refactor: group CodeQL alerts by rule into single Linear issues

Multiple CodeQL alerts with the same rule ID (e.g., js/path-injection
in different files) are now grouped into one finding with all locations
and details included in the description.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: msukkari

.github/workflows/trivy-vulnerability-triage.yml

@@ -341,7 +341,7 @@ jobs:
             fi
 
             EXTRACTED=$(echo "$BODY" | jq '[.[] | {
-              id: ("codeql:" + (.rule.id // "") + "#" + ((.number // 0) | tostring)),
+              id: ("codeql:" + (.rule.id // "")),
               number: .number,
               rule_id: (.rule.id // ""),
               rule_description: (.rule.description // ""),
@@ -402,7 +402,7 @@ jobs:
 
             1. **Trivy scan results** in `trivy-alerts.json` — each entry has `id` (CVE ID, e.g., `CVE-2024-1234`)
             2. **Dependabot alerts** in `dependabot-alerts.json` — each entry has `id` (CVE ID or GHSA ID)
-            3. **CodeQL alerts** in `codeql-alerts.json` — each entry has `id` (prefixed, e.g., `codeql:js/sql-injection#33`)
+            3. **CodeQL alerts** in `codeql-alerts.json` — each entry has `id` (prefixed, e.g., `codeql:js/sql-injection`). Multiple entries may share the same `id` (same rule, different locations).
 
             ## Your Task
 
@@ -419,19 +419,20 @@ jobs:
                - Include the affected package, severity, remediation steps, and whether it is direct or transitive.
 
             4. For **CodeQL findings**:
-               - Each CodeQL alert is a **separate finding** — do NOT group alerts by rule ID. Two alerts with the
-                 same rule but different files/locations must be separate entries.
-               - Use the `id` field as `cveId` (e.g., `codeql:js/path-injection#18`).
+               - **Group all alerts with the same `id` (rule ID) into a single entry.** Multiple alerts for
+                 the same rule in different files/locations should produce ONE finding, not separate ones.
+               - Use the `id` field as `cveId` (e.g., `codeql:js/path-injection`).
                - Set `source` to `"codeql"`.
-               - Set `affectedPackage` to the file path from `location_path`.
+               - Set `affectedPackage` to a comma-separated list of affected file paths, or the primary one
+                 if there are many.
                - Normalize `security_severity_level` to uppercase (CRITICAL/HIGH/MEDIUM/LOW).
-               - The `description` should include:
+               - The `description` MUST include details for **every alert instance** in the group:
                  - The rule ID and what it detects
-                 - The exact file path and line number(s) from the alert
-                 - A link to the alert URL (`html_url`)
-                 - An explanation of the specific code at that location and why it's flagged
+                 - For **each** alert: the exact file path, line number(s), and a link to its alert URL (`html_url`)
+                 - For **each** alert: an explanation of the specific code at that location and why it's flagged
                  - Concrete remediation steps with code examples where possible
                  - A link to the CodeQL rule documentation
+                 - A summary count (e.g., "This rule was triggered in 3 locations:")
 
             5. For each finding, determine:
                - A short `title` suitable for a Linear issue title.