Pilot solution. by miroslavpojer · Pull Request #1 · AbsaOSS/organizational-workflows

miroslavpojer · 2026-02-10T09:42:48Z

Release Notes:

Added Microsoft Teams notifications for newly created or reopened security child issues (via Incoming Webhook / Adaptive Card).
Added send_to_teams.py CLI helper to post Markdown messages to Teams (supports stdin/file, dry-run, title/subtitle).
Improved promote_alerts.py issue sync logic with category persistence via secmeta and cleaner Teams message formatting.
Hardened GitHub CLI state changes with multi-strategy fallback (supports older gh versions without --state).
Fixed timezone-safe date handling by replacing deprecated datetime.utcnow() usage.
Removed unused/dead code paths and simplified data structures (including removing the unused title field from NotifiedIssue).
Added check_labels.py to validate required repository labels exist before running automation.
Enhanced run-all.sh to include label checks, add flags for Teams webhook forwarding, and provide a skip-label-check option.
Introduced reusable GitHub Actions workflows for security automation (shared workflows under workflows).
Added example caller workflows under worklows for easy adoption by application repositories.
Added documentation improvements in the security README, including a table of contents and expanded shared-workflow adoption guidance.

Closes https://github.com/absa-group/cps-qa/issues/121

HuvarVer

Seen the changes

…-run output

…bose logging

…promotion

… alerts

…ring in promote_alerts.py

…ues based on child issue creation

… to label orphan child issues for closure

…dates

…ation

…ptions

…ng labels on issue close

…ions

Zejnilovic

I did a 1st pass on the workflows. Checking logic and flow.

.github/workflows/aquasec-night-scan.yml

.github/workflows/remove-adept-to-close-on-issue-close.yml

github/security/worklows/aquasec-night-scan.yml

.github/workflows/aquasec-scan.yml

…e README

tmikula-dev · 2026-02-16T09:25:36Z

.github/workflows/aquasec-scan.yml

+      - name: Set up Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: '3.11'


We like to use python 3.14, if we can.

tmikula-dev · 2026-02-16T09:26:54Z

.github/workflows/aquasec-scan.yml

+          GH_TOKEN: ${{ github.token }}
+          TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+        run: |
+          org-workflows/github/security/run-all.sh


I don't think that run-all.sh is a good naming for script. As a reader, I can not know, what means all. I would rename the script.

Addressed in 4523867.

tmikula-dev · 2026-02-16T09:27:52Z

.github/workflows/remove-adept-to-close-on-issue-close.yml

+# Called from application repositories via workflow_call.
+# The caller must trigger on `issues: [closed]` and forward the event context.
+
+name: Remove sec:adept-to-close on close


We use capital first letters in the workflow naming. I would also add a label in the name for better understanding.

Addressed in 4523867.
decision: we will use only lower case labels.

tmikula-dev · 2026-02-16T09:32:21Z

github/security/worklows/aquasec-night-scan.yml

+
+jobs:
+  scan:
+    uses: AbsaOSS/organizational-workflows/.github/workflows/aquasec-scan.yml@master


I would add here a TODO comment, so we do not forget a spot, where we have to change the @master later.

Addressed in e57356e.

tmikula-dev

I had a time to look at first three workflow files, please react to my comments.

…safety checks

…scans

…h to sync_security_alerts.sh/

…ty_alerts.sh

github/security/check_labels.py

Zejnilovic

2nd pass. I expect to do 1 more max.

.gitignore

github/security/sync_security_alerts.sh

… in sync_security_alerts.sh

…ferences

…lerts.sh for consistency

github/security/collect_alert.sh

…istency

…NER and REPO_NAME variables

Inital data population. Development wil follow

802228e

miroslavpojer self-assigned this Feb 10, 2026

Improved repo README. Introduced draft regime for promoting alerts.

630087b

HuvarVer reviewed Feb 10, 2026

View reviewed changes

miroslavpojer added 9 commits February 10, 2026 15:08

security: make promote_alerts alert-hash-only + update labels and dry…

2456e4d

…-run output

Clean up of code after introduced changes.

a06dadf

Developer parents support.

