popoffvg/writing-github-actions
harness/plugins/ci-github/claude/skills/writing-github-actions/SKILL.md
Write GitHub Actions workflows with proper syntax, reusable workflows, composite actions, matrix builds, caching, and security best practices. Use when creating CI/CD workflows for GitHub-hosted projects or automating GitHub repository tasks.
$ install --global
skillsauthnpx skillsauth add popoffvg/dotfiles writing-github-actionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 4:40 AM133.9s16 files scanned
SKILL.md
- name:
- writing-github-actions
- description:
- Write GitHub Actions workflows with proper syntax, reusable workflows, composite actions, matrix builds, caching, and security best practices. Use when creating CI/CD workflows for GitHub-hosted projects or automating GitHub repository tasks.
Writing GitHub Actions
Create GitHub Actions workflows for CI/CD pipelines, automated testing, deployments, and repository automation using YAML-based configuration with native GitHub integration.
Purpose
GitHub Actions is the native CI/CD platform for GitHub repositories. This skill covers workflow syntax, triggers, job orchestration, reusable patterns, optimization techniques, and security practices specific to GitHub Actions.
Core Focus:
- Workflow YAML syntax and structure
- Reusable workflows and composite actions
- Matrix builds and parallel execution
- Caching and optimization strategies
- Secrets management and OIDC authentication
- Concurrency control and artifact management
Not Covered:
- CI/CD pipeline design strategy → See
building-ci-pipelines - GitOps deployment patterns → See
gitops-workflows - Infrastructure as code → See
infrastructure-as-code - Testing frameworks → See
testing-strategies
When to Use This Skill
Trigger this skill when:
- Creating CI/CD workflows for GitHub repositories
- Automating tests, builds, and deployments via GitHub Actions
- Setting up reusable workflows across multiple repositories
- Optimizing workflow performance with caching and parallelization
- Implementing security best practices for GitHub Actions
- Troubleshooting GitHub Actions YAML syntax or behavior
Workflow Fundamentals
Basic Workflow Structure
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- run: npm ci
- run: npm test
Key Components:
name: Workflow display nameon: Trigger events (push, pull_request, schedule, workflow_dispatch)jobs: Job definitions (run in parallel by default)runs-on: Runner type (ubuntu-latest, windows-latest, macos-latest)steps: Sequential operations (uses actions or run commands)
Common Triggers
# Code events
on:
push:
branches: [main, develop]
paths: ['src/**']
pull_request:
types: [opened, synchronize, reopened]
# Manual trigger
on:
workflow_dispatch:
inputs:
environment:
type: choice
options: [dev, staging, production]
# Scheduled
on:
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTC
For complete trigger reference, see references/triggers-events.md.
Decision Frameworks
Reusable Workflow vs Composite Action
Use Reusable Workflow when:
- Standardizing entire CI/CD jobs across repositories
- Need complete job replacement with inputs/outputs
- Want secrets to inherit by default
- Orchestrating multiple steps with job-level configuration
Use Composite Action when:
- Packaging 5-20 step sequences for reuse
- Need step-level abstraction within jobs
- Want to distribute via marketplace or private repos
- Require local file access without artifacts
| Feature | Reusable Workflow | Composite Action |
|---------|------------------|------------------|
| Scope | Complete job | Step sequence |
| Trigger | workflow_call | uses: in step |
| Secrets | Inherit by default | Must pass explicitly |
| File Sharing | Requires artifacts | Same runner/workspace |
For detailed patterns, see references/reusable-workflows.md and references/composite-actions.md.
Caching Strategy
Use Built-in Setup Action Caching (Recommended):
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm' # or 'yarn', 'pnpm'
Available for: Node.js, Python (pip), Java (maven/gradle), .NET, Go
Use Manual Caching when:
- Need custom cache keys
- Caching build outputs or non-standard paths
- Implementing multi-layer cache strategies
- uses: actions/cache@v4
with:
path: ~/.npm
key: ${{ runner.os }}-deps-${{ hashFiles('**/package-lock.json') }}
restore-keys: ${{ runner.os }}-deps-
For optimization techniques, see references/caching-strategies.md.
Self-Hosted vs GitHub-Hosted Runners
Use GitHub-Hosted Runners when:
- Standard build environments sufficient
- No private network access required
- Within budget or free tier limits
Use Self-Hosted Runners when:
- Need specific hardware (GPU, ARM, high memory)
- Require private network/VPN access
- High usage volume (cost optimization)
- Custom software must be pre-installed
Common Patterns
Multi-Job Workflow with Dependencies
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- run: npm run build
- uses: actions/upload-artifact@v4
with:
name: dist
path: dist/
test:
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v5
with:
name: dist
- run: npm test
deploy:
needs: [build, test]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/download-artifact@v5
- run: ./deploy.sh
Key Elements:
needs:creates job dependencies (sequential execution)- Artifacts pass data between jobs
if:enables conditional executionenvironment:enables protection rules and environment secrets
Matrix Builds
jobs:
test:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
node: [18, 20, 22]
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node }}
- run: npm test
Result: 9 jobs (3 OS × 3 Node versions)
For advanced matrix patterns, see examples/matrix-build.yml.
Concurrency Control
# Cancel in-progress runs on new push
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Single deployment per environment
jobs:
deploy:
concurrency:
group: production-deployment
cancel-in-progress: false
steps: [...]
Reusable Workflows
Defining a Reusable Workflow
File: .github/workflows/reusable-build.yml
name: Reusable Build
on:
workflow_call:
inputs:
node-version:
type: string
default: '20'
secrets:
NPM_TOKEN:
required: false
outputs:
artifact-name:
value: ${{ jobs.build.outputs.artifact }}
jobs:
build:
runs-on: ubuntu-latest
outputs:
artifact: build-output
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
with:
node-version: ${{ inputs.node-version }}
- run: npm ci && npm run build
- uses: actions/upload-artifact@v4
with:
name: build-output
path: dist/
Calling a Reusable Workflow
jobs:
build:
uses: ./.github/workflows/reusable-build.yml
with:
node-version: '20'
secrets: inherit # Same org only
For complete reusable workflow guide, see references/reusable-workflows.md.
Composite Actions
Defining a Composite Action
File: .github/actions/setup-project/action.yml
name: 'Setup Project'
description: 'Install dependencies and setup environment'
inputs:
node-version:
description: 'Node.js version'
default: '20'
outputs:
cache-hit:
value: ${{ steps.cache.outputs.cache-hit }}
runs:
using: "composite"
steps:
- uses: actions/setup-node@v4
with:
node-version: ${{ inputs.node-version }}
cache: 'npm'
- id: cache
uses: actions/cache@v4
with:
path: node_modules
key: ${{ runner.os }}-deps-${{ hashFiles('**/package-lock.json') }}
- if: steps.cache.outputs.cache-hit != 'true'
shell: bash
run: npm ci
Key Requirements:
runs.using: "composite"marks action typeshell:required for allrunsteps- Access inputs via
${{ inputs.name }}
Using a Composite Action
steps:
- uses: actions/checkout@v5
- uses: ./.github/actions/setup-project
with:
node-version: '20'
- run: npm run build
For detailed composite action patterns, see references/composite-actions.md.
Security Best Practices
Secrets Management
jobs:
deploy:
runs-on: ubuntu-latest
environment: production # Uses environment secrets
steps:
- env:
API_KEY: ${{ secrets.API_KEY }}
run: ./deploy.sh
OIDC Authentication (No Long-Lived Credentials)
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
id-token: write # Required for OIDC
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
aws-region: us-east-1
- run: aws s3 sync ./dist s3://my-bucket
Minimal Permissions
# Workflow-level
permissions:
contents: read
pull-requests: write
# Job-level
jobs:
deploy:
permissions:
contents: write
deployments: write
steps: [...]
Action Pinning
# Pin to commit SHA (not tags)
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v5.0.0
Enable Dependabot:
File: .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
For comprehensive security guide, see references/security-practices.md.
Optimization Techniques
Use built-in caching in setup actions (cache: 'npm'), run independent jobs in parallel, add conditional execution with if:, and minimize checkout depth (fetch-depth: 1).
For detailed optimization strategies, see references/caching-strategies.md.
Context Variables
Common contexts: github.*, secrets.*, inputs.*, matrix.*, runner.*
- run: echo "Branch: ${{ github.ref }}, Event: ${{ github.event_name }}"
For complete syntax reference, see references/workflow-syntax.md.
Progressive Disclosure
Detailed References
For comprehensive coverage of specific topics:
- references/workflow-syntax.md - Complete YAML syntax reference
- references/reusable-workflows.md - Advanced reusable workflow patterns
- references/composite-actions.md - Composite action deep dive
- references/caching-strategies.md - Optimization and caching techniques
- references/security-practices.md - Comprehensive security guide
- references/triggers-events.md - All trigger types and event filters
- references/marketplace-actions.md - Recommended actions catalog
Working Examples
Complete workflow templates ready to use:
- examples/basic-ci.yml - Simple CI workflow
- examples/matrix-build.yml - Matrix strategy examples
- examples/reusable-deploy.yml - Reusable deployment workflow
- examples/composite-setup/ - Composite action template
- examples/monorepo-workflow.yml - Monorepo with path filters
- examples/security-scan.yml - Security scanning workflow
Validation Scripts
- scripts/validate-workflow.sh - Validate YAML syntax
Related Skills
building-ci-pipelines- CI/CD pipeline design strategygitops-workflows- GitOps deployment patternsinfrastructure-as-code- Terraform/Pulumi integrationtesting-strategies- Test frameworks and coveragesecurity-hardening- SAST/DAST toolsgit-workflows- Understanding branches and PRs
Related Skills
popoffvg/test-set-write
testing
VerifiedTrustedCommunity
Use when the user asks to create test sets, enumerate scenarios, generate edge cases, or draft a coverage matrix before implementation.
2SKILL.mdUpdated Jun 2, 2026
popoffvg/test-set-verify
testing
VerifiedTrustedCommunity
Use when the user asks to review, audit, score, or validate test sets for missed cases before execution or merge.
2SKILL.mdUpdated Jun 2, 2026
popoffvg/test-harness-plugin
tools
VerifiedTrustedCommunity
Test harness plugins in isolation using tmux panes. Runs MCP servers, unit tests, typecheck, and Claude plugin loading. Use when user says "test plugin", "check plugin", "run plugin tests", "validate plugin", or names a specific plugin to test.
2SKILL.mdUpdated Jun 2, 2026
popoffvg/test-bdd
development
VerifiedTrustedCommunity
Guide for designing integration and e2e tests using BDD (Behavior-Driven Development) methodology with Cucumber-style Given/When/Then scenarios. Use when writing or reviewing tests for any service, API, or component. Language-agnostic — covers scenario structure, step notation, assertion principles, async patterns, and common anti-patterns.
2SKILL.mdUpdated Jun 2, 2026