fix: examples.md PRs go to component repos, not ambient-code/workflows

vmrh21 · claude · vmrh21 · commit f8efd9449e85 · 2026-04-16T19:23:33.000-04:00
The mapping update PR goes to ambient-code/workflows (correct).
The .cve-fix/examples.md files go as separate PRs to each component
repo (e.g. stolostron/multicluster-observability-operator), not to
the workflows repo.

Two separate PRs created per /onboard run:
1. ambient-code/workflows ← mapping update only
2. Each component repo ← .cve-fix/examples.md only

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/workflows/cve-fixer/.claude/commands/onboard.md b/workflows/cve-fixer/.claude/commands/onboard.md
@@ -316,26 +316,16 @@ to `ambient-code/workflows` containing both the mapping update and the guidance
    python3 -m json.tool "$MAPPING_FILE" > /dev/null && echo "✅ JSON valid"
    git add "$MAPPING_FILE"
 
-   # Add .cve-fix/examples.md for each repo
-   for i in "${!REPO_URLS[@]}"; do
-     REPO_FULL=$(echo "${REPO_URLS[$i]}" | sed 's|https://github.com/||')
-     EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | tr '/' '-')"
-     mkdir -p "$EXAMPLES_DIR"
-     echo "${GENERATED_EXAMPLES[$i]}" > "${EXAMPLES_DIR}/examples.md"
-     git add "${EXAMPLES_DIR}/examples.md"
-   done
-
    git commit -m "feat: onboard ${COMPONENT_NAME} to CVE fixer workflow
 
-   - Add ${COMPONENT_NAME} to component-repository-mappings.json
-   - Generate .cve-fix/examples.md guidance for each repo
+   Add ${COMPONENT_NAME} to component-repository-mappings.json
 
    Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>"
 
    git push "$REMOTE" "$BRANCH_NAME"
    ```
 
-8. **Create Pull Request**
+8. **Create PR to `ambient-code/workflows`** (mapping update only)
 
    ```bash
    gh pr create \
@@ -360,12 +350,72 @@ to `ambient-code/workflows` containing both the mapping update and the guidance
    - [ ] Verify Jira component name matches exactly
    - [ ] Verify repo URLs and active branch names
    - [ ] Add container image names if missing
-   - [ ] Review generated examples.md files
 
    🤖 Generated by /onboard"
    ```
 
-9. **Cleanup**
+9. **Open separate PRs to each component repo** with `.cve-fix/examples.md`
+
+   The guidance files go to the COMPONENT repos themselves, not to `ambient-code/workflows`.
+   For each repo in the component:
+
+   ```bash
+   for i in "${!REPO_URLS[@]}"; do
+     REPO_FULL=$(echo "${REPO_URLS[$i]}" | sed 's|https://github.com/||')
+     REPO_DIR="/tmp/onboard-${REPO_FULL//\//-}"
+
+     # Check write access / fork if needed
+     PUSH_ACCESS=$(gh api repos/${REPO_FULL} --jq '.permissions.push' 2>/dev/null)
+     FORK_USER=$(gh api user --jq '.login' 2>/dev/null)
+
+     if [ "$PUSH_ACCESS" != "true" ]; then
+       gh repo fork "$REPO_FULL" --clone=false 2>/dev/null || true
+       gh repo sync "${FORK_USER}/$(echo $REPO_FULL | cut -d/ -f2)" --source "$REPO_FULL" --branch main
+       git clone "https://github.com/${FORK_USER}/$(echo $REPO_FULL | cut -d/ -f2).git" "$REPO_DIR"
+       REPO_REMOTE="origin"
+       PR_HEAD="${FORK_USER}:add-cve-fix-guidance"
+     else
+       git clone "https://github.com/${REPO_FULL}.git" "$REPO_DIR"
+       REPO_REMOTE="origin"
+       PR_HEAD="add-cve-fix-guidance"
+     fi
+
+     cd "$REPO_DIR"
+     git checkout -b add-cve-fix-guidance
+     mkdir -p .cve-fix
+     echo "${GENERATED_EXAMPLES[$i]}" > .cve-fix/examples.md
+     git add .cve-fix/examples.md
+     git commit -m "chore: add CVE fixer guidance file
+
+Generated by /onboard — teaches the CVE fixer workflow how to create
+fix PRs matching this repo's conventions.
+
+Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>"
+     git push "$REPO_REMOTE" add-cve-fix-guidance
+
+     gh pr create \
+       --repo "$REPO_FULL" \
+       --base main \
+       --head "$PR_HEAD" \
+       --title "chore: add .cve-fix/examples.md guidance for CVE fixer workflow" \
+       --body "Adds \`.cve-fix/examples.md\` so the CVE fixer workflow knows how to
+create fix PRs matching this repo's conventions (branch naming, files that
+change together, co-upgrades, etc.).
+
+Generated by \`/onboard\` based on analysis of ${CVE_COUNT} merged CVE PRs.
+
+🤖 Generated by /onboard"
+
+     cd /tmp
+     rm -rf "$REPO_DIR"
+   done
+   ```
+
+   **This is separate from the workflows PR** — each component repo gets its own PR
+   with just the `.cve-fix/examples.md` file. The reviewer merges it into their repo,
+   and the CVE fixer will use it automatically on the next run.
+
+10. **Cleanup**
 
    ```bash
    rm -rf /tmp/workflows-onboard
@@ -383,4 +433,7 @@ to `ambient-code/workflows` containing both the mapping update and the guidance
 - Branch info is auto-discovered from GitHub — review and correct if needed
 - Container image names can be added later by editing the mapping or re-running `/onboard`
 - Generated `.cve-fix/examples.md` improves over time — run `/guidance.update` after more CVE PRs are merged
-- Fork of `ambient-code/workflows` is created automatically if you lack write access
+- **Two separate PRs are created**:
+  1. PR to `ambient-code/workflows` — adds the component to the mapping file
+  2. Separate PRs to each component repo — adds `.cve-fix/examples.md` guidance files
+- Fork of the target repo is created automatically if you lack write access to it
