Skills
skills/akin-ozer/cc-devops-skills/github-actions-generator

github-actions-generator

SKILL.md

GitHub Actions Generator

Generate production-ready GitHub Actions workflows and custom actions following current best practices, security standards, and naming conventions. All generated resources are automatically validated using the devops-skills:github-actions-validator skill.

Quick Reference

Capability When to Use Reference
Workflows CI/CD, automation, testing references/best-practices.md
Composite Actions Reusable step combinations references/custom-actions.md
Docker Actions Custom environments/tools references/custom-actions.md
JavaScript Actions API interactions, complex logic references/custom-actions.md
Reusable Workflows Shared patterns across repos references/advanced-triggers.md
Security Scanning Dependency review, SBOM references/best-practices.md
Modern Features Summaries, environments references/modern-features.md

Trigger Decision Tree

Route every request through this decision tree before reading references or generating files:

  1. If the user asks for .github/workflows/*.yml CI/CD automation, choose Workflow Generation.
  2. If the user asks for action.yml or a reusable step package, choose Custom Action Generation.
  3. If the user asks for workflow_call or shared pipelines across repositories, choose Reusable Workflow Generation.
  4. If the request includes security-only scanning (dependency review, SBOM, CodeQL), stay on Workflow Generation with the security pattern.
  5. If intent is ambiguous, ask one disambiguation question: "Do you want a workflow, a custom action, or a reusable workflow?"

Progressive Disclosure Route

Load only what is needed for the selected route, in this order:

Route Load First (required) Load Next (only if needed) Primary Template
Workflow Generation references/best-practices.md references/common-actions.md, references/expressions-and-contexts.md, references/modern-features.md assets/templates/workflow/basic_workflow.yml
Custom Action Generation references/custom-actions.md references/best-practices.md assets/templates/action/composite/action.yml, assets/templates/action/docker/, assets/templates/action/javascript/
Reusable Workflow Generation references/advanced-triggers.md references/best-practices.md, references/common-actions.md assets/templates/workflow/reusable_workflow.yml

If a required reference/template is unavailable, continue with the closest available reference and report the fallback explicitly in output.

Core Capabilities

1. Generate Workflows

Triggers: "Create a workflow for...", "Build a CI/CD pipeline..."

Process:

  1. Understand requirements (triggers, runners, dependencies)
  2. Define trust boundaries (internal branches vs fork PRs vs external triggers)
  3. Set default permissions to read-only, then elevate only per job when required
  4. Reference references/best-practices.md for patterns
  5. Reference references/common-actions.md for action versions
  6. Generate workflow with:
    • Semantic names, pinned actions (SHA), explicit permissions
    • Concurrency controls, caching, matrix strategies
    • Fork-safe PR handling (no secrets in untrusted contexts)
  7. Validate with devops-skills:github-actions-validator skill
  8. Fix issues and re-validate if needed

Minimal Example:

name: CI Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '24'
          cache: 'npm'
      - run: npm ci
      - run: npm test

Untrusted PR Guardrail (required for secret-using jobs):

jobs:
  deploy:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository

2. Generate Custom Actions

Triggers: "Create a composite action...", "Build a Docker action...", "Create a JavaScript action..."

Types:

  • Composite: Combine multiple steps → Fast startup
  • Docker: Custom environment/tools → Isolated
  • JavaScript: API access, complex logic → Fastest

Process:

  1. Use templates from assets/templates/action/