This skill should be used when the user asks to "set up CI", "configure GitHub Actions", "create a workflow", "pin actions", "use ratchet", "set up Claude code review", "configure AWS OIDC", "deploy with tickforge", or mentions GitHub Actions, CI/CD pipelines, or workflow security. It provides Uptick's security-first GitHub Actions patterns for CI/CD: reusable workflows and action pinning with Ratchet.
/plugin marketplace add uptick/claude-marketplace
/plugin install uptick-gha-patterns@uptick-claude-code-plugins
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Bundled files:
examples/ci-docker-tickforge.yaml
examples/ci-python-uv.yaml
references/ratchet-guide.md
references/uptick-workflows.md
This skill provides guidance for GitHub Actions following Uptick's security-first patterns from uptick/actions.
Avoid external action dependencies where possible. A third-party action runs inside the job with the same access to secrets and the GITHUB_TOKEN as your own steps, so a compromised or retargeted action can exfiltrate credentials. Implement functionality through Python and bash scripts using built-in libraries only.
Use reusable workflows to ensure consistency across the organization. Make it easy to do the right thing and easy to update all pipelines.
Pin all actions to a commit SHA for immutability using Ratchet. Tags and branches are mutable and can be moved to different code after review; a full commit SHA cannot:
# Install ratchet
go install github.com/sethvargo/ratchet@latest
# Pin all actions in workflows
ratchet pin .github/workflows/*.yaml
# Update pinned versions to latest
ratchet update .github/workflows/*.yaml
Pinned format:
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
Excluding reusable workflows: add # ratchet:exclude to references to Uptick reusable workflows so Ratchet leaves them unpinned (they are maintained centrally). Because @main is a mutable ref, this trades immutability for central updates and is acceptable only for workflows under the organization's own control:
uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
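As an added check (example script, not part of Ratchet or uptick/actions), the following POSIX shell function scans workflow files and reports every uses: reference that is not pinned to a 40-hex commit SHA, honouring the # ratchet:exclude marker and skipping local (./) and docker:// references, which have no git ref to pin. Ratchet's own ratchet check covers the files it manages; this is a dependency-free equivalent that fits a pre-commit hook. The sample workflow written by demo_check is constructed for the demonstration, and some-org/some-workflow is a hypothetical reference.

```shell
#!/bin/sh
# Added example, not part of ratchet or uptick/actions: report every `uses:` reference
# in GitHub Actions workflow files that is not pinned to a 40-hex commit SHA.
# Lines carrying "# ratchet:exclude" are skipped, as are local (./) and docker://
# references, which have no git ref to pin.

# unpinned_uses FILE...: prints "file:line: ref" for each offender; returns 1 if any found
unpinned_uses() {
  status=0
  for f in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      # Only step-level ("- uses:") and job-level ("uses:") keys are of interest
      printf '%s\n' "$line" | grep -Eq '^[[:space:]]*(-[[:space:]]+)?uses:' || continue
      case "$line" in *'# ratchet:exclude'*) continue ;; esac
      # Strip the key, any trailing comment, and surrounding quotes to get the bare ref
      ref=$(printf '%s\n' "$line" \
        | sed -e 's/^.*uses:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
              -e "s/^['\"]//" -e "s/['\"]\$//")
      case "$ref" in ./*|docker://*) continue ;; esac
      # The part after the last "@" must be a full commit SHA
      sha=${ref##*@}
      if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        printf '%s:%s: %s\n' "$f" "$n" "$ref"
        status=1
      fi
    done < "$f"
  done
  return "$status"
}

# demo_check: write a constructed sample workflow to a temp dir and run the check on it.
# Two references (actions/setup-python@v5 and the hypothetical some-org workflow at
# @main) are deliberately unpinned, so this returns 1 and prints both.
demo_check() {
  dir=$(mktemp -d) || return 2
  cat > "$dir/ci.yaml" <<'EOF'
name: CI
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
  reusable:
    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
  floating:
    uses: some-org/some-workflow/.github/workflows/ci.yaml@main
EOF
  unpinned_uses "$dir/ci.yaml"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo_check || printf 'unpinned references found (exit status %s)\n' "$?"
```

Run it as unpinned_uses .github/workflows/*.yaml in a pre-commit hook or a CI step; a non-zero exit blocks the commit. Note that the script only checks the ref that follows @; it does not verify that the SHA belongs to the repository named before it, which is what the ratchet: comment records for human review.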
ci.yaml: the "God CI Pipeline", supporting 90% of standard use cases:
name: CI
on: [push, pull_request]
jobs:
  ci:
    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
    with:
      python: true
      uv: true
      mise: true
      aws: true
      command: "mise run ci"
    secrets: inherit
Key features:
See references/uptick-workflows.md for complete input options.
claude_review.yaml: automated code review on pull requests:
name: Claude Review
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
jobs:
  review:
    uses: uptick/actions/.github/workflows/claude_review.yaml@main # ratchet:exclude
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Reviews focus on: code quality, security vulnerabilities, performance, test coverage.
claude_mention.yaml: interactive AI assistant triggered by @claude mentions:
name: Claude Mention
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
jobs:
  mention:
    uses: uptick/actions/.github/workflows/claude_mention.yaml@main # ratchet:exclude
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Never use long-lived AWS credentials (no access keys stored as repository secrets). Configure OIDC so the job exchanges its short-lived GitHub-issued token for temporary role credentials:
with:
  aws: true
  aws-region: ap-southeast-2
  aws-iam-role-arn: arn:aws:iam::ACCOUNT:role/github-actions-role
The role's trust policy must restrict the token's sub claim to the repository (and branch or environment) allowed to assume it, and its aud claim to sts.amazonaws.com; a trust policy that checks only the issuer lets any GitHub repository assume the role.
Use mise for consistent task execution:
with:
  mise: true
  command: "mise run test"
Common mise tasks in mise.toml:
[tasks.ci]
run = "mise run lint && mise run test"
[tasks.test]
run = "uv run pytest"
[tasks.lint]
run = "uv run ruff check ."
Build and push Docker images, then trigger Tickforge deployment:
with:
  docker-enabled: true
  docker-repository: ACCOUNT.dkr.ecr.ap-southeast-2.amazonaws.com/my-app
  docker-image-platforms: "linux/amd64,linux/arm64"
  bump-app: my-app # Triggers Tickforge deployment
The bump-app input triggers a deployment bump in Tickforge after the Docker image is pushed.
The CI workflow automatically caches:
When setting up CI for a repository:
Run ratchet pin .github/workflows/*.yaml
Add # ratchet:exclude to uptick/actions references
Prefer uptick/actions over custom workflows
Enable claude_review.yaml for automated PR feedback
For detailed configuration options:
references/uptick-workflows.md - Complete CI workflow inputs and secrets
references/ratchet-guide.md - Ratchet commands and patterns
Working examples in examples/:
ci-python-uv.yaml - Python project with uv and mise
ci-docker-tickforge.yaml - Docker build with Tickforge deployment