github-actions
Install: npx machina-cli add skill tartinerlabs/skills/github-actions --openclaw
Language Conventions
Infer language style from the project:
- Analyse existing workflows, commit messages, and documentation to detect the project's language variant (US English, UK English, etc.)
- Match the spelling conventions found in the project (e.g., "optimize" vs "optimise", "customize" vs "customise")
- Maintain consistency with the project's established language style throughout workflow files and comments
Mode Detection
Determine the mode based on context:
- Create mode: no .github/workflows/ directory exists, or the user explicitly asks to create/add a workflow
- Audit mode: .github/workflows/*.yml files exist, or the user explicitly asks to audit/review/fix workflows
Create Mode
1. Detect Project Type
Scan for project indicators:
- package.json → Node.js/JS/TS
- go.mod → Go
- requirements.txt / pyproject.toml / setup.py → Python
- Cargo.toml → Rust
- Gemfile → Ruby
2. Detect Package Manager (JS/TS projects)
Check in this order, since a repository that moved to another manager often still carries a stale package-lock.json; if package.json declares a packageManager field (e.g. "pnpm@9.1.0"), that field wins over lockfile inference:
- pnpm-lock.yaml → pnpm
- bun.lock / bun.lockb → bun
- yarn.lock → yarn
- package-lock.json → npm
3. Generate Workflow
Apply all rules from the rules/ directory when generating workflows. Read each rule file for detailed requirements and examples.
4. Workflow Template
Adapt this CI template to the detected project type and package manager. Replace <pm> with the detected package manager; note that the lockfile-strict install for npm is `npm ci` (npm has no --frozen-lockfile flag), and that the tag references below must be replaced with full commit SHAs to satisfy the action-pinning rule:
```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
# Workflow-wide default: the GITHUB_TOKEN may only read repository contents.
# Widen scopes per job only where a job needs them.
permissions:
  contents: read
# One run per workflow and ref; a newer push cancels the stale run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      # Pin to the release's commit SHA and keep the tag as a comment:
      #   uses: actions/checkout@<40-hex commit sha> # v4
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          # setup-node caches npm, yarn and pnpm (pnpm must already be on
          # PATH, e.g. via pnpm/action-setup); it cannot cache bun.
          cache: '<pm>'
      # npm: npm ci | pnpm, bun, yarn: <pm> install --frozen-lockfile
      - run: <pm> install --frozen-lockfile
      # Under npm, scripts other than test need "npm run <script>".
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build
```
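As an added example that is not part of the skill or its repository, the four Create-mode steps above as runnable Python: it detects the project type, resolves the JS package manager (honouring a packageManager field before lockfile inference) and renders the template with the correct lockfile-strict install for each manager. The function names, the pnpm/action-setup step emitted for pnpm and the bun caching caveat are this example's own additions, not the skill's.

```python
"""Added example, not the skill's own code: the Create-mode steps as functions.
detect_project_type/detect_package_manager work on a set of file names plus the
parsed package.json so they can be checked without touching disk; inspect_repo()
reads a real checkout. All names here are hypothetical."""
from __future__ import annotations

import json
from pathlib import Path

PROJECT_MARKERS = [  # indicator file -> project type, in the skill's order
    ("package.json", "node"), ("go.mod", "go"), ("requirements.txt", "python"),
    ("pyproject.toml", "python"), ("setup.py", "python"), ("Cargo.toml", "rust"),
    ("Gemfile", "ruby"),
]
# Checked in this order: a repo that moved to pnpm/bun/yarn often still carries
# a stale package-lock.json, so npm must be the last resort, not the first hit.
LOCKFILES = [("pnpm-lock.yaml", "pnpm"), ("bun.lock", "bun"), ("bun.lockb", "bun"),
             ("yarn.lock", "yarn"), ("package-lock.json", "npm")]
# "<pm> install --frozen-lockfile" is literal for pnpm and bun and a still
# accepted alias of --immutable in Yarn Berry; npm's equivalent is "npm ci".
INSTALL = {"npm": "npm ci", "pnpm": "pnpm install --frozen-lockfile",
           "yarn": "yarn install --frozen-lockfile", "bun": "bun install --frozen-lockfile"}


def detect_project_type(files: set[str]) -> str:
    for marker, kind in PROJECT_MARKERS:
        if marker in files:
            return kind
    return "unknown"


def detect_package_manager(files: set[str], package_json: dict) -> str | None:
    """A packageManager field ("pnpm@9.1.0") is authoritative (Corepack honours
    it); fall back to lockfile inference only when it is absent."""
    name = str(package_json.get("packageManager", "")).split("@", 1)[0]
    if name in INSTALL:
        return name
    for lockfile, pm in LOCKFILES:
        if lockfile in files:
            return pm
    return None


def inspect_repo(root: Path) -> tuple[str, str | None]:
    files = {p.name for p in root.iterdir()}
    pkg = json.loads((root / "package.json").read_text()) if "package.json" in files else {}
    return detect_project_type(files), detect_package_manager(files, pkg)


def render_node_workflow(pm: str) -> str:
    """Fill the skill's CI template for one package manager. The @v4 tags are
    placeholders: the action-pinning rule wants full commit SHAs in their place.
    Scripts run as "<pm> run <name>" because bare "yarn check" and "bun test"
    invoke built-in commands rather than the package.json scripts."""
    steps = ["      - uses: actions/checkout@v4"]
    if pm == "pnpm":  # setup-node's pnpm cache requires pnpm on PATH beforehand
        steps.append("      - uses: pnpm/action-setup@v4")
    steps += ["      - uses: actions/setup-node@v4", "        with:",
              "          node-version: 'lts/*'"]
    if pm == "bun":  # setup-node caches npm, yarn and pnpm only
        steps.append("          # cache: unsupported for bun; use a bun setup action")
    else:
        steps.append(f"          cache: '{pm}'")
    steps.append(f"      - run: {INSTALL[pm]}")
    steps += [f"      - run: {pm} run {script}" for script in ("check", "test", "build")]
    return "\n".join([
        "name: CI", "on:", "  push:", "    branches: [main]", "  pull_request:",
        "    branches: [main]", "permissions:", "  contents: read", "concurrency:",
        "  group: ${{ github.workflow }}-${{ github.ref }}", "  cancel-in-progress: true",
        "jobs:", "  ci:", "    runs-on: ubuntu-latest", "    steps:", *steps, ""])


if __name__ == "__main__":  # run from a repository root to print the workflow
    kind, pm = inspect_repo(Path("."))
    print(render_node_workflow(pm) if kind == "node" and pm else f"# {kind}: adapt the template by hand")
```

The rendered output still carries `@v4` tags; the action-pinning rule requires replacing each with the release's commit SHA before the workflow is committed.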
Audit Mode
1. Scan Workflows
Read all files in .github/workflows/*.yml (GitHub also loads *.yaml workflow files; include them so none are skipped) and audit against every rule in the rules/ directory.
2. Report Format
```markdown
## GitHub Actions Audit Results
### HIGH Severity
- `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA
### MEDIUM Severity
- `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block
### Summary
- High: X
- Medium: Y
- Low: Z
- Files scanned: N
```
3. Auto-Fix
After reporting, apply fixes. Look up commit SHAs for pinning using gh api: resolve the tag or branch to its commit (an annotated tag points at a tag object, which must be dereferenced once more to reach the commit), write the 40-character SHA into `uses:`, and keep the original version as a trailing comment so the reference stays readable and dependency-update tooling can still bump it.
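As an added example, not code from the skill, the three Audit-mode steps (scan, report, auto-fix) in Python. The checks are line-based regex matching rather than YAML parsing, which is enough for `uses:`, `permissions:` and `concurrency:` keys; the rules files are not reproduced on this page, so the exact messages and the per-rule checks here are this example's own. `gh_api` shells out to the real GitHub CLI; `resolve_sha` and `pin_workflow` accept any callable with the same shape, and the endpoints used are GitHub's Git references REST routes.

```python
"""Added example, not code from the skill: a line-based auditor for the
action-pinning, permissions and concurrency rules that emits the report
format above, plus the auto-fix step. gh_api() runs the real `gh api`;
resolve_sha() and pin_workflow() accept any callable of the same shape, so
the tag-to-commit logic can be exercised offline. Names are hypothetical."""
from __future__ import annotations

import json
import re
import subprocess
from typing import Callable

# owner/repo[/path]@ref; local (./x) and docker:// references never match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit(path: str, text: str) -> list[tuple[str, str]]:
    """Findings as (severity, message) for one workflow file."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):  # a tag or branch can be moved later
            findings.append(("HIGH", f"`{path}:{n}` - `{m.group(1)}@{m.group(2)}` → pin to commit SHA"))
    if not any(re.match(r"^\s*permissions:", l) for l in lines):
        findings.append(("HIGH", f"`{path}` - No permissions block, so GITHUB_TOKEN "
                                 "falls back to the repository default → add `permissions: contents: read`"))
    if not any(re.match(r"^\s*concurrency:", l) for l in lines):
        findings.append(("MEDIUM", f"`{path}` - Missing concurrency group → add concurrency block"))
    return findings


def report(findings, files_scanned: int) -> str:
    out = ["## GitHub Actions Audit Results"]
    counts = {}
    for sev in ("HIGH", "MEDIUM", "LOW"):
        items = [msg for s, msg in findings if s == sev]
        counts[sev] = len(items)
        if items:
            out += [f"### {sev} Severity"] + [f"- {msg}" for msg in items]
    out += ["### Summary", f"- High: {counts['HIGH']}", f"- Medium: {counts['MEDIUM']}",
            f"- Low: {counts['LOW']}", f"- Files scanned: {files_scanned}"]
    return "\n".join(out)


def gh_api(endpoint: str) -> dict:
    """`gh api <endpoint>` prints the REST response as JSON and exits non-zero on 404."""
    try:
        proc = subprocess.run(["gh", "api", endpoint], check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError as e:
        raise LookupError(f"{endpoint}: {e.stderr.strip()}") from e
    return json.loads(proc.stdout)


def resolve_sha(action: str, ref: str, api: Callable[[str], dict] = gh_api) -> str:
    """Map owner/repo@ref to a commit SHA. A branch or lightweight tag ref points
    straight at a commit; an annotated tag points at a tag object that must be
    dereferenced via git/tags/{sha}. Pinning the tag object's SHA by mistake
    yields a `uses:` that GitHub cannot check out."""
    owner, repo = action.split("/")[:2]  # owner/repo/subdir actions use the repo's refs
    for kind in ("tags", "heads"):
        try:
            obj = api(f"repos/{owner}/{repo}/git/ref/{kind}/{ref}")["object"]
        except LookupError:  # KeyError from a dict-backed fake is also a LookupError
            continue
        while obj["type"] == "tag":
            obj = api(f"repos/{owner}/{repo}/git/tags/{obj['sha']}")["object"]
        if obj["type"] == "commit":
            return obj["sha"]
    raise LookupError(f"{action}@{ref}: no tag or branch by that name")


def pin_workflow(text: str, api: Callable[[str], dict] = gh_api) -> str:
    """Rewrite each unpinned `uses:` as owner/repo@<sha> # <ref>. The trailing
    comment keeps the version readable and lets Dependabot/Renovate bump it."""
    fixed = []
    for line in text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            sha = resolve_sha(m.group(1), m.group(2), api)
            rest = line[m.end():]
            comment = "" if rest.lstrip().startswith("#") else f" # {m.group(2)}"
            line = line[:m.start(2)] + sha + comment + rest
        fixed.append(line)
    return "".join(fixed)


if __name__ == "__main__":  # audit .github/workflows; --fix also pins (needs gh auth)
    import sys
    from pathlib import Path
    files = sorted(Path(".github/workflows").glob("*.y*ml"))
    found = [f for p in files for f in audit(str(p), p.read_text())]
    print(report(found, len(files)))
    if "--fix" in sys.argv:
        for p in files:
            p.write_text(pin_workflow(p.read_text()))
```

The step that matters for auto-fix is the tag-object dereference: many release tags are annotated, and `git/ref/tags/<tag>` then returns the SHA of the tag object rather than of the commit. A SHA pinned without that extra lookup looks valid in the file but fails when the runner tries to fetch it.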
Rules
Read individual rule files for detailed checks and examples:
| Rule | Severity | File |
|---|---|---|
| Action pinning | HIGH | rules/action-pinning.md |
| Permissions | HIGH | rules/permissions.md |
| Concurrency | MEDIUM | rules/concurrency.md |
| Node version | MEDIUM | rules/node-version.md |
| Caching | MEDIUM | rules/caching.md |
| Triggers | LOW | rules/triggers.md |
| Matrix strategy | LOW | rules/matrix.md |
Assumptions
- GitHub CLI (gh) is available for looking up action commit SHAs
- The project is hosted on GitHub
Source
https://github.com/tartinerlabs/skills/blob/main/skills/github-actions/SKILL.md
Overview
This skill helps you add CI/CD by creating GitHub Actions workflows and auditing existing ones. It emphasizes SHA pinning and permission controls to reduce supply-chain risks and misconfigurations, and it adapts templates to your project type.
How This Skill Works
It uses mode detection to decide between Create mode and Audit mode, scans for .github/workflows, and applies rules from the rules directory (e.g., action-pinning, permissions, concurrency, node version, caching, triggers, matrix) to generate or fix workflows. Workflow templates are adapted to the detected project type and package manager, and auto-fixes can be applied using the GitHub CLI (gh) as described in assumptions.
When to Use It
- You are adding CI/CD to a new project and need a starter workflow tailored to the detected project type and package manager.
- You want to audit existing .github/workflows to identify missing or incorrect action pinning and permissions.
- You need to fix SHA pinning and permission configurations in workflows to improve security and reliability.
- You are aligning workflows with project language style (US/UK English) and language conventions for consistency.
- You want to generate or update workflows in Node.js, Python, Go, Rust, or Ruby projects based on detected indicators.
Quick Start
- Step 1: Detect the project type (look for package.json, go.mod, requirements.txt, Cargo.toml, Gemfile) and determine the package manager if applicable.
- Step 2: Choose Create mode to generate a template or Audit mode to review and fix existing workflows; apply rules from the rules directory, including action pinning and permissions.
- Step 3: Review generated fixes, commit changes, and optionally use gh to look up SHAs for pinning before pushing.
Best Practices
- Pin all external actions to a full commit SHA: a tag or branch can be moved (or the action's repository compromised) after you reviewed it, whereas a SHA fixes exactly the code that runs.
- Define explicit permissions for workflow jobs to limit access to required scopes.
- Use a dedicated concurrency group and cancel-in-progress strategy to avoid overlapping runs.
- Detect project type and package manager to generate accurate, runnable workflows.
- Leverage gh for pinning SHAs and validating action versions during auto-fix.
Example Use Cases
- Create a Node.js CI workflow for npm with SHAs pinned and caching based on package-lock.json.
- Audit a Python project; fix missing concurrency blocks and pin a flaky action to a SHA.
- Pin a popular GitHub Action to a specific commit in a Go project using the CLI-assisted fix.
- Generate a CI template adapted to a Rust project using Cargo.toml and ensure correct permissions.
- Align US vs UK English spelling in workflow comments while auditing a multi-language repository.