Remove obsolete parts

.github/copilot-instructions.md

@@ -1,10 +1,37 @@
 Copilot instructions for Organizational Workflows
 
 Purpose
-TBD
+A collection of reusable GitHub Actions workflows with Python automation backends.
+Each workflow domain is a self-contained package under `src/`. The workflows are
+designed to be called via `workflow_call` from other repositories.
 
 Structure
-TBD
+```text
+src/
+├── core/                        # Shared foundation (GitHub API, config, helpers)
+│   ├── github/                  # GitHub CLI wrappers (issues, projects)
+│   │   ├── client.py            # run_gh / run_cmd subprocess helpers
+│   │   ├── issues.py            # Issue CRUD (create, edit, comment, labels)
+│   │   └── projects.py          # Projects V2 GraphQL (priority sync)
+│   ├── config.py                # Logging setup, RUNNER_DEBUG parsing
+│   ├── helpers.py               # Pure utilities (sha256, iso_date, normalize_path)
+│   ├── models.py                # Shared data models (Issue)
+│   ├── priority.py              # Severity-to-priority mapping
+│   └── rendering.py             # Generic Markdown template renderer
+│
+├── security/                    # Security workflow domain
+│   ├── main.py                  # Pipeline orchestrator (check → collect → promote)
+│   ├── check_labels.py          # Verify required labels exist
+│   ├── collect_alert.py         # Fetch code-scanning alerts → JSON
+│   ├── promote_alerts.py        # Create/update Issues from alerts
+│   ├── send_to_teams.py         # Send Adaptive Card to Teams webhook
+│   ├── constants.py             # Labels, event types, metadata types
+│   ├── alerts/                  # Alert domain (parsing, models)
+│   ├── issues/                  # Issue management (sync, builder, secmeta)
+│   └── notifications/           # Teams webhook notifications
+│
+tests/                           # Mirrors src/ structure
+```
 
 Python style
 - Python 3.14
@@ -19,8 +46,8 @@ Python style
 Patterns
 - Classes with `__init__` cannot throw exceptions
 - Use private methods (`_method_name`) for internal class helpers
-- All info logs must start with "Security workflow -" prefix
-- Never disable pylint behaviour in the code
+- All logs must start with "<Domain> -" prefix (e.g., "Security -")
+- Never disable pylint behavior in the code
 
 Testing
 - Mirror src structure: `src/security/module.py` -> `tests/security/test_module.py`

.github/workflows/aquasec-scan.yml

@@ -14,12 +14,9 @@
 # limitations under the License.
 #
 
-# Reusable workflow – Aquasec Scan + Security Alerts to Issues.
-#
-# Called from application repositories via workflow_call.
-# The caller triggers on schedule / workflow_dispatch and passes the required secrets.
+# SECURITY reusable workflow – AquaSec Scan + Security Alerts to Issues.
 
-name: Aquasec Scan
+name: AquaSec Scan
 
 on:
   workflow_call:
@@ -29,16 +26,17 @@ on:
         required: false
         type: boolean
         default: false
+
       severity-priority-map:
         description: >
           Comma-separated severity=priority pairs that map alert severities to
-          priority values on the GitHub Project (e.g.
-          'Critical=Blocker,High=Urgent,Medium=Normal'). Only listed severities
-          get a priority; unlisted ones are left empty. When not set, priority
+          priority values on the GitHub Project (e.g.'Critical=Blocker,High=Urgent,Medium=Normal').
+          Only listed severities get a priority. Unlisted ones are left empty. When not set, priority
           is skipped entirely.
         required: false
         type: string
         default: ''
+
       project-number:
         description: >
           GitHub Projects V2 number (org-level) where a Priority single-select
@@ -47,6 +45,7 @@ on:
         required: false
         type: number
         default: 0
+
       project-org:
         description: >
           GitHub organisation that owns the Projects V2 board. Use when the
@@ -55,6 +54,7 @@ on:
         required: false
         type: string
         default: ''
+
     secrets:
       AQUA_KEY:
         required: true
@@ -66,28 +66,20 @@ on:
         required: true
       TEAMS_WEBHOOK_URL:
         required: false
-      GH_PROJECT_ONLY_TOKEN:
-        description: >
-          Classic PAT with 'project' scope on an account that is a member of the
-          org that owns the ProjectV2 board. Required only when the project lives
-          in a different organisation than the calling repository. When omitted,
-          github.token is used (works only for same-org projects).
-        required: false
 
 permissions:
   contents: read
   actions: read
   issues: write
   security-events: write
-  repository-projects: write
 
 jobs:
   aquasec-scan:
-    name: Aquasec Scan
+    name: AquaSec Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -102,8 +94,8 @@ jobs:
           repository-id: ${{ secrets.AQUA_REPOSITORY_ID }}
           verbose-logging: ${{ inputs.verbose-logging }}
 
