Auto Copilot Autofix (High & Medium Only) #3
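name: Auto Copilot Autofix (High & Medium Only)

# After the "CodeQL Advanced" workflow completes, ask Copilot Autofix for a fix
# for each open high/medium-severity alert and commit each fix to its own
# autofix/<severity>/alert-<n> branch for human review. Nothing is merged here.
#
# workflow_run fires for CodeQL runs on every branch, including fork PRs, but
# this job never checks out or executes that code: it only talks to the REST
# API with AUTOFIX_TOKEN. The alert query below passes no `ref`, so it appears
# to operate on the default branch's alert set regardless of which run fired.
#
# AUTOFIX_TOKEN (a PAT or app token) is used instead of GITHUB_TOKEN, presumably
# so the pushed autofix branches trigger CI, which pushes made with the
# automatic token do not. Scope it to this repository only.
on:
  workflow_run:
    workflows: ["CodeQL Advanced"]
    types: [completed]

jobs:
  auto-fix:
    runs-on: ubuntu-latest
    # Skip failed/cancelled CodeQL runs: their alert state is not trustworthy,
    # and without this guard autofix branches were pushed after them too.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    # Every API call uses AUTOFIX_TOKEN (exported as GH_TOKEN, which gh prefers
    # over GITHUB_TOKEN), so this block governs nothing the job actually does.
    # The previous contents: write / pull-requests: write grants on the automatic
    # token were unused; keep it at zero scope. AUTOFIX_TOKEN itself needs to
    # read and write code scanning alerts and write contents for the autofix
    # endpoints — confirm against the current REST docs when rotating it.
    permissions: {}
    steps:
      - name: Trigger Autofix for High & Medium alerts
        env:
          GH_TOKEN: ${{ secrets.AUTOFIX_TOKEN }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
        shell: bash
        run: |
          set -euo pipefail
          # Fail loudly if the secret is missing instead of letting every gh call
          # die with an authentication error deep inside the loop.
          : "${GH_TOKEN:?AUTOFIX_TOKEN secret is not set}"

          # The API's `severity` filter accepts critical/high/medium/low (the
          # security-severity scale) and error/warning/note (the plain alert
          # level). The previous list queried error+warning, which selects on the
          # non-security scale and so also pulled in low-severity and non-security
          # alerts despite the workflow's "High & Medium Only" name. Query the
          # security scale instead; critical is included because it sits above
          # the high threshold.
          for severity in critical high medium; do
            echo "====== Processing severity: $severity ======"
            # --paginate removes the 100-alert ceiling of a single page; --jq is
            # applied per page, so emit one alert number per line rather than one
            # JSON array per page.
            alert_list=$(gh api --paginate \
              "/repos/$OWNER/$REPO/code-scanning/alerts?severity=$severity&state=open&per_page=100" \
              --jq '.[].number')
            if [[ -z "$alert_list" ]]; then
              echo "Found 0 alerts with severity: $severity"
              continue
            fi
            mapfile -t alert_numbers <<<"$alert_list"
            echo "Found ${#alert_numbers[@]} alerts with severity: $severity"

            for number in "${alert_numbers[@]}"; do
              echo "--- Alert #$number ($severity) ---"
              # GET returns an error (404) when no autofix has been generated yet;
              # treat that as "none". stderr is deliberately discarded here.
              status=$(gh api "/repos/$OWNER/$REPO/code-scanning/alerts/$number/autofix" \
                --jq '.status' 2>/dev/null || echo "none")

              if [[ "$status" == "success" ]]; then
                echo "✅ Fix already exists, committing directly..."
              else
                echo "⏳ Generating fix..."
                if ! gh api -X POST "/repos/$OWNER/$REPO/code-scanning/alerts/$number/autofix"; then
                  echo "⚠️ Failed to trigger autofix for #$number, skipping"
                  continue
                fi
                # Generation is asynchronous: poll a few times, then give up on
                # this alert (it is retried on the next run).
                for attempt in 1 2 3; do
                  sleep 30
                  status=$(gh api "/repos/$OWNER/$REPO/code-scanning/alerts/$number/autofix" \
                    --jq '.status' 2>/dev/null || echo "none")
                  echo "  Attempt $attempt: status = $status"
                  if [[ "$status" == "success" ]]; then
                    break
                  fi
                done
              fi

              if [[ "$status" == "success" ]]; then
                branch="autofix/${severity}/alert-${number}"
                # NOTE(review): the REST docs for this endpoint describe target_ref
                # as a Git reference to a branch that must already exist; if these
                # calls fail with 404/422, create the branch first — confirm before
                # relying on it.
                if gh api -X POST \
                  "/repos/$OWNER/$REPO/code-scanning/alerts/$number/autofix/commits" \
                  -f target_ref="$branch"; then
                  echo "✅ Committed fix to branch: $branch"
                else
                  echo "❌ Failed to commit fix for alert #$number"
                fi
              else
                echo "⚠️ Autofix not available for alert #$number (status: $status), skipping"
              fi
            done
          done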