Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

thesammykins/github-actions-expert

Name: github-actions-expert
Author: thesammykins

.agents/skills/github-actions-expert/SKILL.md

npx skillsauth add thesammykins/dotfiles github-actions-expert

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

What I do

Author complete GitHub Actions workflows (.github/workflows/*.yml).
Audit existing workflows for security vulnerabilities (injection, excessive permissions).
Optimize CI/CD pipelines for speed (caching) and maintainability (reusable workflows).
Implement secure secret management patterns.

When to use me

When creating CI/CD pipelines (test, build, deploy).
When automating repository tasks (labeling, releasing).
When asked to "fix github actions" or "secure the pipeline".
Triggers: "create workflow", "github action", "ci pipeline".

Instructions

1. Security First (Non-Negotiable)

Permissions: ALWAYS define permissions: {} at the top level and grant specific permissions at the job level.
```
permissions:
  contents: read # Default to read-only
```
Script Injection: NEVER interpolate untrusted input directly into shell scripts.
- BAD: run: echo "Title: ${{ github.event.issue.title }}"
- GOOD:
```
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "Title: $TITLE"
```
Secrets: NEVER hardcode secrets. Use ${{ secrets.MY_SECRET }}.
Pinning: Recommend pinning actions to a specific commit SHA, not a tag, for high-security environments.
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

2. Operational Excellence

Concurrency: Use concurrency groups to cancel outdated runs on PRs.

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

Timeouts: ALWAYS set a timeout-minutes for jobs to prevent stuck runners costing money/time.
Caching: Use actions/cache or language-specific setup actions (e.g., setup-node with cache: 'npm') to speed up builds.

3. Architecture Patterns

Reusable Workflows: Extract common logic (setup, linting) into common.yml to adhere to DRY (Don't Repeat Yourself).
Matrix Builds: Use strategy matrices for testing multiple versions/OSs efficiently.
Fail Fast: Default fail-fast: true in matrices, but consider false if you want full coverage reports despite failures.

4. Anti-Patterns to Avoid

pull_request_target Abuse: Be extremely careful. Never checkout and run code from a fork with write permissions.
Inline Scripts: For scripts > 5 lines, create a separate .sh or .py file in the repo and call it. This makes it testable and lintable.
Blind Updates: Don't use @latest or @master. It breaks builds unexpectedly.

5. Example "Senior" Workflow Snippet

name: CI
on:
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'npm'
      - run: npm ci
      - run: npm test

thesammykins/github-actions-expert

.agents/skills/github-actions-expert/SKILL.md

Expert guidance for creating secure, scalable, and efficient GitHub Actions workflows. Enforces security best practices and enterprise-grade patterns.

testing

Updated Apr 17, 2026

$ install --global

skillsauth

npx skillsauth add thesammykins/dotfiles github-actions-expert

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 17, 2026, 5:35 AM4.4s1 file scanned

SKILL.md

name:: github-actions-expert
description:: Expert guidance for creating secure, scalable, and efficient GitHub Actions workflows. Enforces security best practices and enterprise-grade patterns.
license:: MIT

What I do

Author complete GitHub Actions workflows (.github/workflows/*.yml).
Audit existing workflows for security vulnerabilities (injection, excessive permissions).
Optimize CI/CD pipelines for speed (caching) and maintainability (reusable workflows).
Implement secure secret management patterns.

When to use me

When creating CI/CD pipelines (test, build, deploy).
When automating repository tasks (labeling, releasing).
When asked to "fix github actions" or "secure the pipeline".
Triggers: "create workflow", "github action", "ci pipeline".

Instructions

1. Security First (Non-Negotiable)

Permissions: ALWAYS define permissions: {} at the top level and grant specific permissions at the job level.
```
permissions:
  contents: read # Default to read-only
```
Script Injection: NEVER interpolate untrusted input directly into shell scripts.
- BAD: run: echo "Title: ${{ github.event.issue.title }}"
- GOOD:
```
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "Title: $TITLE"
```
Secrets: NEVER hardcode secrets. Use ${{ secrets.MY_SECRET }}.
Pinning: Recommend pinning actions to a specific commit SHA, not a tag, for high-security environments.
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

2. Operational Excellence

Concurrency: Use concurrency groups to cancel outdated runs on PRs.

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

Timeouts: ALWAYS set a timeout-minutes for jobs to prevent stuck runners costing money/time.
Caching: Use actions/cache or language-specific setup actions (e.g., setup-node with cache: 'npm') to speed up builds.

3. Architecture Patterns

Reusable Workflows: Extract common logic (setup, linting) into common.yml to adhere to DRY (Don't Repeat Yourself).
Matrix Builds: Use strategy matrices for testing multiple versions/OSs efficiently.
Fail Fast: Default fail-fast: true in matrices, but consider false if you want full coverage reports despite failures.

4. Anti-Patterns to Avoid

pull_request_target Abuse: Be extremely careful. Never checkout and run code from a fork with write permissions.
Inline Scripts: For scripts > 5 lines, create a separate .sh or .py file in the repo and call it. This makes it testable and lintable.
Blind Updates: Don't use @latest or @master. It breaks builds unexpectedly.

5. Example "Senior" Workflow Snippet

name: CI
on:
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'npm'
      - run: npm ci
      - run: npm test

Related Skills

thesammykins/vercel-react-best-practices

development

VerifiedTrustedCommunity

React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.

SKILL.mdUpdated Apr 17, 2026

thesammykins/vercel-react-best-practices

thesammykins/ralph

development

VerifiedTrustedCommunity

Autonomous feature development - setup and execution. Triggers on: ralph, set up ralph, run ralph, run the loop, implement tasks. Two phases: (1) Setup - chat through feature, create tasks with dependencies (2) Loop - pick ready tasks, implement, commit, repeat until done.

SKILL.mdUpdated Apr 17, 2026

thesammykins/python-modern-standards

tools

VerifiedTrustedCommunity

Enforces the 2025 Python stack. Replaces legacy tools (pip, flake8, isort) with modern, fast equivalents (uv, ruff). Mandates strict type hints.

SKILL.mdUpdated Apr 17, 2026

thesammykins/python-modern-standards

thesammykins/prd

documentation

VerifiedTrustedCommunity

Generate a Product Requirements Document (PRD) for a new feature. Use when planning a feature, starting a new project, or when asked to create a PRD. Triggers on: create a prd, write prd for, plan this feature, requirements for, spec out.

SKILL.mdUpdated Apr 17, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/thesammykins/dotfiles.git

# Copy into Claude Code skills folder (global)
cp -r dotfiles/.agents/skills/github-actions-expert ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

thesammykins/dotfiles

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT