From 7b99ccb2734f34883e2ff094d5dfadcfc321e0c2 Mon Sep 17 00:00:00 2001
From: Akshay Pant <akpant@redhat.com>
Date: Fri, 12 Jun 2026 04:42:48 +0000
Subject: [PATCH] chore: add CVE fixer guidance file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Generated by /onboard — teaches the CVE fixer workflow how to create
fix PRs matching this repo's conventions (branch naming, files that
change together, co-upgrades, GOTOOLCHAIN pinning, etc.).
Based on analysis of 16 merged CVE/security PRs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Akshay Pant <akpant@redhat.com>
---
 .cve-fix/examples.md | 72 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 .cve-fix/examples.md

diff --git a/.cve-fix/examples.md b/.cve-fix/examples.md
new file mode 100644
index 000000000..a8cda912e
--- /dev/null
+++ b/.cve-fix/examples.md
@@ -0,0 +1,72 @@
+<!-- last-analyzed: 2026-06-12 | cve-merged: 16 -->
+
+## Titles
+
+- `fix(security): backport <version> fixes to <release-branch>` (security code fixes, 3/16 PRs)
+- `[release-v0.42.2] fix(deps): update <package> to fix <GHSA-ID>` (GHSA dep bumps, 2/16 PRs)
+- `chore(deps): bump <module> from <old> to <new>` (dependabot-style dep bumps, 8/16 PRs)
+- Prefix `[DNM]` for work-in-progress backport PRs not yet ready to merge
+
+## Branches
+
+- Security code fixes: `security-<short-description>-<release-branch-hyphenated>` (e.g. `security-header-hijacking-v0-42-x`)
+- Manual dep bumps: `deps/<package>` or `update-<package>-security-fix` (e.g. `deps/go-jose`, `update-go-jose-security-fix`)
+- Backport per release branch: one branch per release stream (e.g. `deps/go-jose-v0.42`)
+
+## Files
+
+- Go dependency CVEs: `go.mod`, `go.sum` (always together)
+- GitHub App token / host-header security: `pkg/provider/github/app/token.go`, `pkg/provider/github/github.go`, `pkg/provider/github/parse_payload.go`
+- Webhook security: `pkg/adapter/incoming.go`, `pkg/adapter/sinker.go`
+- Remote task resolution: `pkg/resolve/remote.go`
+- Tests always accompany code changes: `pkg/adapter/incoming_test.go`, `pkg/provider/github/app/token_test.go`, `pkg/resolve/remote_test.go`
+
+## Co-upgrades
+
+- When bumping `go-jose/v3`, also bump `go-jose/v4` (and vice versa) — both must be at fixed versions together (12/16 dep PRs)
+- Security backports to older release branches: also update `go-jose/v3`, `go-jose/v4`, and `tektoncd/pipeline` on that branch
+
+## PR Description
+
+Use the repo's standard template sections (in order):
+
+```markdown
+## 📝 Description of the Change
+<what changed and why — include bullet points for each security hardening>
+
+### How this backport was done
+<step-by-step: which branch, API differences resolved, dependency bumps, GOTOOLCHAIN pinning>
+
+### Commits
+| Commit | Description |
+|--------|-------------|
+| `<sha>` | `<conventional commit message>` |
+
+## 👨🏻‍ Linked Jira
+<Jira ticket or N/A>
+
+## 🔗 Linked GitHub Issue
+Fixes #<issue> (or N/A)
+
+## 🧪 Testing Strategy
+- [x] Unit tests
+- [ ] Integration tests
+- [ ] End-to-end tests
+- [ ] Manual testing
+- [ ] Not Applicable
+
+Validation run locally:
+- `make test`
+- `make lint-go`
+- `go test ./pkg/adapter` (for adapter/webhook changes)
+
+## 🤖 AI Assistance
+<note if AI was used>
+```
+
+## Don'ts
+
+- ❌ Do not combine multiple release-branch backports in one PR — one PR per release branch
+- ❌ Do not skip `go.sum` when updating `go.mod` — always commit both together
+- ❌ Do not bump `go-jose/v3` without also bumping `go-jose/v4` in the same PR
+- ❌ Do not use `GOTOOLCHAIN=local` — pin `GOTOOLCHAIN` to the exact Go version in the branch's `go.mod` (e.g. `GOTOOLCHAIN=go1.24.2`)