Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

nijaru/github-actions-workflows

Name: github-actions-workflows
Author: nijaru

dot_claude/skills/github-actions-workflows/SKILL.md

npx skillsauth add nijaru/dotfiles github-actions-workflows

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GitHub Actions Workflow Engineering

Core Mandates

Security: Never use ${{ inputs.* }} or ${{ github.event.* }} directly in run: blocks. Always map to env: variables.
Ordering: Follow the "Validation -> CI -> Build -> Verify -> Publish -> Tag" sequence. Tagging MUST be the final step.
Stability: Pin all action versions (@v4) and runtime versions. Never use @latest.
Efficiency: Enable native caching in setup actions (e.g., cache: true in setup-go).

Implementation Standards

1. Release Orchestration

Order matters for recoverability. Tag only after a successful publish.

Validate: Check version format and registry availability.
CI Suite: Run full tests/lints (superset of standard CI).
Build & Verify: Build artifact and run --version check.
Publish: Push to registry (npm, Cargo, PyPI).
Tag & Release: git tag and gh release create only after success.

2. Concurrency Control

# CI: Cancel redundant runs on same branch
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Release: NEVER cancel in-flight publishes
concurrency:
  group: release
  cancel-in-progress: false

3. Pre-flight Validations

Always verify state before side effects:

Version format (Regex check).
Tag non-existence (git ls-remote --tags).
Registry availability (e.g., npm view).

Security Injection Prevention

UNSAFE:

run: git tag "v${{ inputs.version }}"

SAFE:

jobs:
  release:
    env:
      VERSION: ${{ inputs.version }}
    steps:
      - run: git tag "v$VERSION"

Anti-Rationalization

Troubleshooting

Partial Failure: If publish fails, fix the cause and re-run. Pre-flight checks will pass as the registry remains clean.
Orphaned Tag: If a tag was pushed but publish failed, delete the remote tag before re-running.
Injection Risks: Audit all run: blocks for ${{ }} interpolation; replace with env: mapping immediately.

nijaru/github-actions-workflows

dot_claude/skills/github-actions-workflows/SKILL.md

Use when writing, auditing, or fixing GitHub Actions workflows for CI, release, or deployment. Trigger on new workflow creation, auditing existing ones, or debugging pipeline failures and incidents.

development

Updated Apr 22, 2026

$ install --global

skillsauth

npx skillsauth add nijaru/dotfiles github-actions-workflows

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 22, 2026, 5:09 PM110.4s1 file scanned

SKILL.md

name:: github-actions-workflows
description:: Use when writing, auditing, or fixing GitHub Actions workflows for CI, release, or deployment. Trigger on new workflow creation, auditing existing ones, or debugging pipeline failures and incidents.
allowed-tools:: Bash, Read, Grep, Glob, Edit

GitHub Actions Workflow Engineering

Core Mandates

Security: Never use ${{ inputs.* }} or ${{ github.event.* }} directly in run: blocks. Always map to env: variables.
Ordering: Follow the "Validation -> CI -> Build -> Verify -> Publish -> Tag" sequence. Tagging MUST be the final step.
Stability: Pin all action versions (@v4) and runtime versions. Never use @latest.
Efficiency: Enable native caching in setup actions (e.g., cache: true in setup-go).

Implementation Standards

1. Release Orchestration

Order matters for recoverability. Tag only after a successful publish.

Validate: Check version format and registry availability.
CI Suite: Run full tests/lints (superset of standard CI).
Build & Verify: Build artifact and run --version check.
Publish: Push to registry (npm, Cargo, PyPI).
Tag & Release: git tag and gh release create only after success.

2. Concurrency Control

# CI: Cancel redundant runs on same branch
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Release: NEVER cancel in-flight publishes
concurrency:
  group: release
  cancel-in-progress: false

3. Pre-flight Validations

Always verify state before side effects:

Version format (Regex check).
Tag non-existence (git ls-remote --tags).
Registry availability (e.g., npm view).

Security Injection Prevention

UNSAFE:

run: git tag "v${{ inputs.version }}"

SAFE:

jobs:
  release:
    env:
      VERSION: ${{ inputs.version }}
    steps:
      - run: git tag "v$VERSION"

Anti-Rationalization

Troubleshooting

Partial Failure: If publish fails, fix the cause and re-run. Pre-flight checks will pass as the registry remains clean.
Orphaned Tag: If a tag was pushed but publish failed, delete the remote tag before re-running.
Injection Risks: Audit all run: blocks for ${{ }} interpolation; replace with env: mapping immediately.

Related Skills

nijaru/second-pass

development

VerifiedTrustedCommunity

Use after completing a bug fix, feature, refactor, or tk task when the first implementation taught enough context to replace it with a simpler, cleaner, or more coherent version before finalizing.

SKILL.mdUpdated Apr 25, 2026

nijaru/zig-expert

development

VerifiedTrustedCommunity

Use when writing, migrating, or reviewing Zig code across recent stable versions (0.14-0.16), especially to correct stale syntax or stdlib, build.zig, allocator, formatting, or runtime API knowledge.

SKILL.mdUpdated Apr 22, 2026

nijaru/writer

documentation

VerifiedTrustedCommunity

Use when reviewing or revising text (prose, docs, commits) to remove AI patterns and improve voice/clarity.

SKILL.mdUpdated Apr 22, 2026

nijaru/twitter

content-media

VerifiedTrustedCommunity

Use when fetching X/Twitter post content by URL, or searching for recent X posts.

SKILL.mdUpdated Apr 22, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/nijaru/dotfiles.git

# Copy into Claude Code skills folder (global)
cp -r dotfiles/dot_claude/skills/github-actions-workflows ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

nijaru/dotfiles

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT