From bitwarden-devops-engineer
Remediate GitHub Actions action findings identified by the action-audit skill. Applies the appropriate fix per action type — `@main` ref for internal `bitwarden/` actions, full SHA with inline version comment for external actions, or full replacement — across selected repos and creates draft PRs. Run the action-audit skill first to identify findings before using this skill. <example> User: Go ahead and fix the unpinned actions from the audit Action: Trigger action-remediate to apply fixes and create PRs </example> <example> User: Replace tj-actions/changed-files with the safe version across those repos Action: Trigger action-remediate to swap the action and create PRs </example>
How this skill is triggered — by the user, by Claude, or both
Slash command
/bitwarden-devops-engineer:action-remediateThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- **No mutating API calls without confirmation.** `gh api` GET requests are allowed freely. Any call using `-X POST`, `-X PUT`, `-X PATCH`, or `-X DELETE` must be shown to the user and approved before execution.
gh api GET requests are allowed freely. Any call using -X POST, -X PUT, -X PATCH, or -X DELETE must be shown to the user and approved before execution..github/. Do not touch application code, scripts, or configuration outside of workflow files.Before proceeding, verify that the user has audit findings to act on. These should come from a prior run of the action-audit skill. Confirm:
bitwarden/ actions: change the ref to @main@main is the fixIf any of this is unclear, ask the user before continuing.
For each selected repo:
Ask the user for the base directory where their repos are cloned (if not already known). Check if a local clone exists at <base-dir>/<repo>. If not, inform the user and skip that repo.
Create a fix branch:
git checkout -b fix/action-remediation-<action-name-slug>
Apply the fix to each affected file based on the remediation approach:
bitwarden/ actions): Replace the ref with @main — e.g., uses: bitwarden/gh-actions/action@v1 → uses: bitwarden/gh-actions/action@main. No SHA resolution needed.uses: line with uses: <action>@<sha> # <original-ref>bitwarden/workflow-linter. Then swap uses: <old-action>@<ref> with uses: <new-action>@<sha> # <tag>Show a git diff of changes in this repo and get confirmation before proceeding.
After fixes are confirmed, for each repo:
git add .github/
git commit -m "Remediate <action-name> action usage"
gh pr create \
--title "Remediate <action-name> action usage" \
--body "$(cat <<'EOF'
## Summary
Remediates usage of `<action-name>` across this repository.
**Action taken:** <pin updated to `<sha>` / replaced with `<new-action>`>
**Reason:** <compromised action / deprecated action / unpinned reference>
EOF
)" \
--draft
Output a summary of all actions taken:
| Repo | Files Changed | PR Created | Notes |
|---|---|---|---|
| ... | ... | ... | ... |
Remind the user that code search results may have a lag and to verify no repos were missed by checking manually if this is a security incident.
npx claudepluginhub denobotion/ai-plugins --plugin bitwarden-devops-engineerCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.