update workflow

Author: nicohrubec

.github/workflows/fix-security-vulnerability.yml

@@ -22,6 +22,7 @@ jobs:
       contents: write
       pull-requests: write
       security-events: read
+      issues: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -34,6 +35,16 @@ jobs:
             /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
 
             IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
-            Create a branch, apply the fix, and open a PR with your analysis
-            in the PR description. Target the develop branch.
+
+            If you can fix the vulnerability:
+              Create a branch, apply the fix, and open a PR with your analysis
+              in the PR description. Target the develop branch.
+
+            If you determine the alert should NOT be fixed (version-specific test package,
+            false positive, no upstream fix available, dev-only acceptable risk, etc.):
+              Do NOT dismiss the alert. Instead, open a GitHub issue with:
+              - Title: "Security: Dismiss Dependabot alert #<number> - <package-name>"
+              - Label: "Security"
+              - Body: Include the full vulnerability details, your analysis,
+                the recommended dismissal reason, and why the alert cannot/should not be fixed.
           claude_args: '--max-turns 20'