@ -27,33 +27,16 @@ action:
           cat /tmp/dependabot-alert.json
     - agent:
         prompt: |
-          Read the file /tmp/dependabot-alert.json which contains the highest-severity
-          open Dependabot alert for this repository.
+          Read /tmp/dependabot-alert.json which contains the highest-severity open
+          Dependabot alert. Extract the alert number, package name, vulnerable and
+          patched versions, CVE ID, CVSS score, and manifest file path.
 
-          From the alert, extract:
-          1. Alert number
-          2. Package name and ecosystem
-          3. Vulnerable version range
-          4. Patched version (from `security_advisory.vulnerabilities[].first_patched_version`)
-          5. CVE ID and CVSS score
-          6. Advisory summary
-          7. The manifest file path (e.g. `pom.xml`)
-
-          Read the manifest file to understand how the dependency is declared.
-          Determine whether the version is pinned directly or inherited from a parent BOM.
-
-          Do NOT make any code changes yet.
-
-    - agent:
-        prompt: |
-          Using the alert identified in the previous step:
-
-          1. Upgrade the vulnerable dependency to the patched version (or newer).
-             - If the version is declared in `pom.xml` properties or directly, update it there.
-             - If it is inherited from a parent BOM (e.g. Spring Boot parent), check whether
-               upgrading the parent resolves the vulnerability. If not, add an explicit
-               version override in the `<properties>` or `<dependencyManagement>` section.
-          2. Follow the project's existing conventions for dependency management.
+          Then apply the fix:
+          1. Read the manifest file to understand how the dependency is declared.
+          2. Upgrade the vulnerable dependency to the patched version (or newer).
+             - If the version is in `pom.xml` properties or directly, update it there.
+             - If inherited from a parent BOM, add an explicit version override.
+          3. Follow the project's existing conventions.
 
           Do NOT commit or run tests yet.
 
