kjanat/github-script
skills/github-script/SKILL.md
Writes secure actions/github-script workflow steps. Use when GitHub Actions needs inline JavaScript with GitHub API/context.
development
Updated Apr 18, 2026
$ install --global
skillsauthnpx skillsauth add kjanat/skills github-scriptInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 7:22 AM38.1s14 files scanned
SKILL.md
- name:
- github-script
- description:
- Writes secure actions/github-script workflow steps. Use when GitHub Actions needs inline JavaScript with GitHub API/context.
- license:
- MIT
- author:
- kjanat
- version:
- 1.0
github-script
Use for authoring or reviewing uses: actions/github-script@v8 workflow steps.
with.script runs as an async function body; use await import(...) for module imports.
Defaults
- Pin
actions/github-script@v8 - Runtime is Node 24
- Self-hosted runner minimum is
v2.327.1 - Prefer
github.rest.*endpoint methods; usegithub.request(...)for raw requests. - Prefer ESM modules (
.mjsor.jswith// @ts-check); avoid CommonJS (require,module.exports). - If authoring helpers in TypeScript, compile to
.mjs/.jsand import the built file in workflow steps.
Fast workflow
- Define step
idif downstream steps need outputs. - Prefer
contextandcontext.payloadfor event data already provided. - Pass only missing values through
env. - Keep inline script tiny; delegate logic to external ESM file.
- Read env values via
process.envinside module only when needed. - Use
github.rest.*,github.graphql, orgithub.request. - Return value only when output needed.
- Configure retries for flaky API calls.
ESM-first architecture
- Inline
scriptshould usually do one thing:import+ call exported function. - Put reusable logic in
scripts/*.mjsmodules. - Share logic across workflows via one core module + small entry modules.
- Typecheck modules locally (enable
checkJsintsconfig.jsonor add// @ts-checkfor JS). - For
.tssource files, keep runtime imports pointed at compiled JS outputs.
See references/external-files.md for patterns.
Reading order
| Task | Read |
| -------------------- | ---------------------------------------------------------------------------------------------- |
| Write new step | SKILL.md, references/external-files.md, references/examples.md, references/security.md |
| Review existing step | SKILL.md, references/security.md, references/inputs-outputs-retries.md |
| Migrate old workflow | SKILL.md, references/runtime-and-migrations.md |
Security rules
- Never inline
${{ ... }}expressions directly insidescript. - Expressions are evaluated before script; direct interpolation can cause injection or invalid JavaScript.
- If value exists in
context, use it there; do not mirror intoenv. - Use
envboundary and parse/validate in script.
See references/security.md for patterns.
Script arguments available in script body
github: authenticated Octokit client with pagination pluginsoctokit: alias forgithubcontext: workflow run contextcore,glob,io,exec- wrapped
requireplus escape hatch__original_require__(legacy; prefer ESMimport)
If you need source-level API details, inspect the action repo: https://github.com/actions/github-script (for example action.yml, types/async-function.d.ts, src/main.ts).
This action (upstream model)
with.script is the body of an async function. These values are pre-defined (no import needed):
github: pre-authenticated octokit/rest.js clientcontext: workflow run contextcore: @actions/coreglob: @actions/globio: @actions/ioexec: @actions/execrequire: wrapped Node require (cwd-relative + local npm packages); use__original_require__for unwrapped require
Output model
- Function return value becomes
steps.<id>.outputs.result - Default result encoding is JSON
- Use
result-encoding: stringfor raw string output
Retry model
- Enable retries with
retries: <n> - Default retry-exempt status codes:
400,401,403,404,422 - Override with
retry-exempt-status-codes
See references/inputs-outputs-retries.md for details.
Token model
- Default token is the action's
github-tokeninput default (typically workflow token, repo-scoped) - Use
github-tokenwith PAT secret for cross-repo or broader scopes
In this reference
| File | Purpose |
| -------------------------------------- | --------------------------------------------- |
| references/security.md | injection avoidance and env-boundary patterns |
| references/inputs-outputs-retries.md | inputs, outputs, retry semantics |
| references/runtime-and-migrations.md | v5-v8 changes and upgrade checks |
| references/external-files.md | external ESM architecture, reuse, typecheck |
| references/examples.md | minimal templates for common tasks |
Scope note
Upstream repository currently does not accept general contributions.
Security fixes and major breakage fixes still maintained.
Related Skills
kjanat/statute-proxy
development
VerifiedTrustedCommunity
Use this skill whenever the user is designing, building, scaffolding, reviewing, or debugging Go-based reverse proxy or HTTP edge infrastructure, especially when they mention statute, config-as-code proxies, building an nginx replacement in Go, networking topology, TLS termination, load balancing, HTTP/2, HTTP/3, QUIC, ACME, upstream pools, middleware chains, or graceful shutdown. Trigger this skill even when the user does not explicitly name statute but is clearly working on a Go HTTP server, edge proxy, or networking infrastructure problem where the resulting artefact will be a compiled binary rather than a runtime-configured server. Also trigger when the user asks for explanations of networking protocols (HTTP/1.1, HTTP/2, HTTP/3, WebSockets, gRPC, TLS) in the context of building or operating a proxy, or when they ask about Go net/http pitfalls, transport tuning, or production-grade server defaults.
SKILL.mdUpdated May 8, 2026
kjanat/threlte
development
VerifiedTrustedCommunity
Routes Threlte questions to exact, commit-pinned docs paths and practical workflows. Use when helping with setup, debugging, or architecture across @threlte/core, @threlte/extras, @threlte/gltf, @threlte/rapier, @threlte/theatre, @threlte/xr, @threlte/flex, and @threlte/studio.
SKILL.mdUpdated Apr 18, 2026
kjanat/lightning
testing
VerifiedTrustedCommunity
Comprehensive lightning physics knowledge base derived from Rakov & Uman (2003) "Lightning: Physics and Effects". Covers discharge types, current parameters, leader/return-stroke physics, cloud electrification, protection, detection systems, atmospheric effects, and quantitative reference data. Use when answering questions about lightning physics, electromagnetic fields, thunderstorm electricity, lightning protection, or atmospheric electrical phenomena.
SKILL.mdUpdated Apr 18, 2026
kjanat/index-knowledge
development
VerifiedTrustedCommunity
Generate hierarchical AGENTS.md knowledge base for a codebase. Creates root + complexity-scored subdirectory documentation.
SKILL.mdUpdated Apr 18, 2026