skills/platform/github-actions/SKILL.md
Write secure, optimized GitHub Actions workflows. Security-first approach with performance optimization. Use when: "GitHub Actions", "CI/CD pipeline", "workflow YAML", "deploy pipeline", "automate deployment", "debug workflow", "Actions security"
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```sh
npx skillsauth add mikeparcewski/wicked-garden github-actions
```
Write production-ready GitHub Actions workflows with security and performance built in.
Every workflow should follow these rules:
```yaml
# ALWAYS declare permissions explicitly
permissions:
  contents: read  # Minimum needed
# NEVER use write-all or leave permissions implicit
```

```yaml
# Good - pinned to SHA
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0
# Acceptable - pinned to major version
uses: actions/checkout@v4
# Bad - unpinned
uses: actions/checkout@main
```

`${{ }}` expressions are expanded into the script text before the shell runs it, so a value controlled by whoever opened the issue or PR becomes part of the command; passing it through an environment variable keeps it as data.

```yaml
# NEVER interpolate untrusted input directly
run: echo "${{ github.event.issue.title }}"  # DANGEROUS

# Use environment variables instead
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"  # Safe
```
Full copy-paste templates live in refs/templates.md. Quick reference:
| Template | Key shape | See |
|----------|-----------|-----|
| Minimal CI | permissions: contents: read + concurrency + actions/setup-node@v4 cache | refs/templates.md § Node.js CI |
| Multi-Environment Deploy | Deploy job with environment: approval gates + OIDC-based AWS auth | refs/templates.md § Deploy to AWS (OIDC) |
| OIDC for Cloud (No Secrets) | permissions: id-token: write + aws-actions/configure-aws-credentials@v4 | refs/templates.md § Deploy to AWS (OIDC) |
| Docker build/push | docker/setup-buildx-action + docker/build-push-action with GHA cache | refs/templates.md § Docker Build and Push |
| Security scanning | CodeQL on schedule + push, security-events: write permission | refs/templates.md § Security Scanning |
```yaml
# Node.js (built into setup-node)
- uses: actions/setup-node@v4
  with:
    cache: 'npm'

# Python
- uses: actions/setup-python@v5
  with:
    cache: 'pip'

# Custom cache
- uses: actions/cache@v4
  with:
    path: ~/.cache/my-tool
    key: ${{ runner.os }}-my-tool-${{ hashFiles('**/lockfile') }}
```
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true  # Cancel stale runs
```
```yaml
# paths and paths-ignore cannot be combined on the same event;
# exclude with a leading '!' inside paths instead
on:
  push:
    paths:
      - 'src/**'
      - 'package.json'
      - '!**.md'
      - '!docs/**'
```
```yaml
strategy:
  matrix:
    node: [18, 20, 22]
    os: [ubuntu-latest, windows-latest]
  fail-fast: false  # Don't cancel others on failure
```
| Mistake | Fix |
|---------|-----|
| No timeout | Add timeout-minutes: 15 |
| No concurrency | Add concurrency group |
| Implicit permissions | Declare explicitly |
| pull_request_target misuse | Use pull_request unless you need write access |
| Unpinned actions | Pin to SHA or major version |
| Direct input interpolation | Use env vars |
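As an added example (not part of this skill's own refs), a dependency-free Python audit that checks a workflow file against the rules above and the mistakes in the table: explicit permissions and no `write-all`, a concurrency group, `timeout-minutes`, the `pull_request_target` trigger, unpinned action refs, and untrusted event contexts interpolated into `run:` (including inside `run: |` block scalars). It is line-oriented rather than a YAML parser, so it is a cheap CI guardrail, not a substitute for review; both workflows it scans are constructed for the example, and the set of contexts treated as untrusted is an assumption.

```python
import re

# A 40-hex commit SHA is immutable; a version tag such as v4 is acceptable per the table above.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v\d+(\.\d+){0,2}$")
# Assumed set of contexts whose values are written by whoever opened the issue or PR.
UNTRUSTED_CTX = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|head_commit|commits)|head_ref)\b"
)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")


def check_uses(ref):
    """Return a finding for an unpinned `uses:` ref, or None when it is acceptable."""
    if "@" not in ref:  # local (./path) and docker:// actions carry no ref
        return None
    version = ref.split("@", 1)[1]
    if SHA_RE.match(version) or TAG_RE.match(version):
        return None
    return f"unpinned action '{ref}' (pin to a commit SHA or a major version tag)"


def audit_workflow(text):
    """Return a list of findings: file-level checks first, then per-line ones."""
    findings = []
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("implicit permissions (declare `permissions:` explicitly)")
    if re.search(r"^\s*permissions:\s*write-all\s*$", text, re.M):
        findings.append("permissions: write-all (grant only what the job needs)")
    if not re.search(r"^\s*concurrency:", text, re.M):
        findings.append("no concurrency group (stale runs are never cancelled)")
    if not re.search(r"^\s*timeout-minutes:", text, re.M):
        findings.append("no timeout-minutes on any job")
    if re.search(r"^\s*pull_request_target:", text, re.M):
        findings.append("pull_request_target trigger (use pull_request unless write access is required)")

    block_indent = None  # indentation of a `run: |` key while inside its block scalar
    for num, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if line.strip() and indent <= block_indent:
                block_indent = None  # block scalar ended; fall through to normal checks
            else:
                if UNTRUSTED_CTX.search(line):
                    findings.append(f"line {num}: untrusted context interpolated into run: (pass it via env:)")
                continue
        m = USES_RE.match(line)
        if m:
            finding = check_uses(m.group(1))
            if finding:
                findings.append(f"line {num}: {finding}")
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", "|+", ">", ">-", ">+"):
                block_indent = indent
            elif UNTRUSTED_CTX.search(body):
                findings.append(f"line {num}: untrusted context interpolated into run: (pass it via env:)")
    return findings


# Constructed workflow that breaks most rules in the table above.
SAMPLE_WORKFLOW = """\
name: issue-greeter
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/checkout@v4
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: shout
        run: echo "${{ github.event.issue.title }}"
      - name: safer
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "$TITLE"
          echo "${{ github.event.issue.body }}"
"""

# Constructed hardened version of the same workflow.
HARDENED_WORKFLOW = """\
name: issue-greeter
on:
  issues:
    types: [opened]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  greet:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: safer
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "$TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["clean"])
```

Running it reports six findings for the first workflow (implicit permissions, no concurrency, no timeout, the `@main` ref on line 9, and the two `run:` interpolations on lines 13 and 19) and none for the hardened one; the `env:` mapping on line 16 is deliberately not flagged because the value never reaches a shell as code.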
When generating workflows, follow this checklist:

- contents: read, add only what's needed

See also:

- refs/security.md - Detailed security practices
- refs/templates.md - Copy-paste templates
- refs/troubleshooting.md - Common errors and fixes