Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

dtsong/cicd-generation

Name: cicd-generation
Author: dtsong

skills/cicd-generation/SKILL.md

npx skillsauth add dtsong/my-claude-setup cicd-generation

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

CI/CD Generation Skill

Generate production-ready GitHub Actions workflows.

Input Sanitization

Workflow file names: alphanumeric, hyphens, and underscores only — reject .., shell metacharacters, or null bytes
Action references: owner/action@ref format — reject shell metacharacters and null bytes
Secret names: uppercase alphanumeric and underscores only

Core Principles

Fail-fast: Quick checks (lint, type) before slow ops (build, test)
Security hardening: OIDC auth, minimal permissions, pinned action versions
Caching: Based on detected package manager
Matrix testing: When multiple versions/platforms needed
Verification-first: Examine repo before generating workflow

Process

Step 1: Analyze Repository

Before generating ANY workflow, verify:

[ ] Language/framework detected
[ ] Package manager identified (npm, yarn, pnpm, pip, poetry, go mod)
[ ] Test command exists and verified
[ ] Lint/format commands exist
[ ] Build output/artifacts identified
[ ] Deployment target identified (if applicable)

Step 2: Workflow Structure

Standard CI workflow (.github/workflows/ci.yml):

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup
      - name: Lint
        run: <lint-command>

  test:
    runs-on: ubuntu-latest
    needs: lint  # Fail-fast: lint before test
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup with caching
      - name: Test
        run: <test-command>

  build:
    runs-on: ubuntu-latest
    needs: test  # Fail-fast: test before build
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup
      - name: Build
        run: <build-command>

Step 3: Language-Specific Patterns

Node.js:

- uses: actions/setup-node@v4
  with:
    node-version: '20'
    cache: 'npm'  # or yarn, pnpm
- run: npm ci

Python:

- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'
- run: pip install -r requirements.txt

Go:

- uses: actions/setup-go@v5
  with:
    go-version: '1.22'
    cache: true

Step 4: Security Hardening

Required practices:

Pin action versions to SHA: actions/checkout@<sha>
Minimal permissions block at workflow and job level
Use OIDC for cloud deployments (no long-lived secrets)
Never echo secrets

OIDC example (AWS):

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::ACCOUNT:role/ROLE
      aws-region: us-east-1

Step 5: Matrix Testing

When multiple versions/platforms needed:

strategy:
  fail-fast: false
  matrix:
    os: [ubuntu-latest, macos-latest]
    node: [18, 20, 22]

Gotchas

@v4 action references are mutable tags — a compromised action repo can push new code to the same tag. Pin to full SHA for security-critical workflows
permissions: write-all grants the workflow token access to everything — always use minimal, explicit permissions per job
continue-on-error: true hides real failures in CI — only use for explicitly optional steps with a comment explaining why
actions/checkout with default fetch-depth: 1 breaks git log, git diff, and changelog generation — use fetch-depth: 0 for full history
Caching node_modules instead of the npm/yarn cache leads to stale dependencies — cache the package manager cache, not installed packages
GITHUB_TOKEN permissions differ between pull_request and pull_request_target events — the latter runs with base branch permissions (security risk for fork PRs)

Anti-patterns to Avoid

@latest or @v4 without SHA pinning for security-critical workflows
permissions: write-all
Storing secrets in workflow files
Running all jobs in parallel when dependencies exist
Missing caching for package managers
continue-on-error: true hiding real failures

Output Format

When generating a workflow, output:

Analysis summary: What was detected in repo
Workflow file(s): Full YAML content
File path: Where to save (.github/workflows/<name>.yml)
Setup notes: Any required secrets or configuration
Verification: Command to test workflow locally (act, etc.)

dtsong/cicd-generation

skills/cicd-generation/SKILL.md

Use when creating GitHub Actions workflows, adding CI/CD to a project, or reviewing pipeline security. Produces fail-fast, security-hardened workflows with OIDC auth and SHA-pinned actions. Triggers on 'add CI', 'create workflow', 'github actions'.

4 stars

testing

Updated Apr 26, 2026

$ install --global

skillsauth

npx skillsauth add dtsong/my-claude-setup cicd-generation

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 26, 2026, 3:59 AM69.2s6 files scanned

SKILL.md

name:: cicd-generation
description:: Use when creating GitHub Actions workflows, adding CI/CD to a project, or reviewing pipeline security. Produces fail-fast, security-hardened workflows with OIDC auth and SHA-pinned actions. Triggers on 'add CI', 'create workflow', 'github actions'.

CI/CD Generation Skill

Generate production-ready GitHub Actions workflows.

