Skill

github-actions

Write secure, optimized GitHub Actions workflows. Security-first approach with performance optimization. Use when: "GitHub Actions", "CI/CD pipeline", "workflow YAML", "deploy pipeline", "automate deployment", "debug workflow", "Actions security"

Install

npx claudepluginhub mikeparcewski/wicked-garden --plugin wicked-garden

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Write production-ready GitHub Actions workflows with security and performance built in.

Supporting Assets

refs/security.mdrefs/templates.mdrefs/troubleshooting.mdscripts/workflow_gen.py

SKILL.md

Similar Skills

kotlin-ktor-patterns

Provides Ktor server patterns for routing DSL, plugins (auth, CORS, serialization), Koin DI, WebSockets, services, and testApplication testing.

everything-claude-code

163.2k

deep-research

Conducts multi-source web research with firecrawl and exa MCPs: searches, scrapes pages, synthesizes cited reports. For deep dives, competitive analysis, tech evaluations, or due diligence.

everything-claude-code

163.2k

inventory-demand-planning

Provides demand forecasting, safety stock optimization, replenishment planning, and promotional lift estimation for multi-location retailers managing 300-800 SKUs.

everything-claude-code

163.2k

Stats

Stars8

Forks1

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

GitHub Actions Workflow Writing

Write production-ready GitHub Actions workflows with security and performance built in.

When to Use

Creating new CI/CD workflows
Optimizing slow or expensive workflows
Adding deployment pipelines
Security scanning and compliance
Debugging workflow issues

Security-First Principles

Every workflow should follow these rules:

1. Explicit Permissions

# ALWAYS declare permissions explicitly
permissions:
  contents: read  # Minimum needed

# NEVER use write-all or leave permissions implicit

2. Pin Action Versions

# Good - pinned to SHA
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0

# Acceptable - pinned to major version
uses: actions/checkout@v4

# Bad - unpinned
uses: actions/checkout@main

3. Sanitize Inputs

# NEVER interpolate untrusted input directly
run: echo "${{ github.event.issue.title }}"  # DANGEROUS

# Use environment variables instead
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"  # Safe

Core Patterns

Minimal CI

name: CI
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - run: npm test

Multi-Environment Deploy

jobs:
  deploy-staging:
    environment: staging
    # ...
  deploy-production:
    needs: deploy-staging
    environment: production
    # Requires approval in GitHub settings

OIDC for Cloud (No Secrets!)

permissions:
  id-token: write  # Required for OIDC
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789:role/github-actions
      aws-region: us-east-1

Performance Optimization

1. Caching

# Node.js (built into setup-node)
- uses: actions/setup-node@v4
  with:
    cache: 'npm'

# Python
- uses: actions/setup-python@v5
  with:
    cache: 'pip'

# Custom cache
- uses: actions/cache@v4
  with:
    path: ~/.cache/my-tool
    key: ${{ runner.os }}-my-tool-${{ hashFiles('**/lockfile') }}

2. Concurrency Control

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true  # Cancel stale runs

3. Path Filtering

on:
  push:
    paths:
      - 'src/**'
      - 'package.json'
    paths-ignore:
      - '**.md'
      - 'docs/**'

4. Matrix Strategy

strategy:
  matrix:
    node: [18, 20, 22]
    os: [ubuntu-latest, windows-latest]
  fail-fast: false  # Don't cancel others on failure

Common Mistakes

Mistake	Fix
No timeout	Add `timeout-minutes: 15`
No concurrency	Add concurrency group
Implicit permissions	Declare explicitly
`pull_request_target` misuse	Use `pull_request` unless you need write access
Unpinned actions	Pin to SHA or major version
Direct input interpolation	Use env vars

Workflow Generation

When generating workflows, follow this checklist:

Detect stack - Check for package.json, requirements.txt, Cargo.toml, etc.
Set permissions - Start with contents: read, add only what's needed
Add caching - Use built-in cache options when available
Set timeout - Default 10-15 min for CI, 30 for deploys
Add concurrency - Cancel stale runs
Document secrets - Comment required secrets at top

References

refs/security.md - Detailed security practices
refs/templates.md - Copy-paste templates
refs/troubleshooting.md - Common errors and fixes