From 17e097cb8c42cc22b2bff4bb238f0f94ce7b9381 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Thu, 19 Feb 2026 14:32:56 +0100 Subject: [PATCH] Be more explicit about how to fetch --- .github/workflows/fix-security-vulnerability.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml index ac3a22dba778..450e76d03625 100644 --- a/.github/workflows/fix-security-vulnerability.yml +++ b/.github/workflows/fix-security-vulnerability.yml @@ -36,6 +36,11 @@ jobs: IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval. + IMPORTANT: To fetch the alert, use EXACTLY this command format (replacing with the alert number): + gh api repos/getsentry/sentry-javascript/dependabot/alerts/ + Do NOT use --paginate, query parameters, GraphQL, curl, or any other approach. + Your allowed tools are narrowly scoped - only the exact command patterns listed will be permitted. + If you can fix the vulnerability: Create a branch named fix/security-, apply the fix, and open a PR with your analysis in the PR description. Target the develop branch.
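Review bot: In the added "To fetch the alert" lines, the command as it reads here carries no placeholder token: the text says "replacing with the alert number" and the path stops at `dependabot/alerts/`. If an angle-bracket placeholder was intended, confirm it survives in the YAML. Consider a token that cannot be swallowed by rendering, such as ALERT_NUMBER, and name it in the sentence ("replacing ALERT_NUMBER with the alert number"). Without a number the path is the list endpoint for alerts, which is the kind of broad call the next added line tries to rule out. Separately, the "Do NOT use --paginate, query parameters, GraphQL, curl" line and the "only the exact command patterns listed will be permitted" line are instructions to the agent, not enforcement. The allowed-tools configuration is not visible in this hunk, so check that its pattern matches this single `gh api` form and nothing wider, so that the prompt and the actual permission stay in agreement.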