- Home
- Skills
- Yldgio
- Codereview Skills
- Github Actions
github-actions_skill
- Python
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yldgio/codereview-skills --skill github-actions- SKILL.md3.3 KB
Overview
This skill provides actionable guidance to secure, optimize, and maintain GitHub Actions workflows. It focuses on concrete rules for secrets, permissions, performance, triggers, and maintainability. Use it to harden CI/CD pipelines, reduce runtime costs, and enforce reliable workflow design.
How this skill works
The skill inspects workflow definitions and provides recommendations based on best practices: pinning action SHAs, least-privilege permissions, secrets handling, caching, and job structuring. It highlights risky patterns like unpinned actions, exposed secrets, excessive permissions, and inefficient job layouts, and suggests concrete fixes and configuration options. It also recommends tools and processes for testing, linting, and ongoing maintenance.
When to use it
- When creating new GitHub Actions workflows for CI or CD
- When auditing workflow security or responding to a supply-chain advisory
- When optimizing build times and runner costs
- When standardizing workflows across teams or repositories
- When introducing reusable workflows or composite actions
Best practices
- Pin third-party actions to full commit SHAs and document reasons for pins
- Define minimal permissions in the permissions block; expand only when necessary
- Store secrets in repo/org secrets and avoid printing or writing them to files
- Use caching and parallel jobs; set concurrency and timeout-minutes to control runs
- Separate CI, CD, and PR checks into distinct workflows and use environments for promotion
Example use cases
- Lockdown a release workflow by switching from PATs to secrets.GITHUB_TOKEN and tightening permissions
- Improve pipeline speed by adding actions/cache and splitting independent jobs for parallel execution
- Protect production deploys with environment approvals and avoid passing secrets via CLI args
- Audit an existing repo to replace floating action refs like @v1 with pinned SHAs and subscribe to advisories
- Adopt reusable workflows and composite actions to enforce consistency across org repos
FAQ
Full SHAs ensure immutability and prevent unexpected behavior or supply-chain changes when an action maintainer updates a tag. Document the reason for each pin to balance security and maintenance.
Can I ever expose secrets in logs or artifacts?
Never. Secrets must not be printed, written to files, or stored in artifacts. Use add-mask and avoid passing secrets as plain CLI args or unmasked env vars; prefer in-process use where possible.