em-jones/.agents/skills/github-actions-patterns
.agents/skills/github-actions-patterns/SKILL.md
# Skill: GitHub Actions Patterns **Description**: Guidance for agents implementing GitHub Actions workflow patterns, designing reusable workflows, vetting actions, and managing secrets securely. **When to use**: When implementing GitHub Actions workflows, creating reusable workflow components, selecting actions for CI/CD pipelines, or designing secrets management strategies. --- ## Quick Start ### I'm designing a new workflow 1. Read `.opencode/rules/patterns/workflows/design.md` for the 8
$ install --global
skillsauthnpx skillsauth add em-jones/staccato-toolkit .agents/skills/github-actions-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:48 AM12.2s1 file scanned
SKILL.md
Skill: GitHub Actions Patterns
Description: Guidance for agents implementing GitHub Actions workflow patterns, designing reusable workflows, vetting actions, and managing secrets securely.
When to use: When implementing GitHub Actions workflows, creating reusable workflow components, selecting actions for CI/CD pipelines, or designing secrets management strategies.
Quick Start
I'm designing a new workflow
-
Read
.opencode/rules/patterns/workflows/design.mdfor the 8 core patterns:- Workflow structure and naming conventions
- Job organization and orchestration
- Step-level structure and naming
- Conditional execution patterns
- Environment variable and input management
- Error handling and failure strategies
- Workflow performance and efficiency
- Workflow documentation and comments
-
Reference the example:
.github/workflows-examples/standard-pipeline.yml -
Verify your workflow against the pattern checklist
I need to select an action
- Check
.opencode/rules/patterns/actions/approved-actions-catalog.md - If not found, follow the "Request New Action" process
- Use the recommended version pin (typically major version)
I'm handling secrets
-
Read
.opencode/rules/patterns/actions/secrets.mdfor the 8 patterns:- Secret definition and organization
- Secret access control and scoping
- Secret masking in logs
- Credential rotation and lifecycle management
- Secrets not stored in code
- Safe secret passing between steps
- Token and permission management
- External secret integration
-
Never hardcode secrets; always use
${{ secrets.NAME }}
I'm creating reusable workflows
-
Read
.opencode/rules/patterns/workflows/reusable.mdfor the 8 patterns:- Reusable workflow structure and composition
- Reusable workflow documentation and examples
- Input and output parameter validation
- Secrets passing to reusable workflows
- Reusable workflow versioning and stability
- Workflow reuse patterns and conventions
- Matrix strategies for reusable workflows
- Error handling and status reporting
-
Reference reusable example:
.github/workflows-examples/reusable-*.yml
I'm vetting actions
-
Read
.opencode/rules/patterns/actions/curation.mdfor the 8 patterns:- Action vetting criteria
- Action source and trust assessment
- Security scanning for actions
- Action documentation and clarity
- Action maintenance status
- Curated action catalog
- Action version pinning strategies
- Deprecated action handling
-
Use the vetting checklist in pattern #1
Pattern Reference
Workflow Design Patterns (4 categories)
Structural Patterns
- Naming conventions: Use kebab-case, prefix with action type
- Example:
ci.yml,deploy-staging.yml,nightly-audit.yml
- Example:
- Job organization: Separate concerns into logical jobs; use
needs:for dependencies- Parallel jobs for independence; sequential gates for critical paths
- Step naming: Descriptive, imperative verb + object
- Example: "Install dependencies", "Run tests", "Deploy application"
Behavioral Patterns
- Conditional execution: Use
if:to control when jobs/steps run- Gate production deployments:
if: github.ref == 'refs/heads/main' - Optional non-blocking steps:
continue-on-error: true
- Gate production deployments:
- Environment variables: Define at workflow level; override at job/step level
- Use for configuration; never for secrets
- Error handling: Fail fast for critical steps; continue-on-error for optional
- Use
always()for cleanup/notification steps
- Use
Performance Patterns
- Caching: Leverage action cache support (npm, pip, maven, etc.)
