feat: Draft migrate to issue-based flow

Author: chriswblake

.github/steps/-step.txt

@@ -1,42 +1,38 @@
-<!--
-  <<< Author notes: Step 1 >>>
-  Choose 3-5 steps for your course.
-  The first step is always the hardest, so pick something easy!
-  Link to docs.github.com for further explanations.
-  Encourage users to open new tabs for steps!
-  TBD-step-1-notes.
--->
-
 ## Step 1: Enable CodeQL
 
-👋 Hello! Welcome to the GitHub Skills course: Enable code scanning! 
+In this first step, we'll be learning more about CodeQL and how to use it to secure your source code.
+
+### What is GitHub code scanning?
 
-Let's get started!  
+[Code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) is a capability that allows development teams to integrate security testing tools into the software development process. This is done using GitHub Actions. With code scanning, you can integrate many different types of tools including SAST, container, and infrastructure as code security tools.
 
-In this first step, we'll be learning more about CodeQL and how to use it to secure your source code. 
+### What is CodeQL?
 
-**What is GitHub code scanning**: _[Code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning)_ is a capability that allows development teams to integrate security testing tools into the software development process. This is done using GitHub Actions. With code scanning, you can integrate many different types of tools including SAST, container, and infrastructure as code security tools.
+[CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql) is a static analysis testing tool that helps you identify security weaknesses such as SQL injection, cross-site scripting, and code injection issues.
 
-**What is CodeQL**: _[CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql)_ is a static analysis testing tool that helps you identify security weaknesses such as SQL injection, cross-site scripting, and code injection issues.
+### ⌨️ Activity: Enable code scanning with CodeQL
 
-### :keyboard: Activity: Enable code scanning with CodeQL
-  
 First, we will enable code scanning with CodeQL in our repository.
 
 1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab.
-2. Navigate to the **Settings** tab at the top of your newly created repository.
-3. Under the **Security** section on the left side, select **Code security and analysis**.
-4. Scroll down to the section titled **Code scanning**. For the purpose of this course, we will focus on CodeQL analysis.
-5. Click on the **Set up** dropdown menu and choose **Default**.
-![enable-code-scanning-default.png](/images/enable-code-scanning-default.png)
-
-Let's take a look at the configuration options in the modal:
-  
-  - **Languages to analyze:** These are the languages that will be scanned by CodeQL. In this case, we will be scanning in `Python`.  
-  - **Query suites:** CodeQL [queries](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries) are packaged in bundles called "suites". This section allows you to choose which query suite to use.  We'll leave this set as **Default** for this exercise. For more information, see "[About CodeQL queries](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)." 
-  - **Events:** This section tells CodeQL when to scan. In this case, it's set to scan on any pull request to the `main` branch.
-    
-![codeql-default-configuration-box.png](/images/codeql-default-configuration-box.png)
-
-6. Click **Enable CodeQL**
-7. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
+
+1. Navigate to the **Settings** tab at the top of your newly created repository.
+
+1. Under the **Security** section on the left side, select **Code security and analysis**.
+
+1. Scroll down to the section titled **Code scanning**. For the purpose of this exercise, we will focus on CodeQL analysis.
+
+1. Click on the **Set up** dropdown menu and choose **Default**.
+   ![enable-code-scanning-default.png](/images/enable-code-scanning-default.png)
+
+   Let's take a look at the configuration options in the modal:
+
+   - **Languages to analyze:** These are the languages that will be scanned by CodeQL. In this case, we will be scanning in `Python`.
+   - **Query suites:** CodeQL [queries](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries) are packaged in bundles called "suites". This section allows you to choose which query suite to use. We'll leave this set as **Default** for this exercise. For more information, see "[About CodeQL queries](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql#about-codeql-queries)."
+   - **Events:** This section tells CodeQL when to scan. In this case, it's set to scan on any pull request to the `main` branch.
+
+   ![codeql-default-configuration-box.png](/images/codeql-default-configuration-box.png)
+
+1. Click **Enable CodeQL**
+
+1. With CodeQL now enabled, Mona will check your progress and share the next steps.

