configure-plugin/skills/configure-workflows/SKILL.md
GitHub Actions CI/CD workflows for container builds, tests, releases. Use when updating outdated action versions, adding multi-platform builds, or auditing workflows.
Install with one command (works with Claude Code, Cursor, and Windsurf): `npx skillsauth add laurigates/claude-plugins configure-workflows`
Check and configure GitHub Actions CI/CD workflows against project standards.
| Use this skill when... | Use another approach when... |
|------------------------|------------------------------|
| Checking GitHub Actions workflows for compliance with project standards | Debugging a failing CI run (use github-actions-inspection skill) |
| Setting up container build, test, or release-please workflows | Installing Claude-powered reusable workflows (use /configure:reusable-workflows) |
| Updating outdated action versions (checkout, build-push, etc.) | Writing a custom workflow from scratch (use ci-workflows skill) |
| Adding multi-platform builds or GHA caching to existing workflows | Configuring security-specific workflows (use /configure:security) |
| Auditing which required workflows are missing from a project | Managing GitHub repository settings or branch protection rules |
Detection commands (run from the repository root):

```sh
# Is there a .github/workflows directory? (-name only matches the basename, so use -path)
find . -maxdepth 2 -type d -path './.github/workflows'
# Workflow files
find .github/workflows -maxdepth 1 \( -name '*.yml' -o -name '*.yaml' \)
# Project-type markers
find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)
# Dockerfile(s)
find . -maxdepth 1 -name 'Dockerfile*'
# release-please configuration
find . -maxdepth 1 -name 'release-please-config.json'
```

Skills referenced: ci-workflows, github-actions-auth-security
Display name convention: every generated or repaired workflow's `name:` follows `<Domain>: <Action> [<target>]` (quoted, since YAML treats `:` as a key separator). See `.claude/rules/workflow-naming.md` for the full rule and active domains.
Parse from command arguments:

- `--check-only`: Report status without offering fixes
- `--fix`: Apply fixes automatically

Execute this GitHub Actions workflow configuration check:
Verify latest versions before reporting outdated actions:

- actions/checkout
- actions/setup-node
- actions/cache
- docker/setup-buildx-action
- docker/build-push-action
- docker/login-action
- docker/metadata-action
- reproducible-containers/buildkit-cache-dance
- google-github-actions/release-please-action

Use WebSearch or WebFetch to verify current versions against each action's releases page.
Check the `.github/workflows/` directory and determine required workflows based on project type:

| Project Type | Required Workflows |
|--------------|-------------------|
| Frontend | container-build, release-please, renovate (optional: claude-auto-fix) |
| Python | container-build, release-please, test, renovate (optional: claude-auto-fix) |
| Infrastructure | release-please, renovate (optional: docs, claude-auto-fix) |
Container Build Workflow Checks:
| Check | Standard | Severity |
|-------|----------|----------|
| checkout action | v6 | WARN if older |
| build-push action | v7 | WARN if older |
| Multi-platform | amd64 + arm64 | WARN if missing |
| Registry | GHCR (ghcr.io) | INFO |
| Caching | GHA cache enabled | WARN if missing |
| Permissions | Explicit | WARN if missing |
| id-token: write | Required when provenance/SBOM enabled | WARN if missing |
| Cache scope | Explicit scope= when multiple build jobs | WARN if missing |
| Dead metadata tags | No type=schedule without schedule trigger | INFO |
| Semver regex escaping | Dots escaped in type=match patterns (\d+\.\d+) | WARN if unescaped |
| Hardcoded image names | Derive from ${{ github.repository }} | INFO if hardcoded |
| Digest output | Capture build-push digest via id: for traceability | INFO if missing |
| Job summary | Write image/digest/tags to $GITHUB_STEP_SUMMARY | INFO if missing |
| Duplicated job conditions | Identical if: on sibling jobs; suggest gate job | INFO |
Release Please Workflow Checks:
| Check | Standard | Severity |
|-------|----------|----------|
| Action version | v4 | WARN if older |
| Token | MY_RELEASE_PLEASE_TOKEN | WARN if GITHUB_TOKEN |
| Permissions | contents: write, pull-requests: write | FAIL if missing |
Test Workflow Checks:
| Check | Standard | Severity |
|-------|----------|----------|
| Node version | 22 | WARN if older |
| Linting | npm run lint | WARN if missing |
| Type check | npm run typecheck | WARN if missing |
| Coverage | Coverage upload | INFO |
Renovate Workflow Checks:
| Check | Standard | Severity |
|-------|----------|----------|
| RENOVATE_REPOSITORIES env var | Must be set (${{ github.repository }}) | FAIL if missing |
| checkout action | v6 | WARN if older |
| renovatebot/github-action | Minor-pinned (e.g., v46.1.0), not major tag | WARN if major-only |
| Uses reusable workflow | Preferred (except infrastructure) | INFO if standalone |
Claude Auto-Fix Workflow Checks (if present):
| Check | Standard | Severity |
|-------|----------|----------|
| workflow_run trigger | Monitors at least one workflow | WARN if misconfigured |
| Loop prevention | Skips fix(auto): commits | FAIL if missing |
| Deduplication | Caps open auto-fix PRs | WARN if missing |
| Claude Code Action | anthropics/claude-code-action@v1 | WARN if older |
| OAuth token | CLAUDE_CODE_OAUTH_TOKEN secret | FAIL if missing |
| Permissions | Minimal required set | WARN if excessive |
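As an added example (not the plugin's own code; its templates live in REFERENCE.md and are not reproduced here), the following Python script applies the version, multi-platform, caching, permissions, id-token, semver-escaping and hardcoded-image checks from the container-build table, plus the minor-pin rule from the renovate table, to two constructed workflows: one outdated, one that passes. The regex-based line scanning, the sample workflows and the function names are assumptions of this example; the standards it encodes are the ones in the tables above.

```python
"""Heuristic lint for the workflow checks tabulated above (added example).

It scans workflow text with regular expressions rather than a YAML parser
(an assumption made to stay dependency-free), so flow-style YAML, anchors or
multi-line values can defeat it; treat findings as review candidates.
"""
import re

# Minimum major versions from the container-build and renovate tables.
MIN_MAJOR = {"actions/checkout": 6, "docker/build-push-action": 7}
# Actions that must carry at least a minor version, not a bare major tag.
MINOR_PINNED = {"renovatebot/github-action"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")  # vN, vN.M, vN.M.P
# `\d+` followed by a bare `.`; the escaped form `\d+\.` does not match.
UNESCAPED_DOT_RE = re.compile(r"\\d\+\.")


def lint_action_pins(text: str) -> list[str]:
    """Version checks on every `uses:` line. SHA- or branch-pinned refs are skipped."""
    findings = []
    for action, ref in USES_RE.findall(text):
        tag = TAG_RE.match(ref)
        if not tag:
            continue  # commit SHA or branch name: nothing to compare
        major, minor = int(tag.group(1)), tag.group(2)
        if action in MIN_MAJOR and major < MIN_MAJOR[action]:
            findings.append(f"WARN: {action}@{ref} is older than v{MIN_MAJOR[action]}")
        if action in MINOR_PINNED and minor is None:
            findings.append(f"WARN: {action}@{ref} is a major-only tag; pin a minor version")
    return findings


def lint_container_workflow(text: str) -> list[str]:
    """Apply the container-build table: pins, platforms, cache, permissions, tags."""
    findings = lint_action_pins(text)
    platforms = re.search(r"^\s*platforms:\s*(.+)$", text, re.M)
    archs = set(re.findall(r"linux/(\w+)", platforms.group(1))) if platforms else set()
    if not {"amd64", "arm64"} <= archs:
        findings.append("WARN: multi-platform build (linux/amd64 + linux/arm64) missing")
    if "type=gha" not in text:
        findings.append("WARN: GHA cache (cache-from/cache-to: type=gha) missing")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("WARN: no explicit permissions block")
    attesting = re.search(r"^\s*(provenance|sbom):\s*(true|mode=)", text, re.M)
    if attesting and not re.search(r"^\s*id-token:\s*write", text, re.M):
        findings.append("WARN: provenance/SBOM enabled but id-token: write is missing")
    for line in text.splitlines():
        if "type=match" in line and UNESCAPED_DOT_RE.search(line):
            findings.append(f"WARN: unescaped dot in semver pattern: {line.strip()}")
    if re.search(r"images:\s*ghcr\.io/[\w-]+/[\w-]+", text):
        findings.append("INFO: image name hardcoded; derive it from ${{ github.repository }}")
    return findings


# Constructed sample workflows for this example (not the plugin's templates).
OUTDATED = r"""
name: "Container: Build image"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/metadata-action@v5
        with:
          images: ghcr.io/example-org/example-app
          tags: |
            type=match,pattern=v(\d+.\d+),group=1
      - uses: docker/build-push-action@v5
        with:
          push: true
          provenance: true
"""

COMPLIANT = r"""
name: "Container: Build image"
permissions:
  contents: read
  packages: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=match,pattern=v(\d+\.\d+),group=1
      - id: build
        uses: docker/build-push-action@v7
        with:
          push: true
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max,scope=build
          provenance: true
      - run: echo "digest=${{ steps.build.outputs.digest }}" >> "$GITHUB_STEP_SUMMARY"
"""

if __name__ == "__main__":
    for label, text in (("outdated", OUTDATED), ("compliant", COMPLIANT)):
        findings = lint_container_workflow(text)
        print(f"== {label}: {len(findings)} finding(s)", *findings, sep="\n  ")
```

Run as a script it reports eight findings for the outdated sample and none for the compliant one. The metadata-action version is intentionally not judged, since the tables above set no standard for it; verify it against the releases page as the checklist instructs.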
Print a formatted compliance report showing workflow status, per-workflow check results, and missing workflows.
If --check-only is set, stop here.
For the report format, see REFERENCE.md.
For standard templates (container build, test workflow), see REFERENCE.md.
Update `.project-standards.yaml`:

```yaml
components:
  workflows: "2025.1"
```
| Context | Command |
|---------|---------|
| Quick compliance check | /configure:workflows --check-only |
| Auto-fix all issues | /configure:workflows --fix |
| List workflow files | find .github/workflows -name '*.yml' -o -name '*.yaml' |
| Check action versions | rg 'uses:' .github/workflows/ --no-heading |
| Verify release-please config | test -f release-please-config.json && echo "EXISTS" |
| Flag | Description |
|------|-------------|
| --check-only | Report status without offering fixes |
| --fix | Apply fixes automatically |
Related commands and skills:

- /configure:container - Comprehensive container infrastructure (builds, registry, scanning)
- /configure:dockerfile - Dockerfile configuration and security
- /configure:release-please - Release automation specifics
- /configure:all - Run all compliance checks
- ci-workflows skill - Workflow patterns
- github-actions-inspection skill - Workflow debugging