From shipshitdev-library
Authors, reviews, and hardens GitHub Actions workflows with secure triggers, least-privilege permissions, and current action versions. Validates against official documentation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/shipshitdev-library:github-actions-authorThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Inputs:
Inputs:
Outputs:
Creates/Modifies:
.github/workflows/*.ymlExternal Side Effects:
Confirmation Required:
Delegates To:
testing-cicd-init for first-pass TypeScript test infrastructuregh-fix-ci when a workflow is failing on a PRgit-safety when workflows touch credentials, tokens, or publish stepsDiscover existing CI shape:
find .github/workflows -maxdepth 1 -type f 2>/dev/null
gh workflow list
git status -sb
Read relevant local context:
package.json, lockfiles, workspace config, test scriptsGround version-sensitive choices in official GitHub docs:
GITHUB_TOKEN permissionspull_request vs pull_request_targetCheck action versions before adding or bumping common actions:
gh release view --repo actions/checkout --json tagName --jq '.tagName'
gh release view --repo actions/setup-node --json tagName --jq '.tagName'
gh release view --repo oven-sh/setup-bun --json tagName --jq '.tagName'
Author with safe defaults:
contents: read.pull_request for untrusted code. Use pull_request_target only for
metadata/comment workflows that do not check out or execute fork code.concurrency for expensive or deploy workflows.Validate locally when possible:
git diff -- .github/workflows
gh workflow view <workflow-name-or-id> --yaml
Run actionlint if already installed. Do not install new global tools unless
the user asks.
Final output:
npx claudepluginhub shipshitdev/skills --plugin writing-plansCreates, audits, and optimizes GitHub Actions workflows for CI/CD, matrix builds, reusable workflows, composite actions, caching, and security hardening like pinning and permissions.
Create, evaluate, and optimize GitHub Actions workflows and custom actions for CI/CD pipelines, troubleshooting, security analysis, performance tuning. Covers Ruby/Rails, TypeScript/Node.js, Heroku, Fly.io deployments.
Hardens GitHub Actions workflows against supply chain attacks, credential theft, and privilege escalation with SHA pinning, token minimization, script injection prevention, and required reviewers for changes.