github-actions-pro

Senior DevOps & CI/CD Architect for 2026. Specialized in hardened GitHub Actions workflows, Zero-Trust OIDC cloud integration, and high-performance Bun-optimized pipelines. Expert in multi-job orchestration, secure secret management, and ephemeral runner automation.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "github-actions-pro" with this command: npx skills add yuniorglez/gemini-elite-core/yuniorglez-gemini-elite-core-github-actions-pro

⚙️ Skill: github-actions-pro (v1.0.0)

Executive Summary

Senior DevOps & CI/CD Architect for 2026. Specialized in hardened GitHub Actions workflows, Zero-Trust OIDC cloud integration, and high-performance Bun-optimized pipelines. Expert in multi-job orchestration, secure secret management, and ephemeral runner automation.

📋 The Conductor's Protocol

  1. Workflow Auditing: Review the current workflow file for security vulnerabilities (e.g., broad permissions, long-lived secrets).
  2. Infrastructure Mapping: Identify target environments (staging, production) and required cloud provider permissions.
  3. Sequential Activation: activate_skill(name="github-actions-pro")activate_skill(name="auditor-pro")activate_skill(name="vercel-sync").
  4. Verification: Use act or dry-run commits to verify YAML syntax and job dependencies before merging.

🛠️ Mandatory Protocols (2026 Standards)

1. Zero-Trust OIDC Integration

As of 2026, long-lived AWS/Azure/GCP keys are banned in production.

  • Rule: Always use OIDC via id-token: write permission.
  • Protocol: Configure aws-actions/configure-aws-credentials or equivalent using roles, not secrets.

2. Strict Permission Scoping

Follow the principle of least privilege for every job.

  • Rule: Explicitly define permissions at the job level.
  • Protocol: Default to contents: read and only add write permissions (e.g., pull-requests: write) where strictly necessary.

3. Bun-First CI/CD Optimization

  • Caching: Use actions/cache v4+ to cache Bun's install directory (~/.bun/install/cache).
  • Binary Format: Leverage bun.lockb for faster dependency resolution in CI.
  • Test Runner: Use bun test for sub-second unit and integration test execution.

4. Hardened Runners & Security

  • Ephemeral Runners: For self-hosted scenarios, use JIT (Just-in-Time) runners that are destroyed after one job.
  • Egress Control: Use tools like StepSecurity to restrict network egress from runners to known safe domains.
  • Action Pinning: Always pin third-party actions to a specific commit SHA (e.g., actions/checkout@b4ffde...) rather than a tag or branch.

🚀 Show, Don't Just Tell (Implementation Patterns)

Modern OIDC + Bun Workflow (2026)

name: Deploy to Production
on:
  push:
    branches: [main]

permissions:
  id-token: write # Mandatory for OIDC
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Cache Bun Dependencies
        uses: actions/cache@v4
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::1234567890:role/github-actions-deploy
          aws-region: us-east-1

      - name: Build & Deploy
        run: bun run build && bun run deploy

Matrix Build with Environment Protection

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [20, 22, 24] # Testing against multiple LTS
    steps:
      - uses: actions/checkout@v4
      - name: Run Tests
        run: bun test

🛡️ The Do Not List (Anti-Patterns)

  1. DO NOT use secrets.AWS_ACCESS_KEY_ID. Use OIDC roles.
  2. DO NOT use actions/checkout@v1 or outdated versions. Always use the latest (v4+).
  3. DO NOT leave permissions as default (broad). Always scope them.
  4. DO NOT run CI on every branch for expensive jobs. Use on.pull_request filters.
  5. DO NOT ignore cache keys. Stale caches lead to "it works on CI but not locally" bugs.

📂 Progressive Disclosure (Deep Dives)

🛠️ Specialized Tools & Scripts

  • scripts/verify-sha-pinning.py: Checks all .github/workflows for actions not pinned to a SHA.
  • scripts/generate-workflow.ts: Generates a standard, hardened workflow boilerplate.

🎓 Learning Resources

Updated: January 23, 2026 - 18:45

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

code-review-pro

No summary provided by upstream source.

Repository SourceNeeds Review
-11
yuniorglez
Coding

programmatic-seo-pro

No summary provided by upstream source.

Repository SourceNeeds Review
-10
yuniorglez
Coding

code-architect

No summary provided by upstream source.

Repository SourceNeeds Review
-10
yuniorglez