github-actions

Use when adding CI/CD, creating workflows, auditing GitHub Actions, or fixing action pinning. Creates and audits workflows for SHA pinning and permissions.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "github-actions" with this command: npx skills add tartinerlabs/skills/tartinerlabs-skills-github-actions

Language Conventions

Infer language style from the project:

  • Analyse existing workflows, commit messages, and documentation to detect the project's language variant (US English, UK English, etc.)
  • Match the spelling conventions found in the project (e.g., "optimize" vs "optimise", "customize" vs "customise")
  • Maintain consistency with the project's established language style throughout workflow files and comments

Mode Detection

Determine the mode based on context:

  • Create mode: No .github/workflows/ directory exists, or user explicitly asks to create/add a workflow
  • Audit mode: .github/workflows/*.yml files exist, or user explicitly asks to audit/review/fix workflows

Create Mode

1. Detect Project Type

Scan for project indicators:

  • package.json → Node.js/JS/TS
  • go.mod → Go
  • requirements.txt / pyproject.toml / setup.py → Python
  • Cargo.toml → Rust
  • Gemfile → Ruby

2. Detect Package Manager (JS/TS projects)

  • pnpm-lock.yaml → pnpm
  • bun.lock / bun.lockb → bun
  • yarn.lock → yarn
  • package-lock.json → npm

3. Generate Workflow

Apply all rules from the rules/ directory when generating workflows. Read each rule file for detailed requirements and examples.

4. Workflow Template

Adapt this CI template to the detected project type and package manager (replace <pm> with the detected package manager):

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build

Audit Mode

1. Scan Workflows

Read all files in .github/workflows/*.yml and audit against every rule in the rules/ directory.

2. Report Format

## GitHub Actions Audit Results

### HIGH Severity
- `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA

### MEDIUM Severity
- `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block

### Summary
- High: X
- Medium: Y
- Low: Z
- Files scanned: N

3. Auto-Fix

After reporting, apply fixes. Look up commit SHAs for pinning using gh api.
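The scan, report and auto-fix steps above, as an added example that is not part of the skill's own code: a small Python auditor that flags `uses:` references not pinned to a 40-hex commit SHA, reports a missing top-level `permissions:` or `concurrency:` block in the report format shown under step 2, and then rewrites the unpinned references. The sample workflow text and the tag-to-SHA table are constructed for the demo (the hex values are placeholders, not real commits); in a real run the resolver would call `gh api repos/OWNER/REPO/git/ref/tags/TAG` instead, and for an annotated tag it would follow `object.sha` through `repos/OWNER/REPO/git/tags/SHA` to reach the underlying commit.

```python
"""Audit GitHub Actions workflow text for unpinned actions and missing
permissions/concurrency, then rewrite unpinned `uses:` refs to commit SHAs.

Added example, not the skill's code. SAMPLE_WORKFLOW and FAKE_SHA_TABLE are
constructed for the demo; the SHA values are placeholders.
"""
import re
from typing import Callable, Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref` and keeps the indentation and any trailing comment.
USES = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

# Constructed sample workflow; it deliberately contains findings.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - uses: codecov/codecov-action@0123456789abcdef0123456789abcdef01234567 # v3.1.6
      - run: npm test
"""

# Constructed stand-in for `gh api repos/OWNER/REPO/git/ref/tags/TAG` lookups.
FAKE_SHA_TABLE = {
    ("actions/checkout", "v4"): "1" * 40,
    ("actions/setup-node", "v4"): "2" * 40,
}


def lookup_sha(action: str, ref: str) -> Optional[str]:
    """Demo resolver: SHA for a known (action, tag) pair, else None."""
    return FAKE_SHA_TABLE.get((action, ref))


def audit(text: str, path: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES.match(line)
        if m and not SHA40.fullmatch(m["ref"]):
            findings.append(("HIGH", f"`{path}:{lineno}` - `{m['action']}@{m['ref']}` → pin to commit SHA"))
    # Top-level keys sit in column 0, so a missing block is a file-level finding.
    if not re.search(r"^permissions:", text, re.M):
        findings.append(("HIGH", f"`{path}` - Missing top-level permissions → add `permissions: contents: read`"))
    if not re.search(r"^concurrency:", text, re.M):
        findings.append(("MEDIUM", f"`{path}` - Missing concurrency group → add concurrency block"))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


def format_report(findings: list[tuple[str, str]], files_scanned: int) -> str:
    """Render findings in the skill's report layout."""
    out = ["## GitHub Actions Audit Results", ""]
    for sev in ("HIGH", "MEDIUM", "LOW"):
        msgs = [msg for s, msg in findings if s == sev]
        if msgs:
            out.append(f"### {sev} Severity")
            out.extend(f"- {msg}" for msg in msgs)
            out.append("")
    c = summarize(findings)
    out += ["### Summary", f"- High: {c['HIGH']}", f"- Medium: {c['MEDIUM']}",
            f"- Low: {c['LOW']}", f"- Files scanned: {files_scanned}"]
    return "\n".join(out)


def pin_actions(text: str, resolve: Callable[[str, str], Optional[str]]) -> str:
    """Rewrite non-SHA `uses:` refs to the SHA returned by `resolve`, keeping the
    original tag as a trailing comment. Refs the resolver cannot map are left alone."""
    lines = []
    for line in text.splitlines():
        m = USES.match(line)
        if m and not SHA40.fullmatch(m["ref"]):
            sha = resolve(m["action"], m["ref"])
            if sha:
                line = f"{m['prefix']}{m['action']}@{sha} # {m['ref']}{m['rest']}"
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    path = ".github/workflows/ci.yml"
    print(format_report(audit(SAMPLE_WORKFLOW, path), files_scanned=1))
    print(pin_actions(SAMPLE_WORKFLOW, lookup_sha))
```

The auditor treats only a full 40-hex ref as pinned because a tag or branch can be moved to point at different code later, whereas a commit SHA identifies exactly the code that will run; keeping the tag in a trailing comment preserves the human-readable version for later upgrades. Running `audit` on the output of `pin_actions` is a cheap regression check that the fix pass left no unpinned references behind.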

Rules

Read individual rule files for detailed checks and examples:

Rule            | Severity | File
----------------|----------|------------------------
Action pinning  | HIGH     | rules/action-pinning.md
Permissions     | HIGH     | rules/permissions.md
Concurrency     | MEDIUM   | rules/concurrency.md
Node version    | MEDIUM   | rules/node-version.md
Caching         | MEDIUM   | rules/caching.md
Triggers        | LOW      | rules/triggers.md
Matrix strategy | LOW      | rules/matrix.md

Assumptions

  • GitHub CLI (gh) is available for looking up action commit SHAs
  • The project is hosted on GitHub

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