-      - name: Upload Scan Results to GitHub Security
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
+      - name: Upload scan results to GitHub Security and quality
+        uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7
         with:
           sarif_file: ${{ steps.aquasec.outputs.nightscan-sarif-file }}
           category: aquasec
@@ -113,16 +105,16 @@ jobs:
     needs: aquasec-scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout security scripts
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           repository: AbsaOSS/organizational-workflows
           ref: master
           path: org-workflows
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
         with:
           python-version: '3.14'
           cache: 'pip'
@@ -131,13 +123,13 @@ jobs:
       - name: Install dependencies
         run: pip install -r org-workflows/requirements.txt
 
-      - name: Run alert-to-issue sync
+      - name: Create issues from security alerts
         env:
+          PYTHONPATH: org-workflows/src
           GH_TOKEN: ${{ github.token }}
-          GH_PROJECT_ONLY_TOKEN: ${{ secrets.GH_PROJECT_ONLY_TOKEN }}
           TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
           SEVERITY_PRIORITY_MAP: ${{ inputs.severity-priority-map }}
           PROJECT_NUMBER: ${{ inputs.project-number }}
           PROJECT_ORG: ${{ inputs.project-org }}
         run: |
-          python3 org-workflows/src/security/sync_security_alerts.py
+          python3 org-workflows/src/security/main.py

README.md

@@ -36,7 +36,7 @@ docs/                       # per-solution documentation
 ## Shared workflows
 
 Application repositories adopt a solution by adding a short **caller workflow** that delegates to the reusable workflow in this repo.
-Ready-to-copy example caller workflows are located in [`docs/security/example_workflows/`](docs/security/example_workflows/).
+Ready-to-copy example caller workflows are located in [`docs/security/example_workflows/`](docs/security/example_workflow/).
 See each solution's documentation for details and required secrets.
 
 ## Next

docs/security/example_workflows/aquasec-night-scan.yml → docs/security/aquasec-night-scan-example.yml

@@ -14,12 +14,9 @@
 # limitations under the License.
 #
 
-# Example caller workflow – add this to your application repository as
-# .github/workflows/aquasec-night-scan.yml
-#
-# It delegates to the reusable workflow in the organizational-workflows repo.
+# Example caller workflow – Add this to your repository as .github/workflows/aquasec-night-scan.yml
 
-name: Aquasec Night Scan
+name: AquaSec Night Scan
 
 on:
   schedule:
@@ -35,21 +32,17 @@ permissions:
   actions: read
   issues: write
   security-events: write
-  repository-projects: write
 
 jobs:
   scan:
     uses: AbsaOSS/organizational-workflows/.github/workflows/aquasec-scan.yml@c1fa5b54ff24fea071415da89abc4f0506344f01
     with:
       severity-priority-map: 'Critical=Blocker,High=Urgent,Medium=Normal,Low=Minor'
-      project-number: 42   # Replace with your org's GitHub Project number for priority tracking
-      project-org: 'my-org'  # Replace with the org that owns the project (if different from repo org)
+      project-number: 42
+      project-org: 'my-org'
     secrets:
       AQUA_KEY: ${{ secrets.AQUA_KEY }}
       AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
       AQUA_GROUP_ID: ${{ secrets.AQUA_GROUP_ID }}
       AQUA_REPOSITORY_ID: ${{ secrets.AQUA_REPOSITORY_ID }}
       TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
-      # Required only when project-org differs from this repository's org.
-      # See docs/security/security.md – "Cross-org project token" for how to create it.
-      GH_PROJECT_ONLY_TOKEN: ${{ secrets.GH_PROJECT_ONLY_TOKEN }}