From kagents
GitHub Actions workflow patterns — reusable workflows, composite actions, GitHub App Token, least-privilege permissions, matrix builds, caching, Quality Gate pipelines, pwsh shell. USE FOR: creating CI/CD workflows, optimizing pipeline structure, implementing GitHub Actions best practices. DO NOT USE FOR: analyzing failed workflow runs (use github-actions-debugging) or release branching strategy (use releaseflow-domain).
npx claudepluginhub grexyloco/k.agents
```yaml
# Can be used as a workflow_call AND directly as a pull_request workflow
on:
  pull_request:
    branches: [master, main, 'dev/v*', 'release/v*']
    paths-ignore: ['**/*.md', 'examples/**']
  workflow_call:
    outputs:
      quality-success:
        description: "Quality Gate passed"
        value: ${{ jobs.quality-gate.outputs.quality-success }}
```
```yaml
- name: Generate App Token
  id: app-token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ vars.RELEASEFLOW_APP_ID }}
    private-key: ${{ secrets.RELEASEFLOW_APP_PRIVATE_KEY }}
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
    fetch-tags: true
    token: ${{ steps.app-token.outputs.token }}
```
Why an App Token instead of a PAT:
- Pushes made with it trigger `on: push` workflows (which the default `GITHUB_TOKEN` does not)

```yaml
jobs:
  quality-gate:
    runs-on: ${{ vars.UBUNTU_VERSION || 'ubuntu-24.04' }}
    outputs:
      quality-success: ${{ steps.evaluate.outputs.quality-success }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # 1. Security (GitLeaks)
      # 2. Structure validation
      # 3. Lint (PSScriptAnalyzer)
      # 4. Tests (Pester)
      # 5. Evaluation (aggregated)
      # 6. Summary
  release:
    needs: quality-gate
    if: needs.quality-gate.outputs.quality-success == 'true'
    # ...
```
```yaml
runs-on: ${{ vars.UBUNTU_VERSION || 'ubuntu-24.04' }}
permissions:
  contents: read
  actions: read
  pull-requests: read
```
Only grant `write` when the job actually writes (tags, PRs, commits).
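A caller workflow that ties the patterns above together, added here as an example that is not part of the skill: the reusable quality-gate workflow is consumed via `workflow_call`, its string output gates the release job, the top-level `permissions` block is read-only and only the release job opts into `contents: write`, and the App token is generated in that job so the tag push triggers downstream `on: push` workflows. The reusable workflow path `.github/workflows/quality-gate.yml` and the helper script `New-ReleaseTag.ps1` are assumptions; the variable and secret names come from the snippets above.

```yaml
name: Release Pipeline

on:
  pull_request:
    types: [closed]
    branches: [main]
  workflow_dispatch:

# Default for every job: read-only. Jobs that need to write opt in individually.
permissions:
  contents: read

jobs:
  quality:
    # Reusable workflow from the same repository (path is an assumption)
    uses: ./.github/workflows/quality-gate.yml
    # Caller can only narrow permissions for a reusable workflow, never widen them
    permissions:
      contents: read
      actions: read
      pull-requests: read
    secrets: inherit

  release:
    needs: quality
    # Job outputs are strings, so compare against 'true', not a boolean
    if: |
      needs.quality.outputs.quality-success == 'true' &&
      (
        github.event.pull_request.merged == true ||
        github.event_name == 'workflow_dispatch'
      )
    runs-on: ubuntu-24.04
    # The only job allowed to write, and only the scope it needs (tags)
    permissions:
      contents: write
    steps:
      - name: Generate App Token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.RELEASEFLOW_APP_ID }}
          private-key: ${{ secrets.RELEASEFLOW_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true
          token: ${{ steps.app-token.outputs.token }}

      - name: Tag release
        shell: pwsh
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          $ErrorActionPreference = 'Stop'
          # Hypothetical helper script (not part of the skill): creates and pushes
          # the release tag. Pushing with the App token, not GITHUB_TOKEN, is what
          # lets an on: push workflow react to the new tag.
          & "./.github/scripts/New-ReleaseTag.ps1"
```

The `permissions` block on the `quality` job is redundant with the top-level default here; it is spelled out because a reusable workflow inherits the caller's token scopes, so stating them makes the audit trail explicit.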
```yaml
- name: Run Script
  shell: pwsh   # NOT 'powershell'!
  run: |
    $ErrorActionPreference = 'Stop'
    & "./.github/scripts/Run-PesterTests.ps1"
```
Complex logic does not belong inline in the YAML; move it into `.github/scripts/`:
```yaml
- name: Evaluate Quality Gate
  id: evaluate
  shell: pwsh
  run: |
    & "./.github/scripts/Invoke-QualityGateEvaluation.ps1" `
      -GitLeaksOutcome '${{ steps.gitleaks.outcome }}' `
      -LintSuccess '${{ steps.lint.outputs.analysis-success }}'
    if ($env:GITHUB_OUTPUT) {
      "quality-success=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
    }
```
```yaml
release:
  if: |
    (
      github.event.pull_request.merged == true &&
      startsWith(github.head_ref, 'release/v')
    ) || github.event_name == 'workflow_dispatch'
```
```yaml
update-badges:
  needs: [quality-gate, release]
  if: always()              # Update badges even if the release failed
  continue-on-error: true   # Must not block the pipeline
```
```yaml
strategy:
  matrix:
    os: [ubuntu-latest, windows-latest, macos-latest]
  fail-fast: false
runs-on: ${{ matrix.os }}
```
```yaml
- uses: actions/cache@v4
  with:
    path: ~/.nuget/packages
    key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
    restore-keys: ${{ runner.os }}-nuget-
```
- Always set the `permissions:` block explicitly
- Mask values derived from secrets before they can reach the log: `::add-mask::${{ secrets.TOKEN }}`
- Avoid `pull_request_target` combined with a checkout of the PR branch: the PR author's code then runs in the base repository's context, with its secrets and token scopes
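The weak `pull_request_target` pattern next to a hardened form, added here as an example that is not part of the skill. Both are shown as separate workflow files back to back (separated by `---`); the job name and the `npm ci && npm test` build step are constructed stand-ins for any project.

```yaml
# WEAK: pull_request_target runs in the context of the base branch, so the
# explicit write scopes and the repository secrets are available while the
# checked-out code is the untrusted PR head from a fork.
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  test:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm test   # install scripts and tests run with write token + secrets
---
# HARDENED: build and test untrusted code under pull_request, where fork PRs get
# a read-only GITHUB_TOKEN and no repository secrets; the permissions block is
# still set explicitly so the read-only scope does not depend on repo defaults.
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit, no write token needed
      - run: npm ci && npm test
```

If a workflow genuinely needs `pull_request_target` (for example to label or comment on PRs), keep it to steps that never check out or execute the PR's code, and give it only the `pull-requests: write` scope those steps use.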