ci-cd_skill

This skill helps you design and enforce secure CI/CD pipelines with secret management, code signing, SBOMs, and supply chain protections.
  • Shell

25

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill martinholovsky/claude-skills-generator --skill ci-cd

  • SKILL.md16.0 KB

Overview

This skill is a CI/CD Pipeline Security Expert focused on desktop application builds. It provides practical patterns for secret management, code signing, artifact protection, and supply chain defenses to reduce risk across multi-platform release pipelines. The guidance emphasizes least-privilege, reproducibility, and test-driven pipeline changes.

How this skill works

I inspect and harden GitHub Actions workflows, enforcing explicit permissions, SHA-pinned actions, environment protections, and OIDC where possible. I prescribe concrete steps for secure secret handling, Windows/macOS code signing, SBOM generation, dependency scanning, and workflow testing to prevent supply chain and credential exposure. I also recommend performance patterns like caching and parallelization while preserving security gates.

When to use it

  • Setting up or auditing CI/CD for desktop apps (Windows, macOS, Linux)
  • Implementing code signing and notarization in automated builds
  • Hardening pipelines against supply chain and dependency attacks
  • Introducing secrets, OIDC, or environment-protected deploys
  • Creating or validating workflow tests and security gates

Best practices

  • Always set explicit permissions for GITHUB_TOKEN and avoid write-all scopes
  • Pin third-party actions and tools by SHA to prevent supply chain drift
  • Use environment-level secrets and approvals for production deploys
  • Adopt OIDC for keyless cloud auth; rotate and scope secrets narrowly
  • Generate SBOMs and sign artifacts to provide verifiable provenance
  • Write failing pipeline tests first and validate workflows in PRs

Example use cases

  • Build, sign, and notarize a Tauri desktop app for Windows and macOS using environment-scoped secrets
  • Add dependency and SAST scanning to PRs, failing merges on high-severity findings
  • Replace long-lived cloud keys with OIDC-based short-lived role assumption for deployments
  • Implement SHA-pinned actions and automated SBOM generation before artifact publication
  • Create workflow tests that reject unpinned actions, missing permissions, or echoed secrets

FAQ

Never echo secrets; inject them via environment variables and use tools that redact output. Validate workflows in PRs to catch accidental exposures.

When should I use OIDC instead of stored cloud credentials?

Use OIDC when your cloud provider and role model support it to eliminate long-lived secrets and reduce risk from leaked repository secrets.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
ci-cd skill by martinholovsky/claude-skills-generator | VeilStrat