From bitwarden-devops-engineer
Reference for all Bitwarden workflow linter (bwwl) rules. Covers all 10 linter rules split into two categories: mechanical rules that can be applied automatically (name_capitalized, permissions_exist, pinned_job_runner, step_pinned, underscore_outputs, job_environment_prefix, check_pr_target) and judgment rules requiring user input (name_exists, step_approved, run_actionlint). Use the workflow-audit skill to run the linter and report findings, and the workflow-fix skill to apply fixes. <example> User: What does the step_pinned rule check for? Action: Consult this skill for the rule definition and fix procedure </example> <example> User: How do I fix a permissions_exist finding? Action: Consult this skill for the fix procedure </example>
How this skill is triggered — by the user, by Claude, or both
Slash command
/bitwarden-devops-engineer:bitwarden-workflow-linter-rulesThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**`name_capitalized`**
name_capitalized
name: value does not start with a capital letter.permissions_exist
permissions: key.permissions: {} at the workflow level if all jobs are missing it, or at the individual job level if only some jobs are missing it. Prefer job-level permissions.pinned_job_runner
runs-on: uses an unpinned label.ubuntu-latest → ubuntu-24.04windows-latest → windows-2022macos-latest → macos-14step_pinned
Bitwarden enforces two distinct pinning requirements depending on who owns the action. Steps with no uses: field and local actions (starting with ./) are skipped entirely.
Trigger (internal actions): A uses: reference starting with bitwarden/ is not pinned to @main. Exception: references of the form bitwarden/sm-action[/path]@<any-ref> are compliant at any ref and never trigger this rule.
Trigger (external actions): A uses: reference not starting with bitwarden/ is not pinned to a full 40-character commit SHA, or is missing an inline version comment.
Fix (internal actions):
@main (e.g., bitwarden/gh-actions/azure-login@v1 → bitwarden/gh-actions/azure-login@main)@main is the required and compliant state.Fix (external actions):
gh api repos/{owner}/{repo}/commits/{ref} --jq '.sha'https://github.com/{owner}/{repo}/commit/{sha}) to the user before applying.uses: value with {action}@{sha} and add a comment with the original tag: # {original-ref}uses: actions/checkout@v4 → uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4underscore_outputs
$GITHUB_OUTPUT write or outputs: block uses hyphens or camelCase instead of underscores.job_environment_prefix
SCREAMING_SNAKE_CASE.SCREAMING_SNAKE_CASE and update all usages within the job.check_pr_target
pull_request_target has jobs not restricted to the default branch.if: github.ref == 'refs/heads/<default-branch>'. Determine the repo's default branch rather than assuming main. If the job already has an if: condition, combine with && (e.g., if: <existing-condition> && github.ref == 'refs/heads/<default-branch>').name_exists
name: key entirely.name: key at the correct level with a capitalized value.step_approved
uses: references an action not on the Bitwarden approved actions list.bitwarden/workflow-linter's approved actions config.run_actionlint (complex findings)
actionlint reports an error that is not a simple formatting issue (e.g., type mismatches in expressions, invalid context references, shell script errors).shellcheck style warnings with a clear single-line fix) may be applied automatically.npx claudepluginhub denobotion/ai-plugins --plugin bitwarden-devops-engineerCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.