laurigates/github-workflow-auto-fix
github-actions-plugin/skills/github-workflow-auto-fix/SKILL.md
Set up automated CI fixing with Claude Code. Use when adding a workflow that analyzes failures, applies fixes, and files issues; pass --reusable for a multi-repo workflow_call template.
$ install --global
skillsauthnpx skillsauth add laurigates/claude-plugins github-workflow-auto-fixInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 7:46 AM41.0s2 files scanned
SKILL.md
- name:
- github-workflow-auto-fix
- description:
- Set up automated CI fixing with Claude Code. Use when adding a workflow that analyzes failures, applies fixes, and files issues; pass --reusable for a multi-repo workflow_call template.
- allowed-tools:
- Bash(gh run *), Bash(gh pr *), Bash(gh issue *), Bash(git status *), Bash(git diff *), Bash(git log *), Read, Write, Edit, Grep, Glob, TodoWrite
- args:
- [--setup] [--reusable] [--caller] [--workflows <names>] [--dry-run]
- argument-hint:
- --setup for single-repo inline, --reusable for a workflow_call template
- disable-model-invocation:
- true
- created:
- 2026-02-18
- modified:
- 2026-05-29
- reviewed:
- 2026-05-29
GitHub Workflow Auto-Fix
Automated CI failure analysis and remediation using Claude Code Action.
Two shapes, selected by flag:
| Shape | Flag | Output | Use for |
|-------|------|--------|---------|
| Single-repo inline (default) | --setup | One self-contained github-workflow-auto-fix.yml | A single repo that owns its auto-fix logic |
| Reusable workflow_call | --reusable (+ --caller) | A reusable-ci-autofix.yml definition plus a thin auto-fix.yml caller | Multiple repos invoking one shared template |
When to Use This Skill
| Use this skill when... | Use something else when... |
|------------------------|---------------------------|
| Setting up auto-fix for a single repo (default) | Fixing a single PR's checks (/git:fix-pr) |
| Setting up a reusable template multiple repos invoke (--reusable) | Inspecting workflow runs manually (/workflow:inspect) |
| Customizing which workflows trigger auto-fix | Writing new workflows from scratch (/workflow:dev) |
Context
- Inline workflow exists: !
find .github/workflows -maxdepth 1 -name 'github-workflow-auto-fix.yml' - Reusable workflow exists: !
find .github/workflows -maxdepth 1 -name 'reusable-ci-autofix.yml' -type f - Caller workflow exists: !
find .github/workflows -maxdepth 1 -name 'auto-fix.yml' -type f - Current workflows: !
find .github/workflows -maxdepth 1 -name '*.yml' -type f - Claude secrets configured: !
gh secret list
Parameters
Parse from $ARGUMENTS:
--setup: Create or update the single-repo inline workflow in.github/workflows/github-workflow-auto-fix.yml--reusable: Create or update the reusableworkflow_calldefinition in.github/workflows/reusable-ci-autofix.yml(see Step 5)--caller: Create the thin caller workflow in.github/workflows/auto-fix.ymlthat invokes the reusable definition (see Step 5)--workflows <names>: Comma-separated workflow names to monitor (default: auto-detect CI workflows)--dry-run: Show what would be created without writing files
Default (no --reusable/--caller) generates the single-repo inline workflow described in Steps 1–4. --reusable/--caller switch to the reusable variant in Step 5.
Execution
Execute this workflow setup process:
Step 1: Assess current state
- Check if
.github/workflows/github-workflow-auto-fix.ymlalready exists - List all current workflow files and their
name:fields - Check if
CLAUDE_CODE_OAUTH_TOKENsecret is configured
Step 2: Select workflows to monitor
If --workflows provided, use those. Otherwise, auto-detect suitable workflows:
Good candidates for auto-fix monitoring:
- CI/test workflows (lint, test, build, type-check)
- Code quality checks (formatting, style)
- Config validation workflows
Skip these (not suitable for auto-fix):
- Release workflows (release-please, deploy)
- Claude-powered workflows (avoid recursive triggers)
- Scheduled audit workflows
- Reusable workflow definitions
Step 3: Generate workflow file
If --setup or workflow is missing, create .github/workflows/github-workflow-auto-fix.yml.
The workflow's display name follows <Domain>: <Action> (Auto-fix: is the canonical domain for workflow_run-triggered remediation; quote the value because YAML treats : as a key separator). The strings under workflows: must match the display names of the target workflows exactly — update both sides whenever a target's name: changes. See .claude/rules/workflow-naming.md.
