From 6fa544dcb8795c16319b186d8b608304cf365abc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 12:59:45 +0000
Subject: [PATCH 1/2] Update alerts-first dependency default

Agent-Logs-Url: https://github.com/githubnext/dependabot-campaign/sessions/26fa878e-43eb-4690-970e-ab49a10a9a74

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
 .github/workflows/dependabot-campaign.md | 6 +++---
 README.md                                | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/dependabot-campaign.md b/.github/workflows/dependabot-campaign.md
index d0aa36a..44244fa 100644
--- a/.github/workflows/dependabot-campaign.md
+++ b/.github/workflows/dependabot-campaign.md
@@ -4,9 +4,9 @@ on:
   workflow_call:
     inputs:
       dependency-source:
-        description: Which dependency signals to process. Use auto to prefer PRs when present and fall back to security alerts.
+        description: Which dependency signals to process. Use alerts for the new default, or choose auto to prefer PRs when they are present.
         required: false
-        default: auto
+        default: alerts
         type: string
       mode:
         description: Operating mode for the caller repository or control plane.
@@ -107,7 +107,7 @@ Do not create custom databases or external trackers.
 
 Continuously reduce dependency risk and keep dependency remediation moving safely. Default to the lightweight path, and use campaign-style coordination only when project tracking or escalated routing adds value.
 
-Use `dependency-source`, `mode`, `project-sync`, and `summary-issue` as runtime toggles. Treat this workflow file as the source of truth for both policy and enrolled repositories.
+Use `dependency-source`, `mode`, `project-sync`, and `summary-issue` as runtime toggles. Default to `alerts` unless the caller explicitly wants PR-first handling. Treat this workflow file as the source of truth for both policy and enrolled repositories.
 
 ## Scope
 
diff --git a/README.md b/README.md
index 284d9e7..a349aba 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ The campaign workflow supports three signal modes through the `dependency-source
 - `prs`: operate only on Dependabot PRs
 - `alerts`: operate only on dependency security alerts, even if no PRs are raised
 
-Use `auto` as the default when you want one workflow that still works if a repository later moves away from opening Dependabot PRs.
+Use `alerts` as the default when you want security alerts to drive dependency operations without depending on Dependabot PRs. Choose `auto` only when you explicitly want PR-first behavior with an alerts fallback.
 
 ## Add To Another Repo
 

From 568d8491fc689a9220321cc6bbab81e39f687522 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 13:00:49 +0000
Subject: [PATCH 2/2] Compile alerts-first campaign workflow

Agent-Logs-Url: https://github.com/githubnext/dependabot-campaign/sessions/26fa878e-43eb-4690-970e-ab49a10a9a74

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
---
 .../workflows/dependabot-campaign.lock.yml    | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/dependabot-campaign.lock.yml b/.github/workflows/dependabot-campaign.lock.yml
index b886a3a..a88a7a8 100644
--- a/.github/workflows/dependabot-campaign.lock.yml
+++ b/.github/workflows/dependabot-campaign.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"50b4dc86166f6aa269b37555ad829674c34a6a6457d743f67543310c5b086c23","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"648a9da0181d3bd8b16eb1ec137e023b9b90c86703218afa4a14e1ddbcce2618","compiler_version":"v0.71.1","strict":true,"agent_id":"copilot"}
 # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"239aec45b78c8799417efdd5bc6d8cc036629ec1","version":"v0.71.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28","digest":"sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.28@sha256:a8834e285807654bf680154faa710d43fe4365a0868142f5c20e48c85e137a7a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28","digest":"sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.28@sha256:93290f2393752252911bd7c39a047f776c0b53063575e7bde4e304962a9a61cb"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28","digest":"sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.28@sha256:844c18280f82cd1b06345eb2f4e91966b34185bfc51c9f237c3e022e848fb474"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.0"},{"image":"ghcr.io/github/github-mcp-server:v1.0.2"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
@@ -69,8 +69,8 @@ name: "Dependabot Operations + Project Board"
   workflow_call:
     inputs:
       dependency-source:
-        default: auto
-        description: Which dependency signals to process. Use auto to prefer PRs when present and fall back to security alerts.
+        default: alerts
+        description: Which dependency signals to process. Use alerts for the new default, or choose auto to prefer PRs when they are present.
         required: false
         type: string
       mode:
@@ -297,14 +297,14 @@ jobs:
         run: |
           bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
           {
-          cat << 'GH_AW_PROMPT_e84cace7937a15ce_EOF'
+          cat << 'GH_AW_PROMPT_878259d20e312503_EOF'
           <system>
-          GH_AW_PROMPT_e84cace7937a15ce_EOF
+          GH_AW_PROMPT_878259d20e312503_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_e84cace7937a15ce_EOF'
+          cat << 'GH_AW_PROMPT_878259d20e312503_EOF'
           <safe-output-tools>
           Tools: add_comment(max:50), create_issue(max:2), update_issue(max:100), missing_tool, missing_data, noop
           </safe-output-tools>
@@ -336,12 +336,12 @@ jobs:
           {{/if}}
           </github-context>
           
-          GH_AW_PROMPT_e84cace7937a15ce_EOF
+          GH_AW_PROMPT_878259d20e312503_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_e84cace7937a15ce_EOF'
+          cat << 'GH_AW_PROMPT_878259d20e312503_EOF'
           </system>
           {{#runtime-import .github/workflows/dependabot-campaign.md}}
-          GH_AW_PROMPT_e84cace7937a15ce_EOF
+          GH_AW_PROMPT_878259d20e312503_EOF
           } > "$GH_AW_PROMPT"
       - name: Interpolate variables and render templates
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
@@ -524,9 +524,9 @@ jobs:
           mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
           mkdir -p /tmp/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_d62a6baa24c13647_EOF'
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_14c4e0cfe1d8fb7c_EOF'
           {"add_comment":{"max":50},"create_issue":{"max":2},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"update_issue":{"allow_body":true,"max":100}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_d62a6baa24c13647_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_14c4e0cfe1d8fb7c_EOF
       - name: Write Safe Outputs Tools
         env:
           GH_AW_TOOLS_META_JSON: |
@@ -803,7 +803,7 @@ jobs:
           
           mkdir -p /home/runner/.copilot
           GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_5c29c9a0aadf9575_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_3203c9cbf28d5676_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
           {
             "mcpServers": {
               "github": {
@@ -844,7 +844,7 @@ jobs:
               "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
             }
           }
-          GH_AW_MCP_CONFIG_5c29c9a0aadf9575_EOF
+          GH_AW_MCP_CONFIG_3203c9cbf28d5676_EOF
       - name: Clean git credentials
         continue-on-error: true
         run: bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials.sh"