.github/steps/0-welcome.md

@@ -1,56 +1,53 @@
-<!--
-  <<< Author notes: Step 2 >>>
-  Start this step by acknowledging the previous step.
-  Define terms and link to docs.github.com.
-  TBD-step-2-notes.
--->
-
 ## Step 2: Review and Triage CodeQL Alerts
 
-_Way to go! You got CodeQL running! :tada:_
+Now we will review the CodeQL scan results, triage an alert, and create a GitHub issue to track an alert.
+
+### What is GitHub Actions
+
+GitHub Actions is the automation and CI/CD platform within GitHub. We use GitHub Actions to orchestrate and execute security scans with code scanning. GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. For more information on GitHub Actions, see "[Understanding GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions)."
 
-In this exercise, we'll review the CodeQL scan results, triage an alert, and create a GitHub issue to track an alert.
+### What is CWE
 
-**What is GitHub Actions**: GitHub Actions is the automation and CI/CD platform within GitHub. We use GitHub Actions to orchestrate and execute security scans with code scanning. GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. For more information on GitHub Actions, see "[Understanding GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions)."
+Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. Think of it as a way to describe and categorize security issues in an application's source code. For more information on CWEs, see the Wikipedia article "[Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration)."
 
-**What is CWE**: Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. Think of it as a way to describe and categorize security issues in an application's source code. For more information on CWEs, see the Wikipedia article "[Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration)."
+### ⌨️ Activity: View the status of a CodeQL scan
 
-### :keyboard: Activity 1: View the status of a CodeQL scan
+In this activity, we'll explore GitHub Actions to view the status of a CodeQL scan.
 
-In this activity, we'll explore GitHub Actions to view the status of a CodeQL scan.  
 1. In your new repository, go to your Actions page by selecting **Actions** from the top navigation bar. If the CodeQL Action run is still executing, you will see a yellow spinner indicating the scan is still in progress. This typically takes about 4 minutes to complete.
-2. Select the run by clicking on **CodeQL Setup**.
 
-![codeql-setup](/images/codeql-setup.png)
+1. Select the run by clicking on **CodeQL Setup**.
+
+   ![codeql-setup](/images/codeql-setup.png)
+
+   Notice that more information is available inside the Actions run. Feel free to explore this section to view information such as the CodeQL logs, duration, status, and artifacts generated by CodeQL.
 
-Notice that more information is available inside the Actions run. Feel free to explore this section to view information such as the CodeQL logs, duration, status, and artifacts generated by CodeQL.
+   Once the scan is complete, a green check will show next to the execution.
 
-Once the scan is complete, a green check will show next to the execution.  
-  
-### :keyboard: Activity 2: View all CodeQL Alerts
+### ⌨️ Activity: View all CodeQL Alerts
 
-In this activity, we will view the CodeQL findings in the Security page of your repository. The Security page is where all security related information is displayed. 
+In this activity, we will view the CodeQL findings in the Security page of your repository. The Security page is where all security related information is displayed.
 
-1. Navigate to the **Security** tab in the top navigation bar of your repository.  
-2. Select **Code scanning** under the "Vulnerability alerts" heading in left-side navigation bar.
+1. Navigate to the **Security** tab in the top navigation bar of your repository.
 
-This screen will contain all the vulnerabilities identified by CodeQL inside this repository's codebase. Explore the different filters and search capabilities in this page. These filtering capabilities become very helpful when you're working with many findings!
+1. Select **Code scanning** under the "Vulnerability alerts" heading in left-side navigation bar.
 
+   This screen will contain all the vulnerabilities identified by CodeQL inside this repository's codebase. Explore the different filters and search capabilities in this page. These filtering capabilities become very helpful when you're working with many findings!
 
-### :keyboard: Activity 3: Review an Alert
+### ⌨️ Activity 3: Review an Alert
 
-In this activity, we will explore the alert UI. We'll review the data flow of the vulnerability, indentify what part of the code the alert impacts, and get more information about the alert.
+In this activity, we will explore the alert UI. We'll review the data flow of the vulnerability, identify what part of the code the alert impacts, and get more information about the alert.
 
