docs: add comprehensive team onboarding section to CVE Fixer workflow #84
jwm4 merged 7 commits into ambient-code:main from
- Add Team Onboarding section with requirements and steps
- Document component-to-repository mapping requirements
- Explain ProdSec coordination needed
- Detail GitHub and Jira access configuration
- Include onboarding checklist and contact information
- Update startupPrompt to warn first-time users about onboarding
- Update systemPrompt with onboarding verification steps

New teams must complete onboarding before using the workflow:
1. Component mapped in component-repository-mappings.json
2. ProdSec sets up Jira component for CVE tracking
3. Jira API credentials configured
4. GitHub CLI authenticated
5. Test workflow with sample CVE

Co-authored-by: Claude (Anthropic) <noreply@anthropic.com>
Walkthrough
Updated the CVE fixer workflow: added first-time onboarding prompts and a "Team Onboarding" README section, changed
Changes
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks: ✅ 3 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workflows/cve-fixer/.ambient/ambient.json`:
- Line 4: The systemPrompt's "FIRST TIME SETUP" duplicates credential and
onboarding checks that are already enforced in the /cve.find command (which
validates JIRA_API_TOKEN and JIRA_EMAIL and checks component mappings), causing
maintenance and consistency issues; remove the detailed prerequisite checklist
from the systemPrompt and replace it with a single sentence such as "Note:
Commands will guide you through required setup steps on first use." so
enforcement remains centralized in /cve.find (keep references to JIRA_API_TOKEN,
JIRA_EMAIL validation and component-repository-mappings.json in the command
logic only).
In `@workflows/cve-fixer/README.md`:
- Around line 33-52: The README example JSON uses "primary_target" at the
repository root and omits required fields, so update the example to match the
schema used by component-repository-mappings.json: replace the root-level
"primary_target" with "default_branch", and add the required
"protected_branches", "active_release_branches", and "branch_strategy" keys at
the repo root; then add a nested "cve_fix_workflow" object that contains
"primary_target", "backport_targets", "automation", and "manual_intervention";
keep "github_url", "repo_type", and "build_location" as shown but ensure the
overall structure mirrors the provided correct repository configuration format
in the review comment.
📒 Files selected for processing (2)
- workflows/cve-fixer/.ambient/ambient.json
- workflows/cve-fixer/README.md
- Simplify systemPrompt to avoid duplicating /cve.find validation logic
- Update README example JSON to match actual component-repository-mappings.json schema
- Add complete cve_fix_workflow structure with all required fields

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
jwm4 left a comment
Adding a README seems like a good idea. However, it seems I was confused about the scope here. Since for now this is a narrowly targeted workflow, I think we should at least rename it "RHOAIENG CVE Fixer" so other users know it is not for them.
workflows/cve-fixer/README.md
Outdated
| Your team's Jira components must be mapped to GitHub repositories in `component-repository-mappings.json`. | ||
|
|
||
| **What you need to provide:** | ||
| - Jira component name (as it appears in RHOAIENG project) |
Is this really intended to be limited exclusively to RHOAIENG? I thought it was intended for any Red Hat product as long as the CVEs are reported in Jira by a product security organization.
No, this was merged in by mistake.
Thank you for catching that, I am fixing it right away.
workflows/cve-fixer/README.md
Outdated
| - Configure CVE issue templates for your component | ||
| - Set up automated CVE discovery and Jira issue creation | ||
|
|
||
| **Contact:** Your ProdSec team representative to request component setup |
Can you provide more information about how someone finds their ProdSec team representative?
- Update JQL query: remove project=RHOAIENG, add labels=SecurityTracking to make workflow usable by teams outside of RHOAIENG
- Add case-insensitive component name lookup against mapping file
- Add llm-d component with inference-scheduler and routing-sidecar repos
- Add llm-d Batch Gateway and auto-scaler repos under llm-d component
- Add AI Evaluations component (eval-hub repos)
- Clean up metadata: remove stale count fields from mapping file
- Fix ambient.json startupPrompt: trim verbose FIRST TIME USER checklist
- Fix README example JSON to match actual mapping schema
- Fix README ProdSec contact to reference feature refinement process
- Remove RHOAIENG-specific references to make docs team-agnostic

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 2
♻️ Duplicate comments (1)
workflows/cve-fixer/README.md (1)
113-113: ⚠️ Potential issue | 🟠 Major
Remove hard-coded `RHOAIENG` from onboarding step 3.
Line 113 contradicts the workflow’s generalized project support and can mis-onboard teams using other Jira projects.
Proposed fix
- - Ensure your Jira component exists in RHOAIENG + - Ensure your Jira component exists in your team’s Jira projectAs per coding guidelines "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@workflows/cve-fixer/README.md` at line 113, Remove the hard-coded literal "RHOAIENG" from onboarding step 3 in the README and replace it with a generic placeholder or variable (e.g., "your Jira project" or JIRA_PROJECT) and brief instruction on how to find or set the correct project for their team; update the sentence that currently reads "Ensure your Jira component exists in RHOAIENG" so it no longer names RHOAIENG but instead references the placeholder and/or links to where users can confirm their project or component.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@workflows/cve-fixer/.claude/commands/cve.find.md`:
- Around line 103-111: The mapping lookup uses dirname "$0" to build
MAPPING_FILE which breaks when the script runs from another CWD; change it to
build MAPPING_FILE relative to the repository root instead (e.g., use git
rev-parse --show-toplevel or a provided REPO_ROOT env var) and then append the
path to component-repository-mappings.json, updating the MAPPING_FILE
assignment; ensure you keep the existing fallback behavior if the repo-root
detection fails so COMPONENT_NAME canonicalization still proceeds safely.
In `@workflows/cve-fixer/component-repository-mappings.json`:
- Around line 385-519: Multiple repositories in the "llm-d" and "AI Evaluations"
components (e.g., keys like "llm-d/llm-d-inference-scheduler",
"opendatahub-io/llm-d-inference-scheduler",
"red-hat-data-services/llm-d-inference-scheduler",
"red-hat-data-services/llm-d-routing-sidecar", "llm-d-incubation/batch-gateway",
"opendatahub-io/batch-gateway", "red-hat-data-services/batch-gateway",
"llm-d/llm-d-workload-variant-autoscaler",
"opendatahub-io/workload-variant-autoscaler",
"red-hat-data-services/workload-variant-autoscaler", "eval-hub/eval-hub",
"opendatahub-io/eval-hub", "red-hat-data-services/eval-hub") are missing the
cve_fix_workflow field required by /cve.fix; add a cve_fix_workflow object to
each repository entry with "primary_target": "main" and a "backport_targets"
array listing that repo’s active release branches (or an empty array if none) so
cve.fix can reference cve_fix_workflow.primary_target and backport targets
consistently.
---
Duplicate comments:
In `@workflows/cve-fixer/README.md`:
- Line 113: Remove the hard-coded literal "RHOAIENG" from onboarding step 3 in
the README and replace it with a generic placeholder or variable (e.g., "your
Jira project" or JIRA_PROJECT) and brief instruction on how to find or set the
correct project for their team; update the sentence that currently reads "Ensure
your Jira component exists in RHOAIENG" so it no longer names RHOAIENG but
instead references the placeholder and/or links to where users can confirm their
project or component.
📒 Files selected for processing (4)
- workflows/cve-fixer/.ambient/ambient.json
- workflows/cve-fixer/.claude/commands/cve.find.md
- workflows/cve-fixer/README.md
- workflows/cve-fixer/component-repository-mappings.json
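A check for the gap flagged in the review above (repository entries missing `cve_fix_workflow`), together with the case-insensitive component lookup named in the commit message, as an added example that is not code from this PR. The `components` → `repositories` nesting, the helper names, the backport-target rule and the sample entries are assumptions; only the key names come from the review comments.

```python
# Added example: key names come from the review comments; the nesting
# components -> name -> repositories -> repo is an assumed layout.
REPO_KEYS = ("default_branch", "protected_branches",
             "active_release_branches", "branch_strategy", "cve_fix_workflow")
WORKFLOW_KEYS = ("primary_target", "backport_targets")

def canonical_component(mappings, name):
    """Case-insensitive lookup; returns the key as spelled in the file, or None."""
    wanted = name.strip().casefold()
    return next((k for k in mappings["components"] if k.casefold() == wanted), None)

def find_problems(mappings):
    """Return sorted 'repo: problem' strings for entries /cve.fix could not use."""
    problems = []
    for component in mappings["components"].values():
        for repo, entry in component.get("repositories", {}).items():
            problems += [f"{repo}: missing {k}" for k in REPO_KEYS if k not in entry]
            workflow = entry.get("cve_fix_workflow")
            if not isinstance(workflow, dict):
                continue
            problems += [f"{repo}: missing cve_fix_workflow.{k}"
                         for k in WORKFLOW_KEYS if k not in workflow]
            # Assumed rule: backports only go to branches listed as active.
            active = entry.get("active_release_branches", [])
            problems += [f"{repo}: backport target {b} not in active_release_branches"
                         for b in workflow.get("backport_targets", []) if b not in active]
    return sorted(problems)

def _repo(**overrides):
    """Build a constructed, complete repository entry, then apply overrides."""
    entry = {"github_url": "https://github.com/example-org/example-repo",
             "default_branch": "main", "protected_branches": ["main"],
             "active_release_branches": ["release-1.0"],
             "branch_strategy": "fix on main, then backport",
             "cve_fix_workflow": {"primary_target": "main",
                                  "backport_targets": ["release-1.0"]}}
    entry.update(overrides)
    return entry

# Constructed sample data, not taken from the project's mapping file.
SAMPLE = {"components": {"Example Component": {"repositories": {
    "example-org/complete": _repo(),
    "example-org/stale-backport": _repo(
        cve_fix_workflow={"primary_target": "main", "backport_targets": ["release-0.9"]}),
    "example-org/no-workflow": {k: v for k, v in _repo().items() if k != "cve_fix_workflow"},
}}}}
```

Run against the real file with `find_problems(json.load(open(path)))` once the assumed nesting is adjusted to the actual layout; a non-empty result is a reason to block the merge in CI.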
- Fix cve.find mapping file path: replace unreliable dirname "$0" with cwd-relative path and repo-root fallback
- Add cve_fix_workflow field to all new llm-d and AI Evaluations repos
- Add full AI Evaluations component repos (trustyai-service-operator, lm-evaluation-harness, llama-stack-provider-trustyai-garak, eval-hub upstream/midstream/downstream with real branch data)
- Add container_to_repo_mapping for odh-ta-lmes-driver and odh-ta-lmes-job
- Remove hardcoded RHOAIENG reference from README onboarding step 3

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Replace RHOAIENG-specific Jira issue key examples with generic PROJ-XXXXX placeholders across cve.find.md, cve.fix.md, and README.md to make the workflow fully team-agnostic.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…mands" This reverts commit a23f47c.
Summary
Adds comprehensive team onboarding documentation to the CVE Fixer workflow to clarify setup requirements for new teams.
Changes
README.md
.ambient/ambient.json
Why This Change?
The workflow requires teams to be properly onboarded before use, but this was not documented anywhere. New teams need to:
component-repository-mappings.json
Without this documentation, teams would encounter errors and not know how to get started.
Testing
Co-authored-by: Claude (Anthropic) noreply@anthropic.com