name: "Auto-fix: CI failures"
on:
workflow_run:
workflows:
# List monitored workflows by display name (must match their `name:` exactly)
- "Test: Suite"
- "Plugin: Lint skills"
types: [completed]
concurrency:
group: auto-fix-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: false
permissions:
contents: write
pull-requests: write
issues: write
actions: read
id-token: write
jobs:
auto-fix:
if: >-
github.event.workflow_run.conclusion == 'failure' &&
github.event.workflow_run.actor.type != 'Bot' &&
github.event.workflow_run.head_branch != 'main' &&
github.event.workflow_run.head_branch != 'master'
runs-on: ubuntu-latest
steps:
- name: Checkout failed branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
- name: Gather failure context
id: context
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
RUN_ID="${{ github.event.workflow_run.id }}"
gh run view "$RUN_ID" --log-failed 2>&1 | tail -500 > .auto-fix-failed-logs.txt
gh run view "$RUN_ID" --json conclusion,status,name,headBranch,headSha,jobs > .auto-fix-run-summary.json
PR_NUMBER=$(gh pr list --head "${{ github.event.workflow_run.head_branch }}" --json number --jq '.[0].number' 2>/dev/null || echo "")
echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
RECENT_FIX=$(git log --oneline -5 --format='%s' | grep -c 'fix:.*resolve CI failure' || true)
echo "recent_fix_count=$RECENT_FIX" >> "$GITHUB_OUTPUT"
- name: Skip if already attempted
if: steps.context.outputs.recent_fix_count != '0'
run: echo "::notice::Skipping - recent auto-fix commit exists"
- name: Analyze and fix with Claude
if: steps.context.outputs.recent_fix_count == '0'
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
direct_prompt: |
<analysis-and-fix-prompt>
additional_permissions: |
Read
Write
Edit
Grep
Glob
Bash(git *)
Bash(gh *)
Step 4: Validate and report
- Verify the workflow YAML is valid
- List the monitored workflows
- Check that required secrets exist
- Report any missing prerequisites
Step 5: Reusable variant (--reusable / --caller)
When --reusable or --caller is passed, generate the workflow_call shape instead of the single-repo inline workflow. The full templates live in REFERENCE.md.
--reusable— create.github/workflows/reusable-ci-autofix.ymlfrom REFERENCE.md § Reusable Workflow. Customize:auto_fixable_criteria/not_auto_fixable_criteriadefaults to match the project's tech stackverification_commandsdefault to match the project's linter/formatter commandsmax_turns(default: 50)
--caller— create.github/workflows/auto-fix.ymlfrom REFERENCE.md § Caller Workflow. Customize:- The monitored workflow
name:strings in theworkflows:list (display names — must match each target'sname:exactly) auto_fixable_criteria/verification_commandsoverrides for the project's tools
- The monitored workflow
- Display-name convention — the caller's
name:follows<Domain>: <Action>(Auto-fix: CI failuresis canonical; the reusable definition itself usesReusable: CI auto-fix). Quote values containing colons. See.claude/rules/workflow-naming.md. - Validate both YAML files, list the monitored workflows, and confirm
CLAUDE_CODE_OAUTH_TOKENorANTHROPIC_API_KEYexists.
The reusable variant adds dedup (max 2 open auto-fix PRs), workflow_dispatch with a pr_number input, and fan-out — see the Architecture and Safety Guards below, and REFERENCE.md for the rationale.
Architecture
Single-repo inline (default):
workflow_run (failure)
|
v
Gather logs & context
|
v
Claude analyzes failure
|
+---+---+
| |
v v
Fixable Complex/External
| |
v v
Fix & Open issue
push with analysis
| |
v v
Comment Comment on PR
on PR linking issue
The reusable variant wraps the same analyze→fix/issue core in a workflow_call definition fronted by a thin caller (workflow_run + workflow_dispatch with fan-out and a dedup gate). See REFERENCE.md § Reusable Workflow and § Cross-Repository Usage for the full templates.
Safety Guards
| Guard | Variant | Purpose |
|-------|---------|---------|
| actor.type != 'Bot' | both | Prevent bot-triggered loops |
| head_branch != 'main' | both | Never auto-fix main branch directly |
| Recent fix check / !startsWith(commit, 'fix(auto):') | both | Skip if auto-fix already attempted; prevent recursive loops |
| Concurrency group per branch | both | One auto-fix per branch at a time |
| max-turns limit | both | Limit Claude's iteration count (inline 30, reusable 50 default) |
| Max 2 open auto-fix PRs | reusable | Prevent PR flooding across repos |
| timeout-minutes: 30 | reusable | Prevent runaway jobs |
Prerequisites
| Requirement | How to set up |
|-------------|---------------|
| CLAUDE_CODE_OAUTH_TOKEN | Repository secret with Claude Code OAuth token |
| contents: write permission | Included in workflow permissions |
| pull-requests: write permission | Included in workflow permissions |
| issues: write permission | For creating issues on complex failures |
Agentic Optimizations
| Context | Command |
|---------|---------|
| Check recent failures | gh run list --status failure --json name,headBranch,conclusion -L 10 |
| Get failed logs | gh run view <id> --log-failed \| tail -500 |
| Run summary | gh run view <id> --json conclusion,status,jobs |
| Find associated PR | gh pr list --head <branch> --json number --jq '.[0].number' |
| List workflow names | grep -h '^name:' .github/workflows/*.yml |
Related Skills
laurigates/comfyui-node-scaffold
tools
VerifiedTrustedCommunity
Scaffold a new ComfyUI custom-node repo (pyproject, CI, release-please, vitest+pytest, JS extension skeleton) in the picker/gesture vein. Use when bootstrapping or init-ing a comfyui node pack.
35SKILL.mdUpdated Jun 5, 2026
laurigates/comfy-node
tools
VerifiedTrustedCommunity
Orchestrate a ComfyUI node pack from idea to registry: scaffold, create + seed the repo, open the gitops adoption PR. Use when releasing or spinning up a new comfyui node pack.
35SKILL.mdUpdated Jun 5, 2026
laurigates/endpoint-security-cpu
testing
VerifiedTrustedCommunity
macOS EndpointSecurity/EDR high CPU & battery drain. Use when Kandji ESF / XProtect pegs a core; trace the exec storm via powermetrics + eslogger.
35SKILL.mdUpdated Jun 4, 2026
laurigates/odiff-image-diffing
development
VerifiedTrustedCommunity
odiff pixel-by-pixel image diffing. Use when comparing screenshots, detecting visual regressions, diffing before/after PNGs, asserting golden images.
35SKILL.mdUpdated May 30, 2026