Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

paulund/github-actions-claude

Name: github-actions-claude
Author: paulund

git-github-actions-claude/SKILL.md

npx skillsauth add paulund/skills github-actions-claude

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GitHub Actions + Claude Code Skill

Build GitHub Actions workflows that run Claude Code skills or prompts automatically.

Key concepts

Claude Code scheduled tasks vs GitHub Actions

Claude Code scheduled tasks (CronCreate) run locally and require Claude Code to be running on your machine
GitHub Actions workflows run on GitHub's servers — no local machine needed
To run a Claude skill in CI, use anthropics/claude-code-action@v1 inside a workflow

Local skills are available automatically

Any skill in .claude/skills/ is picked up by Claude Code when it runs in the checked-out repo
No marketplace config needed for local skills
Marketplace plugins are only needed for external plugins not in the repo

gh CLI authentication

GITHUB_TOKEN is automatically injected into every GitHub Actions environment
The gh CLI picks it up natively — never pass it explicitly as GH_TOKEN unless you need elevated permissions beyond the default token

Authentication

Use claude_code_oauth_token (existing Claude subscription) instead of anthropic_api_key:

claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

The CLAUDE_CODE_OAUTH_TOKEN secret must be added to the GitHub repo settings. The token value comes from the user's local Claude Code config.

Workflow structure

Minimal workflow (no branch/PR)

name: My Claude Task

on:
  schedule:
    - cron: '0 14 * * 5'  # Friday 2pm GMT
  workflow_dispatch:

jobs:
  run-claude:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Claude
        uses: anthropics/claude-code-action@v1
        with:
          prompt: "Your prompt or skill invocation here"
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Full workflow (branch + Claude does work + PR with reviewer)

Use this pattern when Claude should write files and you want the workflow to manage git and the PR:

name: My Claude Task

on:
  schedule:
    - cron: '0 14 * * 5'
  workflow_dispatch:

jobs:
  run-claude:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure git
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

      - name: Create branch
        id: create-branch
        run: |
          BRANCH="task/$(date +%Y-%m-%d)"
          git checkout -b "$BRANCH"
          git push -u origin "$BRANCH"
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"

      - name: Run Claude
        uses: anthropics/claude-code-action@v1
        with:
          prompt: "Your prompt here. Write files only — do not create a git branch or open a PR, the workflow will handle that."
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

      - name: Create pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BRANCH: ${{ steps.create-branch.outputs.branch }}
        run: |
          git add <path-to-files>
          git diff --cached --quiet && echo "No changes generated." && exit 0
          git commit -m "feat: describe what was generated"
          git push
          gh pr create \
            --title "PR title: $(date +%Y-%m-%d)" \
            --body "Auto-generated. Review before merging." \
            --base main \
            --head "$BRANCH" \
            --reviewer $REVIEWER_NAME

Why this split? The workflow owns the branch and PR lifecycle. The prompt tells Claude to write files only. This gives reliable reviewer assignment and clean commit messages without depending on Claude to run git commands correctly.

Plugins

Only add marketplace plugins when the prompt or skill references an external plugin:

- name: Run Claude
  uses: anthropics/claude-code-action@v1
  with:
    plugin_marketplaces: 'https://github.com/paulund/ai.git'
    plugins: 'plugin@marketplace'
    prompt: "..."
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

For multiple marketplaces or plugins, use YAML block style:

plugin_marketplaces: |
  https://github.com/paulund/ai.git
  https://github.com/anthropics/claude-code.git
plugins: |
  writing@paulund-ai
  code-review@claude-code-plugins

Cron schedule reference

Always add workflow_dispatch: alongside schedule: so the workflow can be triggered manually for testing.

Step-by-step: creating a new workflow

Identify the task — what skill or prompt should run, and when
Does it write files and need a PR? — use the full branch+PR pattern; otherwise use the minimal pattern
Does it use external plugins? — add plugin_marketplaces and plugins only if needed
Set the cron — use the reference above; always include workflow_dispatch
Tell Claude what NOT to do — if the workflow manages git/PR, instruct Claude in the prompt to write files only
Add reviewer — always add --reviewer $REVIEWER_NAME$ to gh pr create
Required secret — CLAUDE_CODE_OAUTH_TOKEN must exist in the repo's GitHub secrets

paulund/github-actions-claude

git-github-actions-claude/SKILL.md

Create GitHub Actions workflows that run Claude Code skills or prompts on a schedule or trigger. Use this skill when the user wants to automate a Claude Code task in CI, migrate a scheduled Claude task to GitHub Actions, or create a new workflow that uses claude-code-action.

1 stars

development

Updated Apr 20, 2026

$ install --global

skillsauth

npx skillsauth add paulund/skills github-actions-claude

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 20, 2026, 5:21 AM13.5s1 file scanned

SKILL.md

name:: github-actions-claude
description:: |

GitHub Actions + Claude Code Skill

Build GitHub Actions workflows that run Claude Code skills or prompts automatically.

