Guides CI/CD pipeline architecture, security hardening, and deployment strategies for GitHub Actions. Use when designing workflows, securing supply chains, optimizing build performance, configuring deployments, managing infrastructure as code pipelines, or setting up pipeline observability.
Install:

```
/plugin marketplace add rileyhilliard/claude-essentials
/plugin install ce@claude-essentials
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.

Decision guidance for GitHub Actions CI/CD pipelines, deployment strategies, and infrastructure automation.

Reference files:
- references/deployment-strategies.md
- references/infrastructure-pipelines.md
- references/performance-optimization.md
- references/pipeline-observability.md
- references/security-hardening.md
- references/workflow-architecture.md

## When to use which reference
| Scenario | Reference | Why |
|---|---|---|
| Hardening against supply chain attacks | Security | SHA pinning, permissions, OIDC |
| Speeding up slow CI builds | Performance | Caching, matrix builds, concurrency |
| DRY-ing up duplicated workflow YAML | Workflow architecture | Reusable workflows vs composite actions |
| Setting up staging/production deploys | Deployment | Environment promotion, protection rules |
| Adding Terraform/OpenTofu to CI | Infrastructure | Plan-on-PR, apply-on-merge, drift detection |
| Tracking pipeline reliability | Observability | OTel, DORA metrics, SLOs |
| Reviewing a PR that modifies workflows | Security + Workflow | Permissions audit, secret exposure review |
| Debugging flaky pipelines | Observability + Performance | Metrics, cache hit rates, concurrency |
| Migrating from Jenkins/CircleCI | Workflow architecture | Action patterns, reusable workflow design |
| Setting up monorepo CI | Performance | Path filtering, selective job execution |
## Security

Use for: Preventing supply chain attacks, minimizing credential exposure, hardening runner environments.

Key decisions:
- Pin third-party actions to a full commit SHA rather than a tag or branch, since tags and branches can be moved after review
- Declare least-privilege `permissions` per job instead of relying on the workflow or repository default
- Prefer OIDC-issued short-lived credentials over stored long-lived secrets
- Do not use `pull_request_target` without understanding its security model: it runs in the base repository's context with access to secrets and a write-capable token, while the pull request content it processes is untrusted

See references/security-hardening.md for attack patterns and mitigations.
## Performance

Use for: Reducing CI times, optimizing runner costs, parallelizing builds.

Key decisions:
- Dependency caching (… node_modules)
- `fail-fast: false` for CI matrices so every configuration reports, `true` for deployment so a failing step stops the rollout
- `cancel-in-progress: true` for CI so superseded runs are abandoned, `false` for deploys so a rollout is never interrupted mid-way

See references/performance-optimization.md for caching strategies and runner selection.
## Workflow architecture

Use for: Structuring reusable CI/CD components, managing action dependencies.

Key decisions:
- Reusable workflows versus composite actions for shared logic
- Pass each secret a called workflow needs by name; avoid `secrets: inherit`, which forwards every secret the caller holds

See references/workflow-architecture.md for patterns and versioning.
## Deployment

Use for: Environment promotion, deployment gates, progressive delivery.

Key decisions: the promotion order between environments and the protection rules that gate each step. See references/deployment-strategies.md for promotion patterns and rollback strategies.
## Infrastructure

Use for: Terraform/OpenTofu pipelines, drift detection, policy enforcement.

Key decisions:
- Plan on PR, apply on merge; save the reviewed plan with `plan -out` and apply that file, so what runs is exactly what was reviewed
- Scheduled drift detection against the applied state

See references/infrastructure-pipelines.md for IaC workflow patterns.
## Observability

Use for: Pipeline reliability tracking, incident response, capacity planning.

Key decisions: which signals to export (OTel traces, DORA metrics) and which SLOs to track against them. See references/pipeline-observability.md for instrumentation and metrics.
## Workflow file naming

| Convention | Example | When |
|---|---|---|
| Trigger-based prefix | ci-test.yml, ci-lint.yml | CI workflows |
| Deploy prefix | deploy-staging.yml, deploy-prod.yml | Deployment workflows |
| Scheduled prefix | scheduled-drift.yml, scheduled-cleanup.yml | Cron jobs |
| Reusable prefix | _reusable-build.yml | Shared workflow templates |
## Permissions

| Principle | Pattern |
|---|---|
| Default to read-only | Set at org/repo level, override per-job |
| Scope per job, not workflow | Each job declares only what it needs |
| OIDC over stored secrets | Short-lived tokens scoped to repo+branch+env |
| Explicit secret passing | Name each secret, avoid secrets: inherit |
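As an added example (not part of this skill or its reference files), the following Python script scans a workflow file for the issues the Security section and the permissions table above call out: action refs that are not pinned to a commit SHA, a missing top-level `permissions` block, `permissions: write-all`, a `pull_request_target` trigger, `secrets: inherit`, and static AWS keys passed where OIDC should be used. It is a line-oriented heuristic rather than a YAML parser, the rule names are mine, and both workflows are constructed samples whose 40-hex SHAs and role ARN are placeholders, not real values.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# A ref is immutable only if it is a full 40-hex commit SHA; tags and branches can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"]+)")
PR_TARGET_RE = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|^on:\s*\[.*\bpull_request_target\b")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")
# Heuristic (assumption): static AWS keys passed as action inputs; OIDC uses role-to-assume instead.
STATIC_AWS_KEY_RE = re.compile(r"^\s*aws-(?:secret-)?access-key(?:-id)?:")


@dataclass
class Finding:
    line: int  # 1-based; 0 marks a file-level finding
    rule: str
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Line-oriented scan of one workflow file; findings come back in line order."""
    out: list[Finding] = []
    has_top_level_permissions = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if line.startswith("permissions:"):  # column 0 means workflow-level key
            has_top_level_permissions = True
        if WRITE_ALL_RE.match(line):
            out.append(Finding(n, "permissions-write-all", "grants every scope; declare per job instead"))
        if PR_TARGET_RE.match(line):
            out.append(Finding(n, "pull-request-target", "base-repo secrets and write token vs untrusted PR input"))
        if SECRETS_INHERIT_RE.match(line):
            out.append(Finding(n, "secrets-inherit", "forwards every secret; pass the needed ones by name"))
        if STATIC_AWS_KEY_RE.match(line):
            out.append(Finding(n, "long-lived-cloud-credential", "prefer OIDC: id-token: write plus role-to-assume"))
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):  # local paths and images are not tag-pinned
            ref = m.group(1)
            _, sep, version = ref.rpartition("@")
            if not (sep and SHA_RE.match(version)):
                out.append(Finding(n, "unpinned-action", f"{ref}: not pinned to a 40-hex commit SHA"))
    if not has_top_level_permissions:
        out.append(Finding(0, "no-top-level-permissions", "set `permissions: {}` (or read-only) at the top, widen per job"))
    return out


# Constructed sample: the weak form of a CI plus deploy workflow.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/lint-action@main
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  build:
    uses: ./.github/workflows/_reusable-build.yml
    secrets: inherit
"""

# Constructed hardened form. The SHAs and the role ARN are placeholders, not real values.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567  # v1 (placeholder SHA)
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy  # placeholder ARN
          aws-region: us-east-1
  build:
    uses: ./.github/workflows/_reusable-build.yml
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for f in audit_workflow(WEAK_WORKFLOW):
        print(f"L{f.line} {f.rule}: {f.detail}")
```

Run against the weak sample it reports three unpinned actions, the `pull_request_target` trigger, the `secrets: inherit` forward, both static AWS key inputs and the missing top-level `permissions`; the hardened sample produces no findings. The hardened form is the permissions table applied literally: `permissions: {}` at the top is the read-only default, each job widens only what it needs, and `id-token: write` is the single scope OIDC federation requires so the deploy job can assume a role instead of holding stored keys.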
## Branch protection

| Rule | CI workflows | Deploy workflows |
|---|---|---|
| Required status checks | Yes | Yes |
| Require PR reviews | Yes | Yes (production) |
| Dismiss stale reviews | Yes | Yes |
| Restrict pushes | Optional | Yes (main/release branches) |
## Workflow PR review checklist

- `pull_request_target` usage (see the condition-based-waiting skill)