Input Sanitization

Workflow file names: alphanumeric, hyphens, and underscores only — reject .., shell metacharacters, or null bytes
Action references: owner/action@ref format — reject shell metacharacters and null bytes
Secret names: uppercase alphanumeric and underscores only

Core Principles

Fail-fast: Quick checks (lint, type) before slow ops (build, test)
Security hardening: OIDC auth, minimal permissions, pinned action versions
Caching: Based on detected package manager
Matrix testing: When multiple versions/platforms needed
Verification-first: Examine repo before generating workflow

Process

Step 1: Analyze Repository

Before generating ANY workflow, verify:

[ ] Language/framework detected
[ ] Package manager identified (npm, yarn, pnpm, pip, poetry, go mod)
[ ] Test command exists and verified
[ ] Lint/format commands exist
[ ] Build output/artifacts identified
[ ] Deployment target identified (if applicable)

Step 2: Workflow Structure

Standard CI workflow (.github/workflows/ci.yml):

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup
      - name: Lint
        run: <lint-command>

  test:
    runs-on: ubuntu-latest
    needs: lint  # Fail-fast: lint before test
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup with caching
      - name: Test
        run: <test-command>

  build:
    runs-on: ubuntu-latest
    needs: test  # Fail-fast: test before build
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        # Language-specific setup
      - name: Build
        run: <build-command>

Step 3: Language-Specific Patterns

Node.js:

- uses: actions/setup-node@v4
  with:
    node-version: '20'
    cache: 'npm'  # or yarn, pnpm
- run: npm ci

Python:

- uses: actions/setup-python@v5
  with:
    python-version: '3.12'
    cache: 'pip'
- run: pip install -r requirements.txt

Go:

- uses: actions/setup-go@v5
  with:
    go-version: '1.22'
    cache: true

Step 4: Security Hardening

Required practices:

Pin action versions to SHA: actions/checkout@<sha>
Minimal permissions block at workflow and job level
Use OIDC for cloud deployments (no long-lived secrets)
Never echo secrets

OIDC example (AWS):

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::ACCOUNT:role/ROLE
      aws-region: us-east-1

Step 5: Matrix Testing

When multiple versions/platforms needed:

strategy:
  fail-fast: false
  matrix:
    os: [ubuntu-latest, macos-latest]
    node: [18, 20, 22]

Gotchas

@v4 action references are mutable tags — a compromised action repo can push new code to the same tag. Pin to full SHA for security-critical workflows
permissions: write-all grants the workflow token access to everything — always use minimal, explicit permissions per job
continue-on-error: true hides real failures in CI — only use for explicitly optional steps with a comment explaining why
actions/checkout with default fetch-depth: 1 breaks git log, git diff, and changelog generation — use fetch-depth: 0 for full history
Caching node_modules instead of the npm/yarn cache leads to stale dependencies — cache the package manager cache, not installed packages
GITHUB_TOKEN permissions differ between pull_request and pull_request_target events — the latter runs with base branch permissions (security risk for fork PRs)

Anti-patterns to Avoid

@latest or @v4 without SHA pinning for security-critical workflows
permissions: write-all
Storing secrets in workflow files
Running all jobs in parallel when dependencies exist
Missing caching for package managers
continue-on-error: true hiding real failures

Output Format

When generating a workflow, output:

Analysis summary: What was detected in repo
Workflow file(s): Full YAML content
File path: Where to save (.github/workflows/<name>.yml)
Setup notes: Any required secrets or configuration
Verification: Command to test workflow locally (act, etc.)

Related Skills

dtsong/workflow

development

VerifiedTrustedCommunity

Use when planning implementation steps, deciding commit format, or structuring development approach. Provides brainstorm-plan-implement flow with conventional commits. Triggers on 'how should I approach this', 'commit format'.

4SKILL.mdUpdated Apr 28, 2026

dtsong/web-security-hardening

development

VerifiedTrustedCommunity

Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.

4SKILL.mdUpdated Apr 28, 2026

dtsong/web-security-hardening

dtsong/web-design-guidelines

development

VerifiedTrustedCommunity

Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".

4SKILL.mdUpdated Apr 28, 2026

dtsong/web-design-guidelines

dtsong/vercel-react-best-practices

development

VerifiedTrustedCommunity

React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.

4SKILL.mdUpdated Apr 28, 2026

dtsong/vercel-react-best-practices

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/dtsong/my-claude-setup.git

# Copy into Claude Code skills folder (global)
cp -r my-claude-setup/skills/cicd-generation ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

dtsong/my-claude-setup

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT