startr3k/devin-automation-action
GitHub: startr3k/devin-automation-action
# Devin Automated Security Remediation Engine Blueprint
## 📄 Section 1: Repository README.md
# Devin Automated Security Remediation Engine
A self-contained, Docker-based custom GitHub Action that orchestrates autonomous security patching using the Devin v3 API as an architectural primitive. The engine is optimized for fast, low-overhead vulnerability resolution: it implements a **Micro-Testing Isolation Boundary**, so a fix is validated with a small scratchpad test instead of a full environment build-and-test loop, and critical security bugs can be resolved in minutes.
## System Architecture
```text
[Target Codebase: Issue Labeled]
              │
              ▼
[GitHub Actions Runner VM] ──> [Builds & Runs Action Container]
              │
              ▼
[Telemetry Summary Screen] <─── [Dispatches Surgical Prompt to Devin API]
```
Instead of running an external, always-on listening daemon or webhook server, this architecture packages the orchestration logic entirely inside an ephemeral container that runs on GitHub Actions' elastic compute runners.
## Repository Architecture Blueprint
To ensure complete separation of concerns, the framework is divided into two decoupled layers:
1. **The Automation Engine (This Repository):** Contains the isolated execution environment, API orchestration scripts, and container definitions.
2. **The Target Codebase (`startr3k/superset`):** Contains only the `.yml` workflow tracking configuration, serving as the live environment where issues are discovered and autonomously patched via incoming Pull Requests.
```text
├── action.yml         # GitHub Action metadata and input bindings
├── Dockerfile         # Containerized runtime configuration
├── requirements.txt   # Production dependencies (requests)
├── main.py            # Event processing and Devin orchestration script
└── README.md          # Deployment documentation
```
## Setup & Deployment Instructions
### 1. Provision Credentials
To keep infrastructure credentials out of the repository, all authorization is handled through GitHub's encrypted secrets subsystem.
1. Navigate to your forked repository (`startr3k/superset`) on GitHub.
2. Go to **Settings** -> **Secrets and variables** -> **Actions** -> **New repository secret**.
3. Create the following secrets:
* `DEVIN_API_KEY`: Your Cognition organization service user API key.
* `DEVIN_ORG_ID`: Your target Devin organization profile string.
### 2. Configure the Workflow Hook
Inside your `startr3k/superset` repository, create the file `.github/workflows/devin-remediate.yml` with the following workflow, which calls this engine:
```yaml
name: Devin Automated Remediation
on:
  issues:
    types: [labeled]
jobs:
  remediate:
    if: github.event.label.name == 'devin-remediate'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Target Codebase
        uses: actions/checkout@v4
      - name: Dispatch Surgical Patch Task
        uses: startr3k/devin-automation-action@main
        with:
          devin_api_key: ${{ secrets.DEVIN_API_KEY }}
          devin_org_id: ${{ secrets.DEVIN_ORG_ID }}
```
## How to Simulate and Audit the Workflow
### Step 1: Open an Engineering Ticket
Navigate to the **Issues** tab of your `startr3k/superset` fork, click **New Issue** -> **Open a blank issue**, and create the target patch request:
* **Title:** "[SECURITY] Implement strict regex-based safe-URL redirect validation helper"
* **Body:**
"We need an isolated utility helper inside `superset/utils/core.py` named `is_safe_redirect_url(url: str, allowed_hosts: set) -> bool` to mitigate Open Redirect risks.
Do NOT spin up the global Docker Compose setup or run full integration tests. Validate your logic locally by generating a scratchpad script (`verify_url.py`) using assertions for edge-case URL bypass patterns, execute it via the Python CLI, clean up the scratchpad, and submit a PR."
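As an added illustration of what this ticket asks for (example code written for this README, not Devin's output and not Superset's own `superset/utils/core.py`), the helper below validates a redirect target against an allow-list and ships with a `verify_url`-style self-check. It parses with `urllib.parse` instead of a regex so that userinfo, scheme and protocol-relative tricks are handled by the parser; `ALLOWED_HOSTS` and all test URLs are constructed sample values.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # constructed sample allow-list


def is_safe_redirect_url(url: str, allowed_hosts: set) -> bool:
    """Accept only a same-site absolute path or an http(s) URL whose host
    is allow-listed. Anything ambiguous is rejected (fail closed)."""
    if not isinstance(url, str) or not url:
        return False
    # Browsers strip leading whitespace/control characters before parsing,
    # so " //evil.example" would become protocol-relative; reject them all.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" means "//evil.example".
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: allow "/path" but not "//host" or "///host",
        # which urlsplit leaves in .path while browsers read them as a host.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() not in {"http", "https"}:
        return False
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if not host:
        return False
    return host in {h.lower() for h in allowed_hosts}


def verify_url() -> bool:
    """Scratchpad-style self-check over constructed bypass patterns."""
    accepted = ["/dashboard/list/", "https://app.example.com/superset/welcome/",
                "HTTPS://APP.EXAMPLE.COM/"]
    rejected = ["//evil.example/", "///evil.example", "/\\evil.example",
                " //evil.example", "https://app.example.com@evil.example/",
                "https://app.example.com.evil.example/", "javascript:alert(1)",
                "https:///evil.example", ""]
    return (all(is_safe_redirect_url(u, ALLOWED_HOSTS) for u in accepted)
            and not any(is_safe_redirect_url(u, ALLOWED_HOSTS) for u in rejected))


if __name__ == "__main__":
    print("all checks passed" if verify_url() else "FAILED")
```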
### Step 2: Label the Ticket
Apply a label named exactly `devin-remediate` to the newly created issue. The resulting `labeled` event triggers the GitHub Actions workflow immediately.
### Step 3: Audit Live Telemetry & Playbooks
1. Move to the **Actions** tab of the repository and select the active run.
2. Once the container dispatches the payload, view the native **Workflow Run Summary** screen.
3. Review the generated report and click the tracking link to monitor Devin's reasoning loop, tracebacks, and patch staging in the active Devin developer console.