
chore: add .cve-fix/examples.md guidance for CVE fixer workflow#2780

Open
theakshaypant wants to merge 1 commit into tektoncd:main from theakshaypant:add-cve-fix-guidance

Conversation

@theakshaypant

Member

Adds .cve-fix/examples.md so the CVE fixer workflow knows how to
create fix PRs matching this repo's conventions.

Patterns extracted from analysis of 16 merged CVE/security PRs:

  • Branch naming: security-<description>-<release-branch-hyphenated> for code fixes; deps/<package> for dep bumps
  • Co-upgrades: go-jose/v3 and go-jose/v4 must always be bumped together
  • Files: security fixes touch pkg/adapter/incoming.go, pkg/provider/github/app/token.go, pkg/resolve/remote.go
  • GOTOOLCHAIN: pin to the exact version in the branch's go.mod (e.g. GOTOOLCHAIN=go1.24.2)
  • PR template: uses the repo's standard sections (📝 Description, 🔗 Linked Issue, 🧪 Testing Strategy)

Generated by /onboard — run /guidance.update after more CVE fixes merge to improve coverage.

🤖 Generated by /onboard
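Two of the conventions listed above (pinning GOTOOLCHAIN to the exact version in the branch's go.mod, and bumping go-jose/v3 and go-jose/v4 together) are mechanical enough to check in a script. The following is an added example, not code from this PR or from the tektoncd project: it derives the GOTOOLCHAIN value from a go.mod and rejects a dependency bump that moves only one of the two go-jose modules. The go.mod contents, the module path example.invalid/cve-fix-demo and the go-jose version numbers are constructed for illustration, and the script assumes the go-jose modules are listed one per line inside a require ( ... ) block.

```shell
#!/bin/sh
# Added example, not code from the tektoncd PR. Automates two conventions
# from the PR description: pin GOTOOLCHAIN to the exact Go version in the
# branch's go.mod, and refuse a go-jose bump that touches only one of
# go-jose/v3 and go-jose/v4. The go.mod files below are constructed
# samples; the module versions are illustrative, not real fix versions.

tmp=$(mktemp -d)

cat > "$tmp/go.mod.old" <<'EOF'
module example.invalid/cve-fix-demo

go 1.24.2

require (
  github.com/go-jose/go-jose/v3 v3.0.3
  github.com/go-jose/go-jose/v4 v4.0.4
)
EOF

# A correct co-upgrade: both go-jose modules move.
sed -e 's/v3.0.3/v3.0.4/' -e 's/v4.0.4/v4.0.5/' "$tmp/go.mod.old" > "$tmp/go.mod.good"
# An incomplete bump: only v4 moves.
sed -e 's/v4.0.4/v4.0.5/' "$tmp/go.mod.old" > "$tmp/go.mod.bad"

# GOTOOLCHAIN value for a go.mod: the `toolchain` directive if present,
# otherwise "go" + the version from the `go` directive (e.g. go1.24.2).
toolchain_from_gomod() { # $1 = go.mod
  awk '$1 == "toolchain" { print $2; found = 1; exit }
       $1 == "go"        { ver = $2 }
       END { if (!found && ver != "") print "go" ver }' "$1"
}

# Version required for one module path inside a require (...) block;
# prints nothing if the module is absent.
module_version() { # $1 = go.mod, $2 = module path
  awk -v mod="$2" '$1 == mod { print $2; exit }' "$1"
}

# Succeeds when go-jose/v3 and go-jose/v4 changed together (or neither
# changed) between an old and a new go.mod; fails when only one moved.
check_jose_coupgrade() { # $1 = old go.mod, $2 = new go.mod
  v3_old=$(module_version "$1" github.com/go-jose/go-jose/v3)
  v3_new=$(module_version "$2" github.com/go-jose/go-jose/v3)
  v4_old=$(module_version "$1" github.com/go-jose/go-jose/v4)
  v4_new=$(module_version "$2" github.com/go-jose/go-jose/v4)
  v3_changed=0; v4_changed=0
  if [ "$v3_old" != "$v3_new" ]; then v3_changed=1; fi
  if [ "$v4_old" != "$v4_new" ]; then v4_changed=1; fi
  if [ "$v3_changed" -ne "$v4_changed" ]; then
    echo "co-upgrade violated: go-jose/v3 $v3_old->$v3_new, go-jose/v4 $v4_old->$v4_new" >&2
    return 1
  fi
  return 0
}

# Usage: pin the toolchain for every go command run against this branch,
# then gate the dependency bump on the co-upgrade rule.
GOTOOLCHAIN=$(toolchain_from_gomod "$tmp/go.mod.good")
export GOTOOLCHAIN
echo "GOTOOLCHAIN=$GOTOOLCHAIN"   # GOTOOLCHAIN=go1.24.2
if check_jose_coupgrade "$tmp/go.mod.old" "$tmp/go.mod.good"; then echo "good: accepted"; fi
if ! check_jose_coupgrade "$tmp/go.mod.old" "$tmp/go.mod.bad"; then echo "bad: rejected"; fi
```

Exporting GOTOOLCHAIN before running `go get` or `go mod tidy` keeps Go from silently switching to a newer toolchain and rewriting the `go` directive, which is the drift the pinning rule is meant to prevent; the co-upgrade check is the kind of gate that belongs in the fixer workflow before it opens a deps/<package> PR.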

@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 12, 2026


CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: theakshaypant / name: Akshay Pant (ebc8fe5)

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request adds a new documentation file .cve-fix/examples.md that outlines guidelines, naming conventions, templates, and best practices for handling CVE fixes and backports. No review comments were provided, and there is no additional feedback on these changes.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@theakshaypant theakshaypant force-pushed the add-cve-fix-guidance branch from c611ca5 to b735fa1 Compare June 12, 2026 06:26
@zakisk zakisk force-pushed the add-cve-fix-guidance branch 2 times, most recently from 0c8fba1 to 6e7b6d9 Compare June 17, 2026 05:32
@theakshaypant theakshaypant force-pushed the add-cve-fix-guidance branch from 6e7b6d9 to ebc8fe5 Compare June 17, 2026 05:39
Generated by /onboard — teaches the CVE fixer workflow how to create
fix PRs matching this repo's conventions (branch naming, files that
change together, co-upgrades, GOTOOLCHAIN pinning, etc.).
Based on analysis of 16 merged CVE/security PRs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Akshay Pant <akpant@redhat.com>
@theakshaypant theakshaypant force-pushed the add-cve-fix-guidance branch from ebc8fe5 to 7b99ccb Compare June 17, 2026 05:43
@theakshaypant

Member Author

@jkhelil is this a hard requirement for auto-CVE fixes?
