From tartinerlabs
Creates and audits GitHub Actions CI/CD workflows for SHA pinning, permissions, concurrency, caching, node versions, and triggers in JS/TS, Python, Go, Rust, Ruby projects.
```
npx claudepluginhub tartinerlabs/skills --plugin tartinerlabs
```
Determine the mode based on context:
- Create: `.github/workflows/` directory exists, or the user explicitly asks to create/add a workflow
- Audit: `.github/workflows/*.yml` files exist, or the user explicitly asks to audit/review/fix workflows

Scan for project indicators:

- `package.json` → Node.js/JS/TS
- `go.mod` → Go
- `requirements.txt` / `pyproject.toml` / `setup.py` → Python
- `Cargo.toml` → Rust
- `Gemfile` → Ruby
- `pnpm-lock.yaml` → pnpm
- `bun.lock` / `bun.lockb` → bun
- `yarn.lock` → yarn
- `package-lock.json` → npm

Apply all rules from the `rules/` directory when generating workflows. Read each rule file for detailed requirements and examples.
Adapt this CI template to the detected project type and package manager (replace `<pm>` with the detected package manager):

```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
# Least-privilege token: the workflow only needs to read the repository.
permissions:
  contents: read
# One run per ref; a newer push cancels the in-progress run for the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      # Per rules/action-pinning.md, replace these version tags with full commit SHAs.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build
```
Read all files in `.github/workflows/*.yml`, audit them against every rule in the `rules/` directory, and report the findings in this format:

```markdown
## GitHub Actions Audit Results
### HIGH Severity
- `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA
### MEDIUM Severity
- `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block
### Summary
- High: X
- Medium: Y
- Low: Z
- Files scanned: N
```
After reporting, apply fixes. Look up commit SHAs for pinning using gh api.
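As an added example (not the skill's own code, whose checks live in its `rules/` files), the following Python script implements the audit-and-fix loop described above for three of the rules: it flags `uses:` references that are not 40-hex commit SHAs (HIGH), a missing `permissions:` block (HIGH) and a missing `concurrency:` block (MEDIUM), renders the findings in the report layout shown above, and then rewrites the unpinned references to SHAs while keeping the original tag as a trailing comment. It scans the YAML line by line with regular expressions rather than parsing it, so local (`./path`) and `docker://` actions, which carry no `@ref`, are skipped. The `gh api repos/{owner}/{repo}/commits/{ref} --jq .sha` lookup is my assumption about how to use `gh api` for this; the sample workflow and the all-`a`/`b`/`c` SHAs are constructed so the example runs offline.

```python
import re
import subprocess
from typing import Callable, List, Tuple

Finding = Tuple[str, str, str]  # (severity, location, message)

# Matches "- uses: owner/repo[/subpath]@ref" (step actions and reusable workflows).
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>\S+)(?P<rest>.*)$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(path: str, text: str) -> List[Finding]:
    """Audit one workflow file for the pinning, permissions and concurrency rules."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for n, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        # A tag or branch ref is mutable; only a full commit SHA counts as pinned.
        if m and not SHA_RE.match(m.group('ref')):
            findings.append(('HIGH', f'{path}:{n}',
                             f'`{m.group("action")}@{m.group("ref")}` → pin to commit SHA'))
    if not any(re.match(r'^\s*permissions:', l) for l in lines):
        findings.append(('HIGH', path, 'No permissions block → add `permissions: contents: read`'))
    if not any(re.match(r'^\s*concurrency:', l) for l in lines):
        findings.append(('MEDIUM', path, 'Missing concurrency group → add concurrency block'))
    return findings


def format_report(findings: List[Finding], files_scanned: int) -> str:
    """Render findings in the Markdown report layout the skill uses."""
    counts = {'HIGH': 0, 'MEDIUM': 0, 'LOW': 0}
    out = ['## GitHub Actions Audit Results']
    for sev in ('HIGH', 'MEDIUM', 'LOW'):
        items = [f for f in findings if f[0] == sev]
        counts[sev] = len(items)
        if items:
            out.append(f'### {sev} Severity')
            out.extend(f'- `{loc}` - {msg}' for _, loc, msg in items)
    out += ['### Summary', f'- High: {counts["HIGH"]}', f'- Medium: {counts["MEDIUM"]}',
            f'- Low: {counts["LOW"]}', f'- Files scanned: {files_scanned}']
    return '\n'.join(out) + '\n'


def pin_actions(text: str, resolve_sha: Callable[[str, str], str]) -> str:
    """Rewrite tag/branch refs to commit SHAs, keeping the readable ref as a comment."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group('ref')):
            sha = resolve_sha(m.group('action'), m.group('ref'))
            rest = m.group('rest').rstrip()
            # Do not add a second comment if the line already carries one.
            comment = rest if rest.lstrip().startswith('#') else f'{rest}  # {m.group("ref")}'
            line = f'{m.group("indent")}{m.group("action")}@{sha}{comment}'
        out.append(line)
    return '\n'.join(out) + '\n'


def gh_resolve_sha(action: str, ref: str) -> str:
    """Resolve a tag or branch to its commit SHA via the GitHub CLI (needs network and `gh auth`).
    Assumed invocation: gh api repos/{owner}/{repo}/commits/{ref} --jq .sha"""
    owner, repo = action.split('/')[:2]  # drop any sub-path such as codeql-action/init
    return subprocess.run(
        ['gh', 'api', f'repos/{owner}/{repo}/commits/{ref}', '--jq', '.sha'],
        check=True, capture_output=True, text=True).stdout.strip()


# Constructed sample workflow: unpinned actions, no permissions, no concurrency.
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - uses: codecov/codecov-action@v4
      - uses: ./.github/actions/local
      - run: npm test
"""

# Constructed stand-in for gh_resolve_sha so the example runs offline; these SHAs are fake.
FAKE_SHAS = {('actions/checkout', 'v4'): 'a' * 40,
             ('actions/setup-node', 'v4'): 'b' * 40,
             ('codecov/codecov-action', 'v4'): 'c' * 40}


def fake_resolve_sha(action: str, ref: str) -> str:
    return FAKE_SHAS[(action, ref)]


if __name__ == '__main__':
    found = audit_workflow('.github/workflows/ci.yml', SAMPLE_WORKFLOW)
    print(format_report(found, files_scanned=1))
    print(pin_actions(SAMPLE_WORKFLOW, fake_resolve_sha))
```

Run against a real repository, swap `fake_resolve_sha` for `gh_resolve_sha` and re-run `audit_workflow` on the rewritten text: the pinning findings should disappear, leaving only the structural ones (permissions, concurrency) that need a manual block added.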
Read individual rule files for detailed checks and examples:
| Rule | Severity | File |
|---|---|---|
| Action pinning | HIGH | rules/action-pinning.md |
| Permissions | HIGH | rules/permissions.md |
| Concurrency | MEDIUM | rules/concurrency.md |
| Node version | MEDIUM | rules/node-version.md |
| Caching | MEDIUM | rules/caching.md |
| Triggers | LOW | rules/triggers.md |
| Matrix strategy | LOW | rules/matrix.md |
The GitHub CLI (`gh`) is available for looking up action commit SHAs.