feat: generate .cve-fix/examples.md guidance for Observability repos

workflows/cve-fixer/.cve-fix/stolostron-grafana/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 0 -->
+
+<!-- Insufficient PR history for full pattern extraction.
+     Update with /guidance.update after more CVE fixes are merged. -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (common across stolostron org)
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (conventional commit style, also used in org)
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (common across stolostron org)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-kube-rbac-proxy/examples.md

@@ -0,0 +1,36 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 10 -->
+
+## Titles
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (5/30 merged PRs)
+  - e.g. `fix(cve): CVE-2026-33186 - google.golang.org/grpc`
+  - e.g. `fix(cve): CVE-2026-33186 - google.golang.org/grpc`
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (5/30 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (gRPC-Go) - release-2.13`
+  - e.g. `Security: Fix CVE-2026-33186 (gRPC-Go) - release-2.14`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (10/30 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-backplane-2.10-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-backplane-2.9-attempt-1`
+- `dependabot/<ecosystem>/<pkg>-<version>` (2/30 merged PRs)
+  - e.g. `dependabot/go_modules/golang.org/x/net-0.38.0`
+  - e.g. `dependabot/go_modules/golang.org/x/oauth2-0.27.0`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-kube-state-metrics/examples.md

@@ -0,0 +1,33 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/15 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/15 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+- `dependabot/<ecosystem>/<pkg>-<version>` (2/15 merged PRs)
+  - e.g. `dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2`
+  - e.g. `dependabot/go_modules/golang.org/x/crypto-0.35.0`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-memcached-exporter/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 0 -->
+
+<!-- Insufficient PR history for full pattern extraction.
+     Update with /guidance.update after more CVE fixes are merged. -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (common across stolostron org)
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (conventional commit style, also used in org)
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (common across stolostron org)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-multicluster-observability-addon/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/10 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/10 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-multicluster-observability-operator/examples.md

@@ -0,0 +1,32 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/12 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/12 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+- `dependabot/<ecosystem>/<pkg>-<version>` (1/12 merged PRs)
+  - e.g. `dependabot/go_modules/go.opentelemetry.io/otel/sdk-1.40.0`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-node-exporter/examples.md

@@ -0,0 +1,28 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 0 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (common across stolostron org)
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (conventional commit style, also used in org)
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (common across stolostron org)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-observatorium-operator/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 0 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (common across stolostron org)
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (conventional commit style, also used in org)
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (common across stolostron org)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+- `vendor/` directory is vendored — run `go mod vendor` after dependency changes
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- This repo vendors dependencies — run `go mod vendor` after `go mod tidy`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-observatorium/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/19 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/19 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-prometheus-alertmanager/examples.md

@@ -0,0 +1,32 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 5 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/26 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+- `Other CVE title format` (1/26 merged PRs)
+  - e.g. `[release-2.10] fix: CVE-2023-45288 ensure golang/x/net is 0.23+`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/26 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-prometheus-operator/examples.md

@@ -0,0 +1,30 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `fix(cve): CVE-YYYY-XXXXX - <package>` (4/22 merged PRs)
+  - e.g. `fix(cve): CVE-2026-33186 - google.golang.org/grpc [release-2.17]`
+  - e.g. `fix(cve): CVE-2026-33186 - google.golang.org/grpc [release-2.16]`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/22 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-release-2.17-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-release-2.16-attempt-1`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI

workflows/cve-fixer/.cve-fix/stolostron-prometheus/examples.md

@@ -0,0 +1,33 @@
+<!-- last-analyzed: 2026-04-16 | cve-merged: 4 -->
+
+## Titles
+- `Security: Fix CVE-YYYY-XXXXX (<package>)` (4/27 merged PRs)
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+  - e.g. `Security: Fix CVE-2026-33186 (grpc-go)`
+
+## Branches
+- `fix/cve-<id>-<pkg>-<branch>-attempt-N` (4/27 merged PRs)
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.14-attempt-1`
+  - e.g. `fix/cve-2026-33186-grpc-go-release-2.15-attempt-1`
+- `dependabot/<ecosystem>/<pkg>-<version>` (3/27 merged PRs)
+  - e.g. `dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2`
+  - e.g. `dependabot/go_modules/golang.org/x/crypto-0.35.0`
+
+## Files
+- `go.mod` + `go.sum` always change together for Go dependency updates
+- `Dockerfile` / `Containerfile.operator` may also be updated (Go version bumps)
+
+## Co-upgrades
+- When bumping a Go dependency, always run `go mod tidy` to update `go.sum`
+- Go version bumps (`go.mod` directive) often require updating `Dockerfile` / `Containerfile.operator`
+
+## PR Description
+- Include CVE ID, severity, and affected package in description
+- Reference the target branch (e.g. `release-2.16`) when targeting non-default branches
+- Include test results section
+- For multi-branch fixes, create separate PRs per branch (not a single PR)
+
+## Don'ts
+- ❌ Do not combine multiple CVE fixes in a single PR
+- ❌ Do not target the wrong release branch (verify `--base` matches intended branch)
+- ❌ Do not skip `go mod tidy` — incomplete `go.sum` updates will fail CI