cli-tool/components/skills/development/github-actions-creator/SKILL.md
Use when the user wants to create, generate, or set up a GitHub Actions workflow. Handles CI/CD pipelines, testing, deployment, linting, security scanning, release automation, Docker builds, scheduled tasks, and any custom workflow for any language or framework.
You are an expert at creating GitHub Actions workflows. When the user asks you to create a GitHub Action, follow this structured process to deliver a production-ready workflow file.
Before writing any YAML, scan the project to understand the stack.

Check for language/framework indicators:

- `package.json` → Node.js (check for React, Next.js, Vue, Angular, Svelte, etc.)
- `requirements.txt` / `pyproject.toml` / `setup.py` → Python
- `go.mod` → Go
- `Cargo.toml` → Rust
- `pom.xml` / `build.gradle` → Java/Kotlin
- `Gemfile` → Ruby
- `composer.json` → PHP
- `pubspec.yaml` → Dart/Flutter
- `Package.swift` → Swift
- `*.csproj` / `*.sln` → .NET

Check for existing CI/CD:

- `.github/workflows/` → existing workflows (avoid conflicts)
- `Dockerfile` → container builds available
- `docker-compose.yml` → multi-service setup
- `vercel.json` / `netlify.toml` → deployment targets
- `terraform/` / `pulumi/` → infrastructure as code

Check for tooling:

- `.eslintrc*` / `eslint.config.*` → ESLint configured
- `prettier*` → Prettier configured
- `jest.config*` / `vitest.config*` / `pytest.ini` → test framework
- `.env.example` → environment variables needed
- `Makefile` → build commands available

If the user's request is ambiguous, ask ONE focused question. Common clarifications:
If the intent is clear, skip this step and proceed.
Create the .github/workflows/{name}.yml file following these rules:
Naming: use names like `ci.yml`, `deploy-production.yml`, `release.yml`. Continuous integration → `ci.yml`; deployment → `deploy.yml` or `deploy-{target}.yml`; scheduled tasks → `scheduled-{task}.yml`.

Template:

```yaml
name: Human-readable name  # Always include

on:  # Use the most specific triggers
  push:
    branches: [main]  # Specify branches explicitly
    paths-ignore:  # Skip docs-only changes when appropriate
      - '**.md'
      - 'docs/**'
  pull_request:
    branches: [main]

permissions:  # Always set minimal permissions
  contents: read

concurrency:  # Prevent duplicate runs on PRs
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  job-name:
    runs-on: ubuntu-latest  # Default to ubuntu-latest
    timeout-minutes: 15  # Always set a timeout
    steps:
      - uses: actions/checkout@v4  # Always pin to major version
```
CI workflow:

- Trigger: pull_request + push to main
- Jobs: lint, test (parallel when possible)
- Key features: dependency caching, matrix testing for multiple versions

Deployment workflow:

- Trigger: push to main (or release tags)
- Jobs: test → build → deploy (sequential with needs)
- Key features: environment protection, secrets for credentials, status checks

Release workflow:

- Trigger: push tags matching v* or workflow_dispatch
- Jobs: test → build → publish → create GitHub Release
- Key features: changelog generation, artifact upload, npm/PyPI/Docker publish

Scheduled workflow:

- Trigger: schedule with cron expression
- Jobs: single job with the task
- Key features: workflow_dispatch for manual trigger too, failure notifications

Security scanning workflow:

- Trigger: pull_request + schedule (weekly)
- Jobs: dependency audit, SAST, secret scanning
- Key features: SARIF upload to GitHub Security tab, fail on critical

Docker build workflow:

- Trigger: push to main + tags
- Jobs: build → push to registry
- Key features: multi-platform builds, layer caching, image tagging strategy
Checkout and language setup:

| Action | Purpose |
|--------|---------|
| actions/checkout@v4 | Clone repository |
| actions/setup-node@v4 | Node.js with caching |
| actions/setup-python@v5 | Python with caching |
| actions/setup-go@v5 | Go with caching |
| actions/setup-java@v4 | Java/Kotlin |
| dtolnay/rust-toolchain@stable | Rust toolchain |
| ruby/setup-ruby@v1 | Ruby with bundler cache |
| actions/setup-dotnet@v4 | .NET SDK |

Deployment:

| Action | Purpose |
|--------|---------|
| docker/build-push-action@v6 | Docker multi-platform builds |
| docker/login-action@v3 | Docker registry authentication |
| aws-actions/configure-aws-credentials@v4 | AWS authentication |
| google-github-actions/auth@v2 | GCP authentication |
| azure/login@v2 | Azure authentication |
| cloudflare/wrangler-action@v3 | Cloudflare Workers deploy |
| amondnet/vercel-action@v25 | Vercel deployment |

Security and quality:

| Action | Purpose |
|--------|---------|
| github/codeql-action/analyze@v3 | CodeQL SAST scanning |
| aquasecurity/trivy-action@master | Container vulnerability scan |
| codecov/codecov-action@v4 | Coverage upload |
| actions/dependency-review-action@v4 | Dependency audit on PRs |

Note that `aquasecurity/trivy-action@master` follows a branch rather than a version; the pinning rule in the security practices below applies to it too, so prefer a release tag or a full commit SHA in generated workflows.

Utilities:

| Action | Purpose |
|--------|---------|
| actions/cache@v4 | Generic caching |
| actions/upload-artifact@v4 | Store build artifacts |
| actions/download-artifact@v4 | Retrieve artifacts between jobs |
| softprops/action-gh-release@v2 | Create GitHub Releases |
| slackapi/slack-github-action@v2 | Slack notifications |
| peter-evans/create-pull-request@v7 | Automated PR creation |
Security practices:

- Set `permissions` at the workflow or job level
- Pin action versions: `@v4`, not `@main`; a full commit SHA is the strictest pin, a major version tag the more readable one
- Never `echo ${{ secrets.X }}` (secrets must not reach the job log)
- For `workflow_dispatch`, validate input values
- Never use `${{ github.event.*.body }}` directly in `run:`; pass it via environment variables
- Prefer `${{ secrets.GITHUB_TOKEN }}` over PATs when possible
- Use `concurrency` to prevent parallel deploys

```yaml
# WRONG - script injection vulnerability
- run: echo "${{ github.event.issue.title }}"

# CORRECT - pass through environment variable
- run: echo "$ISSUE_TITLE"
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
```
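The rules above can be checked mechanically before a generated workflow is committed. The following lint is an added example, not part of the skill or of any GitHub tooling; it uses line-based matching rather than a YAML parser so it runs with the standard library only, and the two workflow texts are constructed samples. It flags an expression under `github.event.*` expanded inside a `run:` script, a `uses:` reference pinned to a `main`/`master` branch, a missing top-level `permissions:` block, and jobs without `timeout-minutes`.

```python
"""Hypothetical lint for the hardening rules above (added example, not the skill's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A step's `run:` line: indentation, optional "- " list marker, rest of the line.
RUN_RE = re.compile(r"^(\s*)(- )?run:\s*(.*)$")
# A step's `uses:` line; the reference ends at whitespace or a comment.
USES_RE = re.compile(r"^\s*(?:- )?uses:\s*([^\s#]+)")
# Any github.event.* expression. Inside run: it is expanded into the script text
# before the shell parses it, which is the injection the text above warns about.
EVENT_EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
MOVING_REFS = {"main", "master"}


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number; 0 for whole-file findings
    rule: str
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> list[Finding]:
    """Return rule violations found in a workflow file given as text."""
    lines = text.splitlines()
    findings: list[Finding] = []

    # Top-level keys sit at column 0. Without a permissions block the job's
    # GITHUB_TOKEN gets the repository default instead of a minimal grant.
    top_keys = {ln.split(":", 1)[0] for ln in lines
                if ln and not ln[0].isspace() and not ln.startswith("#") and ":" in ln}
    if "permissions" not in top_keys:
        findings.append(Finding(0, "missing-permissions",
                                "no top-level permissions: block; add a minimal grant"))

    # Every job declares runs-on; each should also declare timeout-minutes.
    jobs = sum(1 for ln in lines if ln.lstrip().startswith("runs-on:"))
    timeouts = sum(1 for ln in lines if ln.lstrip().startswith("timeout-minutes:"))
    if timeouts < jobs:
        findings.append(Finding(0, "missing-timeout",
                                f"{jobs - timeouts} job(s) without timeout-minutes"))

    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m and "@" in m.group(1):
            ref = m.group(1).rsplit("@", 1)[1]
            if ref in MOVING_REFS:
                findings.append(Finding(i + 1, "unpinned-action",
                                        f"{m.group(1)} tracks a branch; pin a version tag or SHA"))
        m = RUN_RE.match(line)
        if m:
            # The script is this line plus every following line indented deeper
            # than the `run` key itself; a sibling key such as `env:` ends it.
            key_col = len(m.group(1)) + len(m.group(2) or "")
            body = [(i, m.group(3))]
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
                body.append((j, lines[j]))
                j += 1
            for idx, script_line in body:
                for expr in EVENT_EXPR_RE.finditer(script_line):
                    findings.append(Finding(idx + 1, "script-injection",
                                            f"{expr.group(0)} expanded inside run:; pass it via env:"))
            i = j
            continue
        i += 1
    return findings


# Constructed sample: an issue-triage workflow that breaks four of the rules.
VULNERABLE_WORKFLOW = """\
name: Triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed sample: the same workflow after applying the rules.
HARDENED_WORKFLOW = """\
name: Triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - run: echo "New issue: $ISSUE_TITLE"
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
"""

if __name__ == "__main__":
    for sample in (VULNERABLE_WORKFLOW, HARDENED_WORKFLOW):
        print([f"{f.rule}@{f.line}: {f.detail}" for f in lint_workflow(sample)] or ["clean"])
```

The hardened sample still contains the `github.event.issue.title` expression, but only under `env:`, where the value arrives in the shell as an ordinary variable rather than as script text; the lint stops collecting the `run:` body at the sibling `env:` key, so it reports nothing there.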
Caching examples:

Node.js:

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: 20
    cache: 'npm'  # or 'yarn' or 'pnpm'
```

Python:

```yaml
- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'  # or 'poetry' or 'pipenv'
```

Go:

```yaml
- uses: actions/setup-go@v5
  with:
    go-version: '1.22'
    cache: true
```

Rust (via actions/cache):

```yaml
- uses: actions/cache@v4
  with:
    path: |
      ~/.cargo/bin/
      ~/.cargo/registry/index/
      ~/.cargo/registry/cache/
      target/
    key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
```

Docker:

```yaml
- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max
```
Matrix examples:

Multiple versions:

```yaml
strategy:
  matrix:
    node-version: [18, 20, 22]
  fail-fast: false
```

Multiple operating systems:

```yaml
strategy:
  matrix:
    os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
```

Combined, with exclusions:

```yaml
strategy:
  matrix:
    os: [ubuntu-latest, windows-latest]
    node-version: [18, 20]
    exclude:
      - os: windows-latest
        node-version: 18
```
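To see how many jobs a matrix actually produces, the following added example expands a `strategy.matrix` the way the runner does: the cartesian product of the axes, minus every combination matched by an `exclude` entry (an entry may name only some axes, and then removes all combinations agreeing on those). This is a hypothetical helper written for this page, not GitHub's implementation, and it does not model `include`; the sample matrix is the combined one above, written as a Python dict.

```python
"""Expand strategy.matrix into concrete jobs (added example, not GitHub's code)."""
from itertools import product


def expand_matrix(matrix: dict) -> list[dict]:
    """Return one dict per job the matrix would schedule.

    Axis keys are every key except `exclude` and `include`; every combination
    of their values is generated, then combinations matching an exclude entry
    on all the keys that entry names are dropped.
    """
    exclude = matrix.get("exclude", [])
    axes = {k: v for k, v in matrix.items() if k not in ("exclude", "include")}
    keys = list(axes)
    combos = [dict(zip(keys, values)) for values in product(*(axes[k] for k in keys))]

    def is_excluded(combo: dict) -> bool:
        # A partial exclude entry matches when every key it names agrees.
        return any(all(combo.get(k) == v for k, v in entry.items()) for entry in exclude)

    return [c for c in combos if not is_excluded(c)]


# Constructed sample mirroring the combined OS/version matrix above.
COMBINED_MATRIX = {
    "os": ["ubuntu-latest", "windows-latest"],
    "node-version": [18, 20],
    "exclude": [{"os": "windows-latest", "node-version": 18}],
}

# Constructed sample: an exclude entry naming only one axis removes a whole row.
OS_ONLY_EXCLUDE = {
    "os": ["ubuntu-latest", "macos-latest", "windows-latest"],
    "node-version": [18, 20, 22],
    "exclude": [{"os": "windows-latest"}],
}

if __name__ == "__main__":
    for job in expand_matrix(COMBINED_MATRIX):
        print(job)
```

With `fail-fast: false` each of these jobs runs to completion independently; with the default `fail-fast: true`, the first failing job cancels the remaining ones, so a single flaky combination can hide results for the others.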
| Schedule | Cron |
|----------|------|
| Every hour | `0 * * * *` |
| Daily at midnight UTC | `0 0 * * *` |
| Weekdays at 9am UTC | `0 9 * * 1-5` |
| Weekly on Sunday | `0 0 * * 0` |
| Monthly on the 1st | `0 0 1 * *` |
After creating the workflow file, provide:
When the user asks for something generic like "set up CI/CD", create a single workflow with multiple jobs:
```yaml
jobs:
  lint:    # Fast feedback
  test:    # Core validation
  build:   # Ensure it compiles/bundles
    needs: [lint, test]
  deploy:  # Only after everything passes
    needs: build
    if: github.ref == 'refs/heads/main'
```
Keep workflows focused. Prefer one workflow per concern over one massive workflow, unless the jobs are tightly coupled.