jacobpevans/shared-workflow-org-refs
github-workflows/skills/shared-workflow-org-refs/SKILL.md
Use when creating or editing GitHub Actions workflows that call reusable workflows (uses: OWNER/repo/.github/workflows/...) — org owner references must be the literal current org, and shared-CI homes are under dryvist.
$ install --global
skillsauthnpx skillsauth add jacobpevans/claude-code-plugins shared-workflow-org-refsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 8:35 AM165.8s1 file scanned
SKILL.md
- name:
- shared-workflow-org-refs
- description:
- Use when creating or editing GitHub Actions workflows that call reusable workflows (uses: OWNER/repo/.github/workflows/...) — org owner references must be the literal current org, and shared-CI homes are under dryvist.
Shared Workflow Org References
GitHub Actions reusable-workflow and action uses: clauses are the one place the
"don't rewrite JacobPEvans/* on sight — the redirect holds" rule does NOT apply.
Two hard GitHub constraints:
uses:cannot contain expressions or variables — the owner is always a literal.uses: ${{ vars.X }}/repo/...@refis rejected. No org variable can centralize it.uses:does NOT follow repository transfer/rename redirects (by design). API, git, and the browser DO follow them; Actions does not.
Consequence: when a shared-CI repo changes orgs, every consumer's uses: fails at parse time
(the run shows zero jobs and "workflow was not found"). There is no runtime variable that prevents this.
Canonical home: dryvist
dryvist is the canonical home for everything dryvist uses. Anything a dryvist
repo consumes — reusable workflows, presets, policies — belongs under dryvist/*.
JacobPEvans-personal/* may depend on dryvist/*; dryvist/* must never depend
on JacobPEvans-personal/*. When a shared workflow is used by dryvist, its home is
dryvist/.github (or the relevant dryvist/* repo), not the personal account.
Because uses: does not follow redirects, reference each workflow by its literal
current owner from the table below until a pending relocation actually lands.
| Shared-CI workflow set | Current home | Status |
| --- | --- | --- |
| ai-workflows reusable workflows | dryvist/ai-workflows | canonical |
| Nix reusable workflows (_nix-validate.yml, _nix-build.yml) | dryvist/.github | canonical |
| Release-please (_release-please.yml) | dryvist/.github | canonical — org-native (dryvist release App, major-bump block, auto-merge) |
| _markdown-lint, _file-size, _osv-scan, _ci-gate, … | JacobPEvans-personal/.github | pending relocation to dryvist/.github |
Nix and release-please were deliberately relocated to dryvist/.github (the org owns
its own CI). The remaining non-Nix .github workflows are still in
JacobPEvans-personal/.github only until they are moved the same way — that is a
transitional home, not a permanent one. Repoint consumers via the sweep below as each
moves; do not move any back to the personal account.
Rules
- In
uses:, always reference the literal current owner above. - Do NOT replace a reusable-workflow call with a
gh workflow run/ checkoutvars.*dispatcher just to gain a variable: that loses required-check status, inputs/outputs, andsecrets: inherit. - gh-aw
{{#import ...}}references and compiled*.lock.ymlfiles resolve at compile time via the redirect — leave them to the don't-rewrite rule and gh-aw recompilation.
If a shared-CI repo must move anyway (sweep)
gh search code 'OLD_OWNER/REPO' --owner dryvist(and--owner JacobPEvans-personal), filtered to.github/workflows/*.yml.- Per consumer repo: swap only the
uses:owner segment, preserving path and@ref; one PR per repo. - Skip
*.lock.yml,{{#import}}, and docs. - Token tiers: dryvist repos → DRYVIST; JacobPEvans-personal repos → PRIVATE.
Related Skills
jacobpevans/nix-tool-policy
tools
VerifiedTrustedCommunity
Use when installing or choosing CLI tools in a Nix flake repo, editing flake.nix or home-manager config, or when tempted to pip/pipx/uv/brew/npm install anything. Tools come from the dev shell or nix shell — never ad-hoc package managers.
3SKILL.mdUpdated Jun 11, 2026
jacobpevans/pre-commit-architecture
development
VerifiedTrustedCommunity
Use when adding or editing .pre-commit-config.yaml, wiring pre-commit hooks into a repo, scaffolding a new repo's lint/hook setup, or deciding where a hook or shared lint config should live. Covers the canonical nix-devenv/dryvist-.github architecture, profiles, and consumer patterns.
3SKILL.mdUpdated Jun 11, 2026
jacobpevans/refresh-repo
testing
VerifiedTrustedCommunity
Check PR merge readiness, sync local repo, cleanup stale worktrees; optional cross-repo sweep and stale-branch prune modes
3SKILL.mdUpdated Apr 28, 2026
jacobpevans/rebase-pr
tools
VerifiedTrustedCommunity
Local rebase-merge workflow for pull requests with signed commits
3SKILL.mdUpdated Apr 28, 2026