0e8582f

feat: enhance issue synchronization with parent-child linking and ver…

61b6ba5

…bose logging

feat: add run-all.sh script to streamline alert collection and issue …

5807c2c

…promotion

feat: add epic label to parent issue creation for better categorization

3240e56

feat: enhance issue body templates and metadata handling for security…

80ee7a0

… alerts

feat: add parent issue lifecycle event handling and alert state filte…

4f6a71c

…ring in promote_alerts.py

feat: enhance issue body templates and add logic to reopen parent iss…

e33701f

…ues based on child issue creation

miroslavpojer changed the title ~~Inital data population. Development wil follow~~ Initial data population. Development will follow Feb 12, 2026

miroslavpojer added 7 commits February 12, 2026 09:12

feat: remove obsolete security event processing scripts and add logic…

c89da2b

… to label orphan child issues for closure

feat: add license headers to security scripts and workflows

b76046d

feat: mark security metric scripts as deprecated with guidance for up…

6daf2b7

…dates

feat: enhance issue synchronization and add Teams notification integr…

4665122

…ation

feat: add label verification script and enhance run-all.sh with new o…

e4a8d20

…ptions

feat: update README with new sections and enhance workflow for removi…

607e731

…ng labels on issue close

feat: add Aquasec Night Scan workflow and update README with new sect…

c5a4768

…ions

miroslavpojer changed the title ~~Initial data population. Development will follow~~ Pilot solution. Feb 12, 2026

miroslavpojer marked this pull request as ready for review February 12, 2026 15:16

miroslavpojer requested review from Zejnilovic and tmikula-dev February 13, 2026 08:31

Zejnilovic reviewed Feb 13, 2026

View reviewed changes

feat: replace Aquasec Night Scan workflow with Aquasec Scan and updat…

3c1f47e

…e README

tmikula-dev reviewed Feb 16, 2026

View reviewed changes

miroslavpojer added 4 commits February 16, 2026 10:54

feat: enhance issue label removal workflow with improved logging and …

8286253

…safety checks

feat: update workflow dependencies and concurrency group for Aquasec …

87145b8

…scans

feat: update label casing in workflows and scripts, renamed run-all.s…

4523867

…h to sync_security_alerts.sh/

feat: add TODO comment to pin specific SHA for Aquasec scan workflow

e57356e

miroslavpojer requested review from HuvarVer, Zejnilovic and tmikula-dev February 16, 2026 10:31

feat: update script reference in Aquasec scan workflow to sync_securi…

168c6f7

…ty_alerts.sh

Zejnilovic reviewed Feb 17, 2026

View reviewed changes

github/security/check_labels.py Outdated Show resolved Hide resolved

Zejnilovic reviewed Feb 17, 2026

View reviewed changes

.gitignore Outdated Show resolved Hide resolved

github/security/sync_security_alerts.sh Outdated Show resolved Hide resolved

github/security/sync_security_alerts.sh Outdated Show resolved Hide resolved

github/security/sync_security_alerts.sh Outdated Show resolved Hide resolved

miroslavpojer added 4 commits February 17, 2026 12:35

feat: rename check_labels.py to check_labels.sh and update references…

7f411e7

… in sync_security_alerts.sh

feat: remove redundant exit statement from sync_security_alerts.sh

9401187

feat: unify repo argument format in sync scripts and update README re…

0060474

…ferences

feat: rename security-alerts-to-issues job and update sync_security_a…

372ba56

…lerts.sh for consistency

Zejnilovic reviewed Feb 18, 2026

View reviewed changes

github/security/collect_alert.sh Outdated Show resolved Hide resolved

miroslavpojer added 2 commits February 18, 2026 09:19

feat: update SKIP_LABEL_CHECK and FORCE variable assignments for cons…

d7f83d0

…istency

feat: simplify repository handling in collect_alert.sh by removing OW…

f6614b2

…NER and REPO_NAME variables

tmikula-dev approved these changes Feb 18, 2026

View reviewed changes

miroslavpojer merged commit b5b6caf into master Feb 18, 2026

miroslavpojer deleted the feature/add-logic-or-alter-to-issue-sync branch February 18, 2026 12:20

Conversation

miroslavpojer commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

HuvarVer left a comment

Choose a reason for hiding this comment

Uh oh!

Zejnilovic left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tmikula-dev Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

tmikula-dev Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

miroslavpojer Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

tmikula-dev Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

miroslavpojer Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

tmikula-dev Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

miroslavpojer Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

tmikula-dev left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Zejnilovic left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

miroslavpojer commented Feb 10, 2026 •

edited

Loading