faysilalshareef/github-actions
skills/devops/github-actions/SKILL.md
Use when creating GitHub Actions CI/CD workflows for .NET build, test, and deployment.
$ install --global
skillsauthnpx skillsauth add faysilalshareef/dotnet-ai-kit github-actionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 18, 2026, 3:08 AM175.3s1 file scanned
SKILL.md
- name:
- github-actions
- description:
- Use when creating GitHub Actions CI/CD workflows for .NET build, test, and deployment.
- category:
- devops
- agent:
- devops-engineer
- when_to_use:
- When creating or modifying GitHub Actions CI/CD workflows for .NET projects
GitHub Actions — CI/CD Pipelines
Core Principles
- Two-job pipeline:
build-and-push+deploy - Azure OIDC authentication (no stored credentials)
- Build Docker image and push to Azure Container Registry (ACR)
- Token replacement in K8s manifests during deploy
- Environment secrets for connection strings and credentials
- PR triggers run build + test only; push to main triggers full deploy
Key Patterns
Build, Test, Deploy Workflow
name: Build and Deploy
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
id-token: write
contents: read
env:
ACR_NAME: {company}acr
IMAGE_NAME: {domain}-command
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '{version}.0.x'
- name: Restore
run: dotnet restore
- name: Build
run: dotnet build --no-restore -c Release
- name: Test
run: dotnet test --no-build -c Release --logger trx
build-and-push:
needs: build-and-test
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/checkout@v4
- name: Azure Login (OIDC)
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Build and Push to ACR
run: |
az acr build \
--registry ${{ env.ACR_NAME }} \
--image ${{ env.IMAGE_NAME }}:${{ github.sha }} \
--image ${{ env.IMAGE_NAME }}:latest \
.
deploy:
needs: build-and-push
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/checkout@v4
- name: Azure Login (OIDC)
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Get AKS Credentials
run: |
az aks get-credentials \
--resource-group ${{ secrets.AKS_RESOURCE_GROUP }} \
--name ${{ secrets.AKS_CLUSTER_NAME }}
- name: Replace Tokens in Manifest
run: |
sed -i 's|#{IMAGE_TAG}#|${{ github.sha }}|g' deploy/prod-manifest.yaml
sed -i 's|#{ACR_NAME}#|${{ env.ACR_NAME }}|g' deploy/prod-manifest.yaml
sed -i 's|#{REPLICAS}#|2|g' deploy/prod-manifest.yaml
sed -i 's|#{DB_CONNECTION_STRING}#|${{ secrets.DB_CONNECTION }}|g' deploy/prod-manifest.yaml
- name: Deploy to AKS
uses: azure/k8s-deploy@v5
with:
manifests: deploy/prod-manifest.yaml
namespace: {company}-prod
PR-Only Workflow (Build + Test)
name: PR Checks
on:
pull_request:
branches: [main]
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-dotnet@v4
with:
dotnet-version: '{version}.0.x'
- run: dotnet restore
- run: dotnet build --no-restore -c Release
- run: dotnet test --no-build -c Release
Anti-Patterns
| Anti-Pattern | Correct Approach |
|---|---|
| Stored Azure credentials | Use OIDC with id-token: write permission |
| Deploy on PR | Only deploy on push to main |
| Secrets in workflow file | Use GitHub environment secrets |
| Missing test step | Always test before deploying |
| No token replacement | Use sed or dedicated token replacement action |
Detect Existing Patterns
# Find GitHub Actions workflows
find .github/workflows -name "*.yml" -o -name "*.yaml"
# Find Azure login patterns
grep -r "azure/login" --include="*.yml" .github/
# Find ACR build
grep -r "az acr build" --include="*.yml" .github/
Adding to Existing Project
- Follow existing workflow structure — two-job vs single-job pattern
- Use existing Azure OIDC credentials (same app registration)
- Match ACR name and AKS cluster from existing workflows
- Add environment secrets for new service connection strings
- Token replacement must match placeholders in K8s manifests
Related Skills
faysilalshareef/verification-gate
data-ai
VerifiedTrustedCommunity
Use when about to claim work is complete, fixed, passing, or ready — before committing, creating PRs, or moving to the next task. Requires running verification commands and confirming output before making any success claims.
2SKILL.mdUpdated Jun 1, 2026
faysilalshareef/systematic-debugging
development
VerifiedTrustedCommunity
Use when encountering any bug, test failure, build error, or unexpected behavior — before proposing fixes or making changes.
2SKILL.mdUpdated Jun 1, 2026
faysilalshareef/session-management
development
VerifiedTrustedCommunity
Use when checkpointing, wrapping up, or handing off an AI-assisted development session.
2SKILL.mdUpdated Jun 1, 2026
faysilalshareef/sdd-lifecycle
development
VerifiedTrustedCommunity
Use when following the Specification-Driven Development lifecycle from plan through ship.
2SKILL.mdUpdated Jun 1, 2026