 **Alert status:** This section displays the current alert status (open or closed), identifies the branch where the scan detected the alert, and shows the timestamp of the alert.
-  
+
 ![alert-status](/images/alert-status.png)
 
-**Location information:** This section describes which part of the code is vulnerable.  
-  
+**Location information:** This section describes which part of the code is vulnerable.
+
 ![location-information](/images/location-information.png)
 
-**Paths:** Clicking on "Show paths" will give you additional insights into the alert's data flow. The modal shows us where the user input (we call that a "source") flows through the application until it's acted on (we call this the "sink"). This visualizes the flow of data through your application. 
-  
+**Paths:** Clicking on "Show paths" will give you additional insights into the alert's data flow. The modal shows us where the user input (we call that a "source") flows through the application until it's acted on (we call this the "sink"). This visualizes the flow of data through your application.
+
 **Recommendations:** This section provides a quick overview of the tool (CodeQL in this case), Rule ID, and even allows you to view the CodeQL query used to find this vulnerability. You can view the query by clicking **View source**. Additionally, this pane includes recommendations for fixing this vulnerability. Click **Show more** to view the full recommendation.
 
 ![recommendations](/images/recommendations.png)
@@ -62,27 +59,38 @@ In this activity, we will explore the alert UI. We'll review the data flow of th
 **Alert triage:** Use the buttons at the top right of the alert to triage or create a new issue for the alert. Don't do anything yet. We'll get into these buttons in a moment. 😄
 
 **Additional info:** Finally, the right-side panel contains information such as tags, CWE information, and the severity of the alert
-  ![additional-information.png](/images/additiona-information.png)
+![additional-information.png](/images/additiona-information.png)
 
+### ⌨️ Activity: Dismiss an Alert
 
-### :keyboard: Activity 4: Dismiss an Alert
 Now that we're familiar with the alert layout, let's work through the process of closing one.
 
 1. Inside this same alert, click **Dismiss alert**, choose any reason for dismissal, and add a short note.
-2. Click **Dismiss alert**.
-3. At this point, the alert will change its state to "Dismissed". You can now see the change you made in the audit trail at the bottom of the alert.
-4. Navigate back to **Security** > **Code scanning alerts**.  You'll see that you only have 1 alert listed.
-5. Click **1 Closed**.  This will bring you to the closed alerts where you can view the alert you just closed.
+
+1. Click **Dismiss alert**.
+
+1. At this point, the alert will change its state to "Dismissed". You can now see the change you made in the audit trail at the bottom of the alert.
+
+1. Navigate back to **Security** > **Code scanning alerts**. You'll see that you only have 1 alert listed.
+
+1. Click **1 Closed**. This will bring you to the closed alerts where you can view the alert you just closed.
+
    ![one-closed-alert.png](/images/one-closed-alert.png)
 
-7. (Optional) You can also reopen the alert by opening it, then selecting **Reopen alert**.
+1. (Optional) You can also reopen the alert by opening it, then selecting **Reopen alert**.
+
+### ⌨️ Activity: Create a GitHub Issue for an Alert
 
-### :keyboard: Activity 5: Create a GitHub Issue for an Alert
 This last step will show you how to create a GitHub Issue to track the work that goes into resolving a vulnerability. Issues provide a space for collaboration for a security problem and can be assigned to people or teams.
-  
+
 1. Open one of the open alerts that CodeQL identified from the scan.
-2. Click the green **Create issue** button at the top right of the alert. If you don't see this button, check the status of the alert to make sure it's an open alert.
-3. Add any details you would like to include in the new issue form.  
-4. Click **Submit new issue**.
-5. To view the your issue, click **Issues** in the top navigation bar of your repository.
-6. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
+
+1. Click the green **Create issue** button at the top right of the alert. If you don't see this button, check the status of the alert to make sure it's an open alert.
+
+1. Add any details you would like to include in the new issue form.
+
+1. Click **Submit new issue**.
+
+1. To view the your issue, click **Issues** in the top navigation bar of your repository.
+
+1. With the new issue opened for managing the fix, Mona will check your progress and share the next steps.