From 7f1c63fb222f05c9aeef66ccb8e555fe99a34972 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 14 Apr 2026 15:59:29 +0000
Subject: [PATCH 1/2] ci: add automated security patch workflow

---
 .github/workflows/security-update.yml | 49 +++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/security-update.yml

diff --git a/.github/workflows/security-update.yml b/.github/workflows/security-update.yml
new file mode 100644
index 0000000..25b11fa
--- /dev/null
+++ b/.github/workflows/security-update.yml
@@ -0,0 +1,49 @@
+# Per-repo caller workflow.
+# Copy this file into each repo that should receive automated security fixes.
+# The reusable workflow lives in getditto/.github.
+# See TINES_AUTOMATION.md for the full design.
+
+name: Security Update
+
+on:
+  workflow_dispatch:
+    inputs:
+      ecosystem:
+        description: 'Package ecosystem (npm, cargo, docker, go, python)'
+        required: true
+        type: choice
+        options:
+          - npm
+          - cargo
+          - docker
+          - go
+          - python
+      alerts:
+        description: 'JSON array of {package, version, cve, manifest}'
+        required: true
+        type: string
+      linear_tickets:
+        description: 'Comma-separated Linear ticket IDs'
+        required: false
+        type: string
+      batch_id:
+        description: 'Unique batch identifier'
+        required: true
+        type: string
+      reviewers:
+        description: 'Comma-separated GitHub teams/users to request review from'
+        required: false
+        type: string
+        default: 'security-team,copilot'
+
+jobs:
+  fix:
+    uses: getditto/.github/.github/workflows/security-update-claude.yml@main
+    with:
+      ecosystem: ${{ inputs.ecosystem }}
+      alerts: ${{ inputs.alerts }}
+      linear_tickets: ${{ inputs.linear_tickets }}
+      batch_id: ${{ inputs.batch_id }}
+      reviewers: ${{ inputs.reviewers }}
+    secrets:
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

From b686094af6281b2064648ab23af9b0060eb84fda Mon Sep 17 00:00:00 2001
From: Bulzan Sergiu <bulzan.sergiu@gmail.com>
Date: Wed, 22 Apr 2026 17:57:05 +0300
Subject: [PATCH 2/2] Apply suggestion from @busec0

---
 .github/workflows/security-update.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-update.yml b/.github/workflows/security-update.yml
index 25b11fa..d06159c 100644
--- a/.github/workflows/security-update.yml
+++ b/.github/workflows/security-update.yml
@@ -38,7 +38,7 @@ on:
 
 jobs:
   fix:
-    uses: getditto/.github/.github/workflows/security-update-claude.yml@main
+    uses: getditto/ditto/.github/workflows/security-update-claude.yml@main
     with:
       ecosystem: ${{ inputs.ecosystem }}
       alerts: ${{ inputs.alerts }}