Key concepts

Claude Code scheduled tasks vs GitHub Actions

Claude Code scheduled tasks (CronCreate) run locally and require Claude Code to be running on your machine
GitHub Actions workflows run on GitHub's servers — no local machine needed
To run a Claude skill in CI, use anthropics/claude-code-action@v1 inside a workflow

Local skills are available automatically

Any skill in .claude/skills/ is picked up by Claude Code when it runs in the checked-out repo
No marketplace config needed for local skills
Marketplace plugins are only needed for external plugins not in the repo

gh CLI authentication

GITHUB_TOKEN is automatically injected into every GitHub Actions environment
The gh CLI picks it up natively — never pass it explicitly as GH_TOKEN unless you need elevated permissions beyond the default token

Authentication

Use claude_code_oauth_token (existing Claude subscription) instead of anthropic_api_key:

claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

The CLAUDE_CODE_OAUTH_TOKEN secret must be added to the GitHub repo settings. The token value comes from the user's local Claude Code config.

Workflow structure

Minimal workflow (no branch/PR)

name: My Claude Task

on:
  schedule:
    - cron: '0 14 * * 5'  # Friday 2pm GMT
  workflow_dispatch:

jobs:
  run-claude:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Claude
        uses: anthropics/claude-code-action@v1
        with:
          prompt: "Your prompt or skill invocation here"
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Full workflow (branch + Claude does work + PR with reviewer)

Use this pattern when Claude should write files and you want the workflow to manage git and the PR:

name: My Claude Task

on:
  schedule:
    - cron: '0 14 * * 5'
  workflow_dispatch:

jobs:
  run-claude:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure git
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

      - name: Create branch
        id: create-branch
        run: |
          BRANCH="task/$(date +%Y-%m-%d)"
          git checkout -b "$BRANCH"
          git push -u origin "$BRANCH"
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"

      - name: Run Claude
        uses: anthropics/claude-code-action@v1
        with:
          prompt: "Your prompt here. Write files only — do not create a git branch or open a PR, the workflow will handle that."
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

      - name: Create pull request
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BRANCH: ${{ steps.create-branch.outputs.branch }}
        run: |
          git add <path-to-files>
          git diff --cached --quiet && echo "No changes generated." && exit 0
          git commit -m "feat: describe what was generated"
          git push
          gh pr create \
            --title "PR title: $(date +%Y-%m-%d)" \
            --body "Auto-generated. Review before merging." \
            --base main \
            --head "$BRANCH" \
            --reviewer $REVIEWER_NAME

Plugins

Only add marketplace plugins when the prompt or skill references an external plugin:

- name: Run Claude
  uses: anthropics/claude-code-action@v1
  with:
    plugin_marketplaces: 'https://github.com/paulund/ai.git'
    plugins: 'plugin@marketplace'
    prompt: "..."
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

For multiple marketplaces or plugins, use YAML block style:

plugin_marketplaces: |
  https://github.com/paulund/ai.git
  https://github.com/anthropics/claude-code.git
plugins: |
  writing@paulund-ai
  code-review@claude-code-plugins

Cron schedule reference

Always add workflow_dispatch: alongside schedule: so the workflow can be triggered manually for testing.

Step-by-step: creating a new workflow

Identify the task — what skill or prompt should run, and when
Does it write files and need a PR? — use the full branch+PR pattern; otherwise use the minimal pattern
Does it use external plugins? — add plugin_marketplaces and plugins only if needed
Set the cron — use the reference above; always include workflow_dispatch
Tell Claude what NOT to do — if the workflow manages git/PR, instruct Claude in the prompt to write files only
Add reviewer — always add --reviewer $REVIEWER_NAME$ to gh pr create
Required secret — CLAUDE_CODE_OAUTH_TOKEN must exist in the repo's GitHub secrets

Related Skills

paulund/quality-gate

development

VerifiedTrustedCommunity

Use when the user wants to run the project's lint + types + build sequence as a gate before pushing, opening a PR, or merging. Invoked by chained dev skills between phases. Trigger phrases - "/quality-gate", "run the quality gate", "check it builds".

2SKILL.mdUpdated May 10, 2026

paulund/pr-verify

tools

VerifiedTrustedCommunity

Use when the user wants to verify a PR's feature works at runtime by booting the dev server, exercising the affected UI via Chrome DevTools MCP, and posting a screenshot summary back to the PR. Idempotent — skips if `verified` or `verify-failed` is already on the PR. Trigger phrases - "/pr-verify", "verify this PR", "runtime check the pr".

2SKILL.mdUpdated May 10, 2026

paulund/pr-security-review

testing

VerifiedTrustedCommunity

Use when the user wants a security-focused review pass on a PR with findings actioned as commits on the same branch. Trigger phrases - "/pr-security-review", "security review and fix".

2SKILL.mdUpdated May 10, 2026

paulund/pr-security-review

paulund/pr-open

testing

VerifiedTrustedCommunity

Use when the user wants to open a pull request for an already-pushed branch that implements a specific issue. Idempotent — returns the existing PR if one is already open for the branch. Trigger phrases - "/pr-open", "open the pr", "create pr for this branch".

2SKILL.mdUpdated May 10, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/paulund/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/git-github-actions-claude ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

paulund/skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT