From arn-infra
This skill should be used when the user says "infra pipeline", "arn infra pipeline", "create CI/CD pipeline", "set up deployment pipeline", "generate pipeline", "infra CI/CD", "deployment pipeline", "setup cicd", "generate github actions", "generate gitlab ci", "generate bitbucket pipeline", "infrastructure pipeline", "pipeline setup", "create deployment workflow", "cicd for infrastructure", "infra deployment pipeline", "set up infrastructure CI/CD", "arn-infra-pipeline", or wants to generate infrastructure-specific CI/CD pipelines with SOC 2 alignment, OIDC authentication, and environment-aware deployment stages.
npx claudepluginhub appsvortex/arness --plugin arn-infra
This skill uses the workspace's default tool permissions.
Generate infrastructure-specific CI/CD pipelines (separate from application CI/CD) with SOC 2 alignment. This skill produces four pipeline jobs: PR validation, staging deployment, production promotion, and scheduled cleanup. It detects existing CI configurations from arn-spark and extends rather than replaces them.
The generated pipelines implement security best practices: OIDC authentication for cloud providers (no static credentials), separate IAM roles per environment, plan-as-artifact audit trails, and branch protection enforcement.
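A minimal static check for the properties listed above, written as an added example (not the plugin's own auditor or checklist). It assumes GitHub Actions with AWS and Terraform; the finding names, the regex heuristics, the role ARN and both workflow samples are constructed for illustration.

```python
import re

# Constructed sample: long-lived cloud keys injected from repository secrets.
WEAK = """\
on: push
jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: terraform apply -auto-approve
"""

# Constructed sample: OIDC token exchange for a per-environment role, saved plan applied.
HARDENED = """\
on: push
permissions:
  id-token: write
  contents: read
jobs:
  apply:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111111111111:role/infra-staging
          aws-region: us-east-1
      - run: terraform apply tfplan
"""

# (finding name, pattern, True if the finding is raised when the pattern is present)
CHECKS = [
    ("static-credential", r"secrets\.\w*(ACCESS_KEY|SECRET_KEY|CLIENT_SECRET)\w*", True),
    ("apply-without-saved-plan", r"terraform apply\b[^\n]*-auto-approve", True),
    ("no-oidc-permission", r"^\s*id-token:\s*write\s*$", False),
    ("no-environment-binding", r"^\s*environment:\s*\S+", False),
]

def audit_workflow(text):
    """Return the sorted findings for one workflow file's text."""
    return sorted(name for name, pattern, bad_if_present in CHECKS
                  if bool(re.search(pattern, text, re.M | re.I)) == bad_if_present)
```

These are line-level heuristics: a workflow that passes still needs the cloud-side trust policy restricted to the expected repository, branch and environment.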
Read ## Arness from the project's CLAUDE.md. If no ## Arness section exists or Arness Infra fields are missing, inform the user: "Arness Infra is not configured for this project yet. Run /arn-infra-wizard to get started — it will set everything up automatically." Do not proceed without it.
Check the Deferred field. If Deferred: yes, inform the user: "Infrastructure is in deferred mode. CI/CD pipeline setup is not available until infrastructure is fully configured. Run /arn-infra-assess to un-defer." Stop.
Extract:
- ~/.arness/user-profile.yaml (or .claude/arness-profile.local.md if it exists — project override takes precedence). Apply the experience derivation mapping from ${CLAUDE_PLUGIN_ROOT}/skills/arn-infra-ensure-config/references/experience-derivation.md. If no profile exists, check for legacy Experience level in ## Arness as fallback.
- providers.md for per-provider IaC tool details
- environments.md for promotion rules
- tooling-manifest.json for available tools

Extract the CI/CD platform field from ## Arness config. If not present, auto-detect by scanning for .github/workflows/, .gitlab-ci.yml, or bitbucket-pipelines.yml.
Read the provider configuration:
Read <providers-config-path>
For each provider, extract:
Status: inactive)

Read the environment configuration:
Read <environments-config-path>
Extract:
Read the tooling manifest:
Read <tooling-manifest-path>
Check for available CI/CD-relevant tools:
Scan for existing pipeline configurations:
Glob .github/workflows/*.yml
Glob .github/workflows/*.yaml
Glob .gitlab-ci.yml
Glob bitbucket-pipelines.yml
If existing CI/CD is found: Read and understand the existing pipeline structure. Present findings: "I found existing CI/CD pipelines: [list files]. Infrastructure pipelines will be generated as separate workflow files to extend, not replace, your existing setup."
If no existing CI/CD is found: Note: "No existing CI/CD detected. Generating infrastructure pipelines from scratch."
Based on the CI/CD platform from ## Arness config (auto-detected from CI config files, independent of the code hosting Platform):
| CI/CD Platform | Reference |
|---|---|
| github-actions | Read the local override or plugin default for github-actions-patterns.md. |
| gitlab-ci | Read the local override or plugin default for gitlab-ci-patterns.md. |
| bitbucket-pipelines | Read the local override or plugin default for bitbucket-pipelines-patterns.md. |
| none | Ask the user which CI/CD platform to target. If no preference, recommend GitHub Actions for GitHub-hosted repos, Bitbucket Pipelines for Bitbucket-hosted repos, or GitLab CI for self-hosted/GitLab-hosted repos. |
Load the security checklist:
Read the local override or plugin default for pipeline-security-checklist.md.
Invoke the arn-infra-pipeline-builder agent via the Task tool with:
--- PLATFORM CONTEXT ---
CI/CD platform: [github-actions | gitlab-ci | bitbucket-pipelines]
Existing CI/CD files: [list of detected files, or "none"]
--- END PLATFORM CONTEXT ---

--- PROVIDER CONFIGURATION ---
[For each active provider:]
Provider: [name]
Scope: [components]
IaC tool: [tool]
--- END PROVIDER CONFIGURATION ---

--- ENVIRONMENT CONFIGURATION ---
Environments: [list in promotion order]
Promotion pipeline: [env1 --> env2 --> env3]
[For each environment:]
Environment: [name]
Auto-deploy: [yes | no]
Approval required: [yes | no]
--- END ENVIRONMENT CONFIGURATION ---

--- TOOLING CONTEXT ---
Available security scanners: [checkov, trivy, or "none"]
Available cost tools: [infracost, or "none"]
Validation ceiling: [0-4]
--- END TOOLING CONTEXT ---

--- INSTRUCTIONS ---
Generate infrastructure CI/CD pipeline jobs. The number of jobs depends on the user's experience level:
Beginner (2-job pipeline):
Intermediate (3-job pipeline):
Expert (4-job pipeline):
PR Validation Job: Triggers on every PR that modifies IaC files (*.tf, *.hcl, Pulumi.*, cdk.json, *.bicep, kubernetes/). Runs:
Staging Deployment Job: Triggers on merge to main (or configured branch). Applies the exact plan reviewed in the PR. Respects auto-deploy flag from environment config.
Production Promotion Job: Manual trigger only. Requires approval gate (environment protection rules). Applies from the staging-verified state.
Scheduled Cleanup Job: Daily cron that checks for expired TTLs from active-resources.json. Creates issues or sends notifications (does not auto-destroy).
Security requirements (SOC 2 alignment):
If extending existing CI/CD, add infrastructure jobs as new workflow files or new stages. Do not modify existing application CI/CD steps.
--- END INSTRUCTIONS ---
Verify that the pipeline builder agent returned at least one pipeline configuration file. If no files were produced, follow the "Pipeline builder returns empty output" error handling procedure before proceeding.
Invoke the arn-infra-security-auditor agent via the Task tool with:
--- FILES TO AUDIT ---
[Generated pipeline configuration files from Step 4]
--- END FILES TO AUDIT ---

--- AUDIT CONTEXT ---
Audit type: CI/CD pipeline security review
Provider(s): [list]
Compliance: SOC 2 alignment
--- END AUDIT CONTEXT ---

--- TOOLING CONTEXT ---
Available security scanners: [checkov | trivy | none -- from tooling manifest]
Available secret scanners: [trufflehog | gitleaks | none -- from tooling manifest]
--- END TOOLING CONTEXT ---

--- INSTRUCTIONS ---
Review the generated pipeline configurations for security issues:
If security issues are found: Apply fixes to the generated pipeline before presenting to the user. Note what was changed: "The security auditor found [N] issues. I've applied fixes: [list]."
Present each generated pipeline file to the user:
"Here are the generated infrastructure CI/CD pipelines:
Platform: [GitHub Actions | GitLab CI | Bitbucket Pipelines]
Security audit: [Passed | N issues found and fixed]
[For each file:]
[filename]:
[generated content]
Jobs included:
Required setup:
Ask (using AskUserQuestion):
"How would you like to proceed with the generated pipelines?"
Options:
Upon user approval, write generated pipeline files to the appropriate locations:
- .github/workflows/infra-*.yml
- .gitlab-ci-infra.yml or included files
- bitbucket-pipelines.yml

Present the summary:
Infrastructure Pipeline Summary:
Required manual setup:
Recommended next steps:
"Infrastructure CI/CD is ready. Here is the recommended path:
- /arn-infra-env to configure environment isolation and promotion
- /arn-infra-secrets to set up secrets management for your pipelines
- /arn-infra-deploy to deploy to your first environment

Or run /arn-infra-wizard for the full guided pipeline."

- ## Arness config missing: Suggest running /arn-infra-wizard to get started. Stop.
- none: Inform the user that no CI/CD platform was detected. Suggest running /arn-infra-init to re-detect, or specify a target platform manually. Stop.
- /arn-infra-init to configure providers. Stop.