From e64e09be01f8ae657b63009393f174e84be6833e Mon Sep 17 00:00:00 2001
From: Rafael
Date: Thu, 4 Jun 2026 11:47:52 -0400
Subject: [PATCH 1/5] probe
---
 .probe-write-test.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .probe-write-test.txt
diff --git a/.probe-write-test.txt b/.probe-write-test.txt
new file mode 100644
index 0000000..32f95c0
--- /dev/null
+++ b/.probe-write-test.txt
@@ -0,0 +1 @@
+hi
\ No newline at end of file
From 703bd5f04720ed43299e9de43b72f4fc21387395 Mon Sep 17 00:00:00 2001
From: Rafael
Date: Thu, 4 Jun 2026 11:48:02 -0400
Subject: [PATCH 2/5] remove probe
---
 .probe-write-test.txt | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .probe-write-test.txt
diff --git a/.probe-write-test.txt b/.probe-write-test.txt
deleted file mode 100644
index 32f95c0..0000000
--- a/.probe-write-test.txt
+++ /dev/null
@@ -1 +0,0 @@
-hi
\ No newline at end of file
From 70e6f2d74bc924ce0a11af638f6deb8a73703662 Mon Sep 17 00:00:00 2001
From: Rafael
Date: Thu, 4 Jun 2026 11:48:17 -0400
Subject: [PATCH 3/5] ci: use org variable for CURSOR_PREFERRED_MODEL
---
 README.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 02183fa..70c6b07 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,11 @@ projectIgnorePaths:
 Consumer repos need these secrets (set at org or repo level):
 - `CURSOR_API_KEY` — for the triage/fix agents
-- `CURSOR_PREFERRED_MODEL` — model for agent invocations
 - `ADMIN_APP_ID` + `ADMIN_APP_PRIVATE_KEY` — GitHub App for write access
 - `SOCKET_API_TOKEN` — Socket.dev API token
+
+## Required variables
+
+Consumer repos need these variables (set at org or repo level):
+
+- `CURSOR_PREFERRED_MODEL` — model for agent invocations
From c38a1cbe87554fc30c997126899e0bba6afa8d41 Mon Sep 17 00:00:00 2001
From: Rafael
Date: Thu, 4 Jun 2026 11:52:21 -0400
Subject: [PATCH 4/5] ci: use org variable for CURSOR_PREFERRED_MODEL
---
 .github/workflows/vuln-remediation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/vuln-remediation.yml b/.github/workflows/vuln-remediation.yml
index 03ce3cb..747a14c 100644
--- a/.github/workflows/vuln-remediation.yml
+++ b/.github/workflows/vuln-remediation.yml
@@ -297,7 +297,7 @@ jobs:
 if git diff --quiet; then
 export DATE="$(date -u +%Y-%m-%d)"
- curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/${{ inputs.security-workflows-ref }}/.github/workflows/vuln-remediation/fix-prompt.md | envsubst '${GITHUB_REPOSITORY} ${DATE}' | agent -p --model ${{ secrets.CURSOR_PREFERRED_MODEL }} --workspace . --trust --force --output-format=text
+ curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/${{ inputs.security-workflows-ref }}/.github/workflows/vuln-remediation/fix-prompt.md | envsubst '${GITHUB_REPOSITORY} ${DATE}' | agent -p --model ${{ vars.CURSOR_PREFERRED_MODEL }} --workspace . --trust --force --output-format=text
 fi
 - name: Validate remediation diff
From 1c9e52519d5e3569e9589bfb5d9967810fc52a6e Mon Sep 17 00:00:00 2001
From: Rafael
Date: Thu, 4 Jun 2026 11:52:42 -0400
Subject: [PATCH 5/5] ci: use org variable for CURSOR_PREFERRED_MODEL
---
 .github/workflows/semgrep.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index bfc085d..2f517e7 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
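Review bot: In vuln-remediation.yml the new `agent -p --model ${{ vars.CURSOR_PREFERRED_MODEL }}` line splices the variable into the script text unquoted, before the shell parses it. A configuration variable that is not defined evaluates to an empty string, so in a consumer repo that has not yet created it `--model` would most likely take `--workspace` as its value, and any whitespace or shell metacharacter in the value is interpreted by the shell in a step that runs the agent with `--trust --force`. I would pass it through the step's `env:` as `CURSOR_PREFERRED_MODEL: ${{ vars.CURSOR_PREFERRED_MODEL }}`, add `: "${CURSOR_PREFERRED_MODEL:?CURSOR_PREFERRED_MODEL is not set}"` before the pipeline, and call `--model "$CURSOR_PREFERRED_MODEL"`. The step begins above the hunk, so an existing `env:` block is not visible here; the semgrep.yml hunk in PATCH 5/5 has the same pattern.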
@@ -103,4 +103,4 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 export CODEBASE_DESCRIPTION="${{ inputs.codebase-description }}"
- curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/main/.github/workflows/semgrep-triage-prompt.md | envsubst '${GITHUB_REPOSITORY} ${CODEBASE_DESCRIPTION}' | agent -p --model ${{ secrets.CURSOR_PREFERRED_MODEL }} --force --output-format=text
+ curl -fsSL https://raw.githubusercontent.com/kernel/security-workflows/main/.github/workflows/semgrep-triage-prompt.md | envsubst '${GITHUB_REPOSITORY} ${CODEBASE_DESCRIPTION}' | agent -p --model ${{ vars.CURSOR_PREFERRED_MODEL }} --force --output-format=text
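Review bot: The triage prompt on the new `curl` line is still fetched from the mutable `main` branch and piped straight into `agent … --force`, so the instructions the agent receives can change without any change to this workflow or to the ref a caller pinned. vuln-remediation.yml builds the equivalent URL from `${{ inputs.security-workflows-ref }}`; if semgrep.yml declares that input (its `on:` block is outside the hunk), I would use it here as `…/kernel/security-workflows/${{ inputs.security-workflows-ref }}/.github/workflows/semgrep-triage-prompt.md`, or otherwise pin a commit SHA. That keeps the prompt and the workflow at the same reviewed revision.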