Generates or audits GitHub Actions workflows with best practices for caching, parallelization, reusability, and security. Two modes: scaffold (generate) and review (audit).
Slash command: `/mthines-agent-skills:github-actions-author [scaffold|review] [<workflow-file>]`

Generate or audit GitHub Actions workflow YAML against 2026 best practices for speed, cost, reusability, and security.

Skill files:
- references/decision-tree.md
- rules/caching.md
- rules/observability.md
- rules/parallelization.md
- rules/reusability.md
- rules/security.md
- rules/triggers-and-concurrency.md
- rules/workflow-anatomy.md
- templates/composite-action.yml.md
- templates/deploy-oidc.yml.md
- templates/node-ci.yml.md
- templates/python-ci.yml.md
- templates/reusable-workflow.yml.md

This SKILL.md is a thin index. Detailed rules live in rules/*.md and load on demand. Drop-in starters live in templates/*.md. The decision tree for picking a shape lives in references/decision-tree.md.
Parse $ARGUMENTS (first token):

| Mode | Default | Trigger |
|---|---|---|
| scaffold | yes | Default. "create", "scaffold", "new workflow", or no token. |
| review | no | "review", "audit", or a path to an existing .github/workflows/* file. |

State the detected mode and target in one line before continuing:

```text
Mode: scaffold
Target: .github/workflows/ci.yml
```
Five phases. Each has a gate; do not proceed until it passes.
| Phase | Name | Rule file | Gate |
|---|---|---|---|
| 0 | Intent + shape | references/decision-tree.md | Trigger, stack, and shape (single / matrix / reusable) confirmed. |
| 1 | Anatomy + triggers | rules/workflow-anatomy.md, rules/triggers-and-concurrency.md | on: block scoped (branches + paths), concurrency set. |
| 2 | Speed (cache + parallel) | rules/caching.md, rules/parallelization.md | Cache key is hashFiles-based with restore-keys; independent jobs run in parallel. |
| 3 | Reusability | rules/reusability.md | Any block used > 1 place is extracted to a composite action or reusable workflow. |
| 4 | Security + errors | rules/security.md, rules/observability.md | Third-party actions SHA-pinned, permissions: minimal, every step named, failures surface a stack-trace path. |
Ask in one batched message:
rules/reusability.md. Repeat the answers back before generating.
Walk each phase using the linked rule file. Each rule is self-contained and includes a decision table plus a good/bad example.
Run the Definition of Done checklist below.
Read the target .yml and produce a structured report — do not mutate unless asked.
Parse the workflow: triggers, jobs, steps, permissions, concurrency.
Measure the run metrics — report each metric when computable; print n/a (<reason>) otherwise (no runs yet, logs expired, no cache steps).

Average run duration over the last 10 completed runs:

```bash
gh run list --workflow <file>.yml --status completed --limit 10 \
  --json startedAt,updatedAt \
  --jq 'map((.updatedAt | fromdate) - (.startedAt | fromdate))
        | add / length | round
        | "\(. / 60 | floor)m\(. % 60)s"'
```

Cache hit rate over the last 10 completed runs — count cache-restore outcomes in the logs (hit rate = Cache restored ÷ total restore attempts; logs older than the retention window return nothing, so report n/a rather than guessing):

```bash
gh run list --workflow <file>.yml --status completed --limit 10 \
  --json databaseId --jq '.[].databaseId' \
  | while read -r id; do
      gh run view "$id" --log 2>/dev/null \
        | grep -hoE 'Cache restored from key|Cache not found'
    done | sort | uniq -c
```
For each rule file in rules/, mark PASS / WARN / FAIL with one line of evidence (line N: <quote>).
End with a prioritised "Top 3 fixes" list — biggest speed / cost / security wins first.
Offer to apply the fixes if the user wants — switch to scaffold mode for that section.
Format:

```text
Workflow: .github/workflows/ci.yml
Lines: 142
Jobs: 4
Average run (last 10): 7m12s # or: n/a (no completed runs)
Cache hit rate (last 10): 30% # or: n/a (logs expired / no cache steps)
Anatomy: PASS
Triggers + concurrency: WARN — no `cancel-in-progress` on PR (line 8)
Caching: FAIL — primary key uses `github.sha`, no `restore-keys` (line 34)
Parallelization: PASS
Reusability: WARN — install-deps duplicated across 3 jobs (lines 28, 71, 94)
Security: FAIL — `actions/checkout@v4` tag-pinned, no SHA (line 22)
Observability: WARN — 4 unnamed steps (lines 31, 45, 68, 102)
Top 3 fixes:
1. Replace `github.sha` cache key with `${{ hashFiles('package-lock.json') }}` + restore-keys (line 34) — expected 60-80% faster on cache hits.
2. SHA-pin every third-party action, comment with the version (line 22, 38, 51).
3. Extract install-deps into `.github/actions/setup-node-deps/action.yml` (composite) — removes 2x 40 LOC duplication.
```
Load on demand — do not preload.
Drop-in starters in templates/:
- node-ci.yml.md — Node.js CI with cache, matrix, parallel jobs.
- python-ci.yml.md — Python CI with pip cache.
- reusable-workflow.yml.md — workflow_call callee + caller.
- composite-action.yml.md — .github/actions/<name>/action.yml.
- deploy-oidc.yml.md — deploy with OIDC, no long-lived secrets.

Key rules:
- node_modules. Use actions/setup-node@<sha> { cache: 'npm' } or actions/cache@<sha> keyed by hashFiles('lockfile') with restore-keys fallback.
- ci.yml, deploy.yml, release.yml, scheduled.yml. Resist the mega-workflow.
- actions/checkout@<40-hex> # v4.2.0.
- GITHUB_TOKEN. Start with permissions: {} at the workflow level; grant per-job. Read-only by default in 2023+ repos — keep it that way.
- concurrency is mandatory. PRs use cancel-in-progress: true; deploys use cancel-in-progress: false. No exceptions.
- run: blocks are unsearchable in logs and unsourceable in failure annotations.

Anti-patterns:
- @main / @latest / unpinned third-party action.
- ${{ github.sha }}.
- permissions: write-all (or the default, unset, on a pre-2023 repo).
- jobs: (it can't — that's a workflow).
- cancel-in-progress: true on a deploy workflow.
- on: push: triggering on every branch and every path.
- run: blocks with no name:.
- secrets: map.

A scaffold run is done when:
- on: block is scoped to the relevant branches and paths.
- concurrency is set with the correct cancel-in-progress value for the workflow type.
- permissions: is set at the workflow level (or every job) and lists only what each job actually needs.
- # vX.Y.Z comment.
- hashFiles(<lockfile>) and includes runner.os (plus matrix axes); restore-keys is present.
- needs:.
- name: that reads as a sentence ("Install dependencies", not npm-ci).
- $GITHUB_STEP_SUMMARY.
- id-token: write is set at the job level only.

A review run is done when: