skills/ci-cd/jenkinsfile/generator/SKILL.md
Generates Jenkinsfiles with stages, agents, parallel builds, post-build actions, and security scanning for Declarative and Scripted pipeline syntaxes. Use when creating a Jenkins pipeline script, Groovy pipeline, or build configuration; implementing CI/CD workflows, continuous integration, or build automation; adding Docker/Kubernetes deployments, matrix builds, parameterized pipelines, or DevSecOps security scanning to a Jenkins setup.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```shell
npx skillsauth add pantheon-org/tekhne jenkinsfile-generator
```
Generate production-ready Jenkinsfiles following best practices. All generated files are validated with the devops-skills:jenkinsfile-validator skill.
Declarative pipeline (preferred). Process:

- Start from `assets/templates/declarative/basic.Jenkinsfile` and `references/best_practices.md`
- Add `parallelsAlwaysFailFast()` in `options` when using `parallel` blocks
- Add `fingerprint: true` when using `archiveArtifacts`

Scripted pipeline. Use for complex conditional logic, dynamic generation, or full Groovy control.
Process:

- Start from `assets/templates/scripted/basic.Jenkinsfile`

Parallel and matrix builds: use `parallel {}` or `matrix {}` with `axes {}` for multi-dimensional builds. See Parallel & Matrix below for `failFast` configuration.

Security scanning: add SonarQube, OWASP Dependency-Check, and Trivy stages with fail thresholds.

Shared library scaffolding (always use the script):

```shell
python3 scripts/generate_shared_library.py --name my-library --package org.example
```
```groovy
agent any // Any available agent
agent { label 'linux && docker' } // Label-based
agent { docker { image 'maven:3.9.11-eclipse-temurin-21' } }
agent { kubernetes { yaml '...' } } // K8s pod template
agent { kubernetes { yamlFile 'pod.yaml' } } // External YAML
```

```groovy
environment {
    VERSION = '1.0.0'
    AWS_KEY = credentials('aws-key-id') // Username/password credential: also creates AWS_KEY_USR and AWS_KEY_PSW
}
```

```groovy
options {
    buildDiscarder(logRotator(numToKeepStr: '10'))
    timeout(time: 1, unit: 'HOURS')
    disableConcurrentBuilds()
    timestamps()
    parallelsAlwaysFailFast()
    durabilityHint('PERFORMANCE_OPTIMIZED') // 2-6x faster for simple pipelines
}
```

```groovy
parameters {
    string(name: 'VERSION', defaultValue: '1.0.0')
    choice(name: 'ENV', choices: ['dev', 'staging', 'prod'])
    booleanParam(name: 'SKIP_TESTS', defaultValue: false)
}
```
| Condition | Example |
|-----------|---------|
| `branch` | `branch 'main'` or `branch pattern: 'release/*', comparator: 'GLOB'` |
| `tag` | `tag pattern: 'v*', comparator: 'GLOB'` |
| `changeRequest` | `changeRequest target: 'main'` |
| `changeset` | `changeset 'src/**/*.java'` |
| `expression` | `expression { env.DEPLOY == 'true' }` |
| `allOf`/`anyOf`/`not` | Combine conditions |
Add `beforeAgent true` to skip agent allocation when the condition fails.
```groovy
catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') { sh '...' }
warnError('msg') { sh '...' } // Mark UNSTABLE but continue
unstable(message: 'Coverage low') // Explicit UNSTABLE
error('Config missing') // Fail without stack trace
```

```groovy
post {
    always { junit '**/target/*.xml'; cleanWs() }
    success { archiveArtifacts artifacts: '**/*.jar', fingerprint: true }
    failure { slackSend color: 'danger', message: 'Build failed' }
    fixed { echo 'Build fixed!' }
}
```
Order: always → changed → fixed → regression → failure → success → unstable → cleanup
Always use `fingerprint: true` with `archiveArtifacts` for build traceability.
Always add parallelsAlwaysFailFast() to pipeline options {} block — covers all parallel/matrix blocks automatically. Use per-block failFast true only when options-level is not set:
```groovy
// Per-block alternative (when options-level not set)
stage('Tests') {
    failFast true
    parallel {
        stage('Unit') { steps { sh 'npm run test:unit' } }
        stage('E2E') { steps { sh 'npm run test:e2e' } }
    }
}
```

```groovy
stage('Matrix') {
    matrix {
        axes {
            axis { name 'PLATFORM'; values 'linux', 'windows' }
            axis { name 'BROWSER'; values 'chrome', 'firefox' }
        }
        excludes { exclude { axis { name 'PLATFORM'; values 'linux' }; axis { name 'BROWSER'; values 'safari' } } }
        stages { stage('Test') { steps { echo "Testing ${PLATFORM}/${BROWSER}" } } }
    }
}
```

```groovy
stage('Deploy') {
    input { message 'Deploy?'; ok 'Deploy'; submitter 'admin,ops' }
    steps { sh './deploy.sh' }
}
```
Place `input` outside `steps` so the stage pauses before an agent is allocated, rather than holding an executor while waiting for approval.
```groovy
node('agent-label') {
    try {
        stage('Build') { sh 'make build' }
        stage('Test') { sh 'make test' }
    } catch (Exception e) {
        currentBuild.result = 'FAILURE'
        throw e
    } finally {
        deleteDir()
    }
}

// Parallel
parallel(
    'Unit': { node { sh 'npm run test:unit' } },
    'E2E': { node { sh 'npm run test:e2e' } }
)

// Environment
withEnv(['VERSION=1.0.0']) { sh 'echo $VERSION' }
withCredentials([string(credentialsId: 'key', variable: 'KEY')]) { sh 'curl -H "Auth: $KEY" ...' }
```

```groovy
@NonCPS
def parseJson(String json) {
    new groovy.json.JsonSlurper().parseText(json)
}
```
`@NonCPS` is required for non-serializable operations (JsonSlurper, iterators, regex Matchers). Do not call pipeline steps inside a `@NonCPS` method.
```groovy
agent { docker { image 'maven:3.9.11'; args '-v $HOME/.m2:/root/.m2'; reuseNode true } }
```

```groovy
def img = docker.build("myapp:${BUILD_NUMBER}")
docker.withRegistry('https://registry.example.com', 'creds') { img.push(); img.push('latest') }
```

```groovy
agent {
    kubernetes {
        yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven
    image: maven:3.9.11-eclipse-temurin-21
    command: [sleep, 99d]
'''
    }
}
// Use: container('maven') { sh 'mvn package' }
```

```groovy
@Library('my-shared-library') _
// or dynamically: library '[email protected]'
```

```groovy
// vars/log.groovy
def info(msg) { echo "INFO: ${msg}" }
// Usage
log.info 'Starting build'
```
ALWAYS validate using the devops-skills:jenkinsfile-validator skill. Validation commands:

```shell
# Full validation (syntax + security + best practices)
bash scripts/validate_jenkinsfile.sh Jenkinsfile
# Syntax only (fastest)
bash scripts/validate_jenkinsfile.sh --syntax-only Jenkinsfile
```
Use the generator scripts for simple, standard pipelines. Use manual generation for complex pipelines with custom logic or non-standard requirements.

```shell
# Declarative (simple pipelines)
python3 scripts/generate_declarative.py --output Jenkinsfile --stages build,test,deploy --agent docker
# Scripted (simple pipelines)
python3 scripts/generate_scripted.py --output Jenkinsfile --stages build,test --agent label:linux
# Shared Library (always use script for scaffolding)
python3 scripts/generate_shared_library.py --name my-library --package com.example
```
Always consult external docs for plugins not covered in `references/common_plugins.md`. Skip the external lookup when the plugin is covered in `references/common_plugins.md` or the step is a core pipeline step (`sh`, `checkout scm`, `junit`).

Covered plugins: Git, Docker, Kubernetes, Credentials, JUnit, Slack, SonarQube, OWASP Dependency-Check, Email, AWS, Azure, HTTP Request, Microsoft Teams, Nexus, Artifactory, GitHub
| Avoid | Prefer |
|-------|--------|
| Scripted `node { ... }` for a simple pipeline | `pipeline { agent any stages { ... } }` Declarative syntax |
| Secrets passed as `parameters { string(name: 'API_KEY', ...) }` | `withCredentials([string(credentialsId: 'api-key-prod', variable: 'API_KEY')]) { ... }` |
| Sequential stages where `parallel { }` blocks would do | `parallel { stage('Lint') { ... } stage('Unit Test') { ... } }` |
| No `post` block in the pipeline | `post { always { cleanWs() } }` in every Declarative pipeline |
| `sh` with inline secret variable expansion: `sh "curl -H 'Authorization: Bearer ${API_KEY}'"` | `withCredentials([...]) { sh 'curl -H "Authorization: Bearer $API_KEY"' }` (single quotes prevent Groovy expansion; the credential is still available via the environment) |

```groovy
// Minimal Declarative Pipeline
pipeline {
    agent any
    stages {
        stage('Build') { steps { sh 'make' } }
        stage('Test') { steps { sh 'make test' } }
    }
}

// Error-tolerant stage
stage('Flaky Tests') {
    steps {
        catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
            sh 'run-flaky-tests.sh'
        }
    }
}

// Conditional deployment with approval
stage('Deploy') {
    when { branch 'main'; beforeAgent true }
    input { message 'Deploy to production?' }
    steps { sh './deploy.sh' }
}
```
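The security-scanning stages with fail thresholds and the credential-handling rule from the table above, combined into one Declarative Jenkinsfile. This is an added example, not one of the skill's templates; it assumes a Maven project, an agent with `mvn` and `trivy` installed, a SonarQube server registered in Jenkins under the name `sonarqube`, and a Secret Text credential with id `deploy-token` (all assumed names).

```groovy
pipeline {
    agent { label 'linux' }   // assumed: mvn and trivy are installed on this agent
    options {
        timeout(time: 1, unit: 'HOURS')
        parallelsAlwaysFailFast()   // one failing scan stops the other parallel scans
        buildDiscarder(logRotator(numToKeepStr: '10'))
    }
    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('Security Scans') {
            parallel {
                stage('OWASP Dependency-Check') {
                    // failBuildOnCVSS=7 fails the stage on any dependency CVE scored HIGH or CRITICAL
                    steps { sh 'mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7' }
                }
                stage('Trivy') {
                    // --exit-code 1 turns HIGH/CRITICAL findings in the workspace into a failed stage
                    steps { sh 'trivy fs --exit-code 1 --severity HIGH,CRITICAL .' }
                }
                stage('SonarQube') {
                    // 'sonarqube' is the assumed server name configured in Jenkins; the plugin injects
                    // the analysis token as an environment variable, so it never appears in Groovy code
                    steps { withSonarQubeEnv('sonarqube') { sh 'mvn -B sonar:sonar' } }
                }
            }
        }
        stage('Quality Gate') {
            // Fails the pipeline when the SonarQube quality gate status is not OK
            steps { timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } }
        }
        stage('Deploy') {
            when { branch 'main'; beforeAgent true }
            input { message 'Deploy to production?'; submitter 'ops' }
            steps {
                // 'deploy-token' is an assumed Secret Text credential id; the URL is a constructed example.
                // Single quotes leave $DEPLOY_TOKEN to the shell, so Groovy never interpolates the secret.
                withCredentials([string(credentialsId: 'deploy-token', variable: 'DEPLOY_TOKEN')]) {
                    sh 'curl -fsS -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.example.com/release'
                }
            }
        }
    }
    post {
        always { junit allowEmptyResults: true, testResults: '**/target/surefire-reports/*.xml'; cleanWs() }
        success { archiveArtifacts artifacts: '**/*.jar', fingerprint: true }
    }
}
```

`waitForQualityGate` relies on the SonarQube server's webhook reaching Jenkins; without it the Quality Gate stage waits until the 10-minute timeout aborts it.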
| Option | Purpose |
|--------|---------|
| `timeout(time: 1, unit: 'HOURS')` | Prevent hung builds |
| `buildDiscarder(logRotator(numToKeepStr: '10'))` | Manage disk space |
| `disableConcurrentBuilds()` | Prevent race conditions |
| `catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE')` | Continue on error |
- `references/best_practices.md` - Performance, security, reliability patterns
- `references/common_plugins.md` - Git, Docker, K8s, credentials, notifications
- `assets/templates/` - Declarative and scripted templates
- devops-skills:jenkinsfile-validator skill - Syntax and best practices validation

Always prefer Declarative unless scripted flexibility is required.