From bitwarden-devops-engineer
Audit GitHub Actions action usage across an org. Searches for a specific action (incident mode) or sweeps all workflow files for non-compliant action references (audit mode). Produces a read-only report of findings with compliance status and resolved SHAs. Does not modify any files. <example> User: We need to check if any repos are using tj-actions/changed-files Action: Trigger action-audit in incident mode for that action </example> <example> User: Can you find all unpinned actions across the org? Action: Trigger action-audit in audit mode </example>
How this skill is triggered — by the user, by Claude, or both
Slash command
/bitwarden-devops-engineer:action-auditThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- **This skill is strictly read-only.** Do not modify, create, or delete any files.
gh api GET requests are allowed freely. Do not use -X POST, -X PUT, -X PATCH, or -X DELETE.Before classifying any action reference, read ${CLAUDE_PLUGIN_ROOT}/skills/bitwarden-workflow-linter-rules/SKILL.md and apply the step_pinned rule as the compliance definition for all steps below. That skill is the single source of truth for what is and is not compliant.
incident (default): Targeted search for a specific action — used when an action is compromised or deprecated.audit: Sweep all workflow files org-wide for any non-compliant action references.Determine the mode from the user's request:
tj-actions/changed-files), use incident mode.action-remediate skill).Incident mode — search for the specific action:
gh search code "uses: <action-name>" --owner <org> --path .github/workflows/ --limit 100
Also search without the uses: prefix to catch indirect references:
gh search code "<action-name>" --owner <org> --path .github/workflows/ --limit 100
Audit mode — find all workflow files and extract uses: references:
gh search code "uses:" --owner <org> --path .github/workflows/ --limit 100
Then apply the step_pinned compliance filter from ${CLAUDE_PLUGIN_ROOT}/skills/bitwarden-workflow-linter-rules/SKILL.md to each reference.
Note: GitHub code search indexes can lag by minutes to hours after a recent push. Results may not reflect the very latest commits. Flag this caveat in the output.
For each uses: reference (excluding local ./ paths), determine:
uses: value (full line)internal — starts with bitwarden/third-party — all others (excluding local)hash — pinned to a full 40-char SHAtag — pinned to a version tag (e.g., @v3, @v1.2.3)branch — pointing to a named branch (e.g., @main, @master)none — no ref at allstep_pinned rule from ${CLAUDE_PLUGIN_ROOT}/skills/bitwarden-workflow-linter-rules/SKILL.md — ✅ if compliant, ❌ otherwise.Display a table:
| Repo | File | Current Reference | Type | Pin Status | Compliant |
|---|---|---|---|---|---|
| ... | ... | ... | ... | ... | ... |
In incident mode, include all rows. In audit mode, omit compliant (✅) rows.
If there are no non-compliant findings, inform the user and stop.
Apply the correct fix approach based on action type and mode. Do not treat all non-compliant references the same way.
Incident mode — replacement action provided:
If the user mentioned a replacement action in Step 1, do not resolve a SHA for the compromised action. Instead, resolve the SHA for the replacement action:
gh api repos/<owner>/<repo>/commits/<ref> --jq '.sha'
Present the resolved replacement SHA and a verification link (https://github.com/<owner>/<repo>/commit/<sha>) to the user. Ask for confirmation before finalizing.
Internal actions (bitwarden/):
@main. No SHA resolution needed.@main and may be intentional (e.g., frozen during a security incident or pinned for reproducibility). Inform the user and ask whether to change it to @main before including it in the remediation list.Third-party actions:
gh api repos/<owner>/<repo>/commits/<ref> --jq '.sha'
Where <owner>/<repo> is the action's repo and <ref> is the target tag or main.
Present to the user:
https://github.com/<owner>/<repo>/commit/<sha>Ask: "Does this SHA look correct? Type yes to confirm, or provide a different SHA."
Wait for confirmation before finalizing the report.
In audit mode, group unique third-party actions and resolve each once rather than per-occurrence.
Output a final summary:
| Repo | File | Current Reference | Type | Compliant | Remediation |
|---|---|---|---|---|---|
| ... | ... | ... | ... | ... | ... |
The Remediation column should contain:
change ref to @main@abc123...def456 # v4.1.1)Inform the user that they can use the action-remediate skill to apply fixes based on these findings.
npx claudepluginhub denobotion/ai-plugins --plugin bitwarden-devops-engineerCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.