🇺🇸English
Language Conventions
Infer language style from the project:
- Analyse existing workflows, commit messages, and documentation to detect the project's language variant (US English, UK English, etc.)
- Match the spelling conventions found in the project (e.g., "optimize" vs "optimise", "customize" vs "customise")
- Maintain consistency with the project's established language style throughout workflow files and comments
Mode Detection
Determine the mode based on context:
- Create mode : No
.github/workflows/ directory exists, or user explicitly asks to create/add a workflow
- Audit mode :
.github/workflows/*.yml files exist, or user explicitly asks to audit/review/fix workflows
Create Mode
1. Detect Project Type
Scan for project indicators:
package.json → Node.js/JS/TSgo.mod → Gorequirements.txt / pyproject.toml / setup.py → PythonCargo.toml → RustGemfile → Ruby
2. Detect Package Manager (JS/TS projects)
pnpm-lock.yaml → pnpmbun.lock / bun.lockb → bunyarn.lock → yarnpackage-lock.json → npm
3. Generate Workflow
Apply all rules from the rules/ directory when generating workflows. Read each rule file for detailed requirements and examples.
4. Workflow Template
Adapt this CI template to the detected project type and package manager (replace <pm> with the detected package manager):
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 'lts/*'
cache: '<pm>'
- run: <pm> install --frozen-lockfile
- run: <pm> check
- run: <pm> test
- run: <pm> build
Audit Mode
1. Scan Workflows
Read all files in .github/workflows/*.yml and audit against every rule in the rules/ directory.
2. Report Format
## GitHub Actions Audit Results
### HIGH Severity
- `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA
### MEDIUM Severity
- `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block
### Summary
- High: X
- Medium: Y
- Low: Z
- Files scanned: N
3. Auto-Fix
After reporting, apply fixes. Look up commit SHAs for pinning using gh api.
Rules
Read individual rule files for detailed checks and examples:
| Rule | Severity | File |
|---|
| Action pinning | HIGH | rules/action-pinning.md |
| Permissions | HIGH | rules/permissions.md |
| Concurrency | MEDIUM | rules/concurrency.md |
| Node version | MEDIUM | rules/node-version.md |
| Caching | MEDIUM | rules/caching.md |
Assumptions
- GitHub CLI (
gh) is available for looking up action commit SHAs
- The project is hosted on GitHub
Weekly Installs
69
Repository
tartinerlabs/skills
GitHub Stars
5
First Seen
Feb 15, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykWarn
Installed on
github-copilot69
opencode61
amp61
codex61
kimi-cli61
gemini-cli61