- Enable with
cache: npmin setup-node
- Enable with
- Parallelization: Run independent jobs concurrently
- Use matrix strategies for multiple configurations
- Artifact reuse: Upload once, download multiple times
- Avoid redundant builds and downloads
Documentation Patterns
- Comments: Explain non-obvious logic and design decisions
- Comment complex conditionals with reasoning
- Annotate security-sensitive steps
- Step names: Double as documentation
- "Install dependencies", not "Step 1"
- Workflow headers: Include purpose, affected teams, related docs
Action Curation Patterns (3 tiers + process)
Trust Tiers
- Tier 1: Official GitHub, first-party ecosystem maintainers
- Trust level: Use without additional review
- Examples:
actions/checkout,docker/build-push-action
- Tier 2: Recognized open-source, high adoption, active maintenance
- Trust level: Require security review before first use
- Examples:
codecov/codecov-action,golangci/golangci-lint-action
- Tier 3: Specialized niche tools, verified maintainers, smaller adoption
- Trust level: Require full security audit before use
- Examples:
aquasecurity/trivy-action(security-focused organization)
- Tier 4: Unknown, inactive, security issues
- Trust level: Prohibited — must request approval before use
Vetting Checklist
- [ ] Source verification (official, recognized, or public source code)
- [ ] Security assessment (no critical CVEs or unpatched issues)
- [ ] Maintenance status (updates within last 6 months)
- [ ] Documentation quality (clear README, inputs, outputs, examples)
- [ ] Community adoption (stars/watchers, issue resolution)
Version Pinning Strategy
- Major version:
@v4— Gets bug fixes, prevents major breaks (recommended) - Specific version:
@v4.0.0— Most stable, requires manual updates - Release branches:
@masteror@main— Never use in production
Secrets Management Patterns (3 scopes + rotation)
Storage & Access
- Repository secrets: Specific to one repo, in repo settings
- Organization secrets: Shared across repos, in org settings
- Environment secrets: Environment-specific (staging, prod), per-environment
- Never: Store in code, git history, logs, or outputs
Scoping Rules
- Public workflows (PRs): No access to secrets
- Internal workflows (pushes): Access to repo and org secrets
- Production deployments: Access to environment secrets + approval required
Masking Requirements
- Automatic: GitHub masks secrets injected via
${{ secrets.NAME }} - Manual: Explicitly mask computed/derived secrets with
echo "::add-mask::value" - Verification: Check logs to confirm secrets are masked (should show
***)
Rotation Timeline
- API tokens: 90 days
- Database passwords: 6 months
- Deployment keys: 1 year
- Certificates: Before expiration (30-day warning)
Reusable Workflow Patterns (composition + versioning)
Structure
- Define inputs with descriptions, types, and defaults
- Define outputs for caller consumption
- Explicit
on: workflow_calltrigger - Document each input/output clearly
Composition
- Caller orchestrates multiple reusable workflows
- Use
needs:to control dependency order - Each reusable workflow handles one concern
- Example: build.yml, test.yml, deploy.yml, notify.yml
Versioning
- Use semantic versioning: MAJOR.MINOR.PATCH
- Pin to major version:
@v1(gets v1.0, v1.1, v1.2) - Document breaking changes prominently
- Provide migration guide for major versions
Validation
- Validate all inputs early (type, format, range)
- Handle missing optional inputs gracefully
- Explicitly check for required secrets
- Output validation errors immediately
Common Tasks
Task: Design a new CI/CD pipeline
- Structure: Build → Test → Deploy (sequential gates)
- Naming: Use standard-*.yml pattern
- Jobs: Lint (parallel), Build (critical), Test (needs build), Security (parallel)
- Deployments: Gate on branch (
github.ref == 'refs/heads/main') - Environment approval: Add production environment with approval required
- Notifications: Always-run job for Slack/email
- Reference: Copy
.github/workflows-examples/standard-pipeline.ymland customize
Task: Create a reusable workflow
- Define: Inputs, secrets, outputs clearly with descriptions
- Validation: Validate inputs early in the workflow
- Documentation: Comments explaining purpose and usage
- Testing: Test with sample caller workflow
- Versioning: Tag with
v1.0.0when ready - Examples: Include usage example in comments
- Reference:
.opencode/rules/patterns/workflows/reusable.mdpatterns 1-8
Task: Select an action for a workflow
- Check catalog: Look in
.opencode/rules/patterns/actions/approved-actions-catalog.md - If found: Use recommended version, refer to usage example
- If not found: Check trust tier (Tier 1/2/3 may be auto-approved; Tier 4 needs review)
- Request approval: Follow "Request New Action" process in catalog
- Reference: Actions that use
@v4or@v3(not@masteror@main)
Task: Handle secrets in a workflow
- Storage: Store in GitHub secrets (repo, org, or environment)
- Usage: Access via
${{ secrets.NAME }}—automatically masked - Rotation: Plan rotation schedule based on type
- Verification: Confirm secrets are masked in logs (show
***) - No commits: Never hardcode; use pre-commit hooks if needed
- Reference:
.opencode/rules/patterns/actions/secrets.mdpatterns 1-8
Task: Debug a failing workflow
- Check logs: Look for clear step names and error messages
- Identify phase: Which phase failed? (build, test, deploy, etc.)
- Review patterns: Did workflow follow the design patterns?
- Check conditionals: Did
if:conditions work as expected? - Validate inputs: For reusable workflows, were inputs valid?
- Verify secrets: Were secrets masked properly in logs?
- Reference: Relevant pattern in design.md or reusable.md
Examples in Code
Example 1: Standard workflow structure
name: CI/CD Pipeline # Descriptive name
on: [push, pull_request]
env:
NODE_VERSION: "18" # Avoid secrets in env
jobs:
lint: # Parallel phase
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: "npm" # Performance
- run: npm ci
- run: npm run lint
continue-on-error: true # Optional
build: # Critical phase
runs-on: ubuntu-latest
needs: lint # Sequential gate (if lint fails, build is skipped)
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: "npm"
- run: npm ci
- run: npm run build
deploy: # Only on main
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main' # Conditional gate
environment: production # Requires approval
steps:
- uses: actions/checkout@v4
- run: |
./deploy.sh
env:
DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # Secrets are masked
Example 2: Reusable workflow with validation
name: Reusable Build
on:
workflow_call:
inputs:
node-version:
type: string
required: false
default: "18"
jobs:
build:
runs-on: ubuntu-latest
steps:
# Validate input
- name: Validate node version
run: |
if [[ ! "${{ inputs.node-version }}" =~ ^[0-9]+$ ]]; then
echo "::error::Invalid node version"
exit 1
fi
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ inputs.node-version }}
cache: "npm"
- run: npm ci
- run: npm run build
Example 3: Safe secret usage
jobs:
deploy:
steps:
# ✓ Correct: Secret injected via ${{ secrets.NAME }}
- run: deploy.sh
env:
DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # Automatically masked
# ✗ Wrong: Hardcoded secret
# - run: deploy.sh --token="abc123"
# ✗ Wrong: Secret in output
# - run: echo "${{ secrets.DEPLOY_TOKEN }}" # Masked but visible
# ✓ Correct: If you must output, mask it
- run: |
DERIVED=$(echo -n "${{ secrets.DEPLOY_TOKEN }}" | sha256sum)
echo "::add-mask::${DERIVED}"
echo "Hash: ${DERIVED}"
Quick Links
- Workflow Design:
.opencode/rules/patterns/workflows/design.md - Reusable Workflows:
.opencode/rules/patterns/workflows/reusable.md - Actions Curation:
.opencode/rules/patterns/actions/curation.md - Secrets Management:
.opencode/rules/patterns/actions/secrets.md - Example Workflows:
.github/workflows-examples/ - Approved Actions:
.opencode/rules/patterns/actions/approved-actions-catalog.md
When Patterns Change
These patterns are reviewed quarterly. If a pattern becomes outdated:
- File an issue on the main repository
- Document the problem and proposed change
- Discuss with architecture/platform team
- Update patterns once consensus is reached
- Announce change with migration timeline
Support
- Questions? Check the relevant pattern file (links above)
- Found a bug? File an issue with details and your workflow
- Want to propose a change? Discuss in team meeting or open issue
- New action request? Follow "Request New Action" in approved-actions-catalog.md
Last Updated: 2024-02-25
Maintainers: Platform/DevOps Team
Review Schedule: Quarterly (January, April, July, October)
Related Skills
em-jones/.agents/skills/vite-plus
tools
VerifiedTrustedCommunity
<!--VITE PLUS START--> # Using Vite+, the Unified Toolchain for the Web This project is using Vite+, a unified toolchain built on top of Vite, Rolldown, Vitest, tsdown, Oxlint, Oxfmt, and Vite Task. Vite+ wraps runtime management, package management, and frontend tooling in a single global CLI called `vp`. Vite+ is distinct from Vite, but it invokes Vite through `vp dev` and `vp build`. ## Vite+ Workflow `vp` is a global binary that handles the full development lifecycle. Run `vp help` to pr
1SKILL.mdUpdated Apr 17, 2026
em-jones/ui-data-tables
development
VerifiedTrustedCommunity
Guide for building performant data tables. Uses tanstack-table for table logic (sorting, filtering, pagination) and tanstack-virtual for rendering large datasets efficiently.
1SKILL.mdUpdated Apr 17, 2026
em-jones/typescript-effect-library
development
VerifiedTrustedCommunity
Expert guidance for building observable, expressive, and fault-tolerant TypeScript applications using the effect-ts/effect ecosystem. Covers Effect<A, E, R> type, error management, dependency injection via Layers, observability (logging, metrics, tracing), concurrency with Fibers, retry/scheduling, Schema validation, Streams, and Sinks.
1SKILL.mdUpdated Apr 17, 2026
em-jones/typescript-e2e-testing
tools
VerifiedTrustedCommunity
Complete E2E (end-to-end) and integration testing skill for TypeScript/NestJS projects using Jest, real infrastructure via Docker, and GWT pattern. ALWAYS use this skill when user needs to: **SETUP** - Initialize or configure E2E testing infrastructure: - Set up E2E testing for a new project - Configure docker-compose for testing (Kafka, PostgreSQL, MongoDB, Redis) - Create jest-e2e.config.ts or E2E Jest configuration - Set up test helpers for database, Kafka, or Redis - Configure .env.e2e environment variables - Create test/e2e directory structure **WRITE** - Create or add E2E/integration tests: - Write, create, add, or generate e2e tests or integration tests - Test API endpoints, workflows, or complete features end-to-end - Test with real databases, message brokers, or external services - Test Kafka consumers/producers, event-driven workflows - Working on any file ending in .e2e-spec.ts or in test/e2e/ directory - Use GWT (Given-When-Then) pattern for tests **REVIEW** - Audit or evaluate E2E tests: - Review existing E2E tests for quality - Check test isolation and cleanup patterns - Audit GWT pattern compliance - Evaluate assertion quality and specificity - Check for anti-patterns (multiple WHEN actions, conditional assertions) **RUN** - Execute or analyze E2E test results: - Run E2E tests - Start/stop Docker infrastructure for testing - Analyze E2E test results - Verify Docker services are healthy - Interpret test output and failures **DEBUG** - Fix failing or flaky E2E tests: - Fix failing E2E tests - Debug flaky tests or test isolation issues - Troubleshoot connection errors (database, Kafka, Redis) - Fix timeout issues or async operation failures - Diagnose race conditions or state leakage - Debug Kafka message consumption issues **OPTIMIZE** - Improve E2E test performance: - Speed up slow E2E tests - Optimize Docker infrastructure startup - Replace fixed waits with smart polling - Reduce beforeEach cleanup time - Improve test parallelization where safe Keywords: e2e, end-to-end, integration test, e2e-spec.ts, test/e2e, Jest, supertest, NestJS, Kafka, Redpanda, PostgreSQL, MongoDB, Redis, docker-compose, GWT pattern, Given-When-Then, real infrastructure, test isolation, flaky test, MSW, nock, waitForMessages, fix e2e, debug e2e, run e2e, review e2e, optimize e2e, setup e2e
1SKILL.mdUpdated Apr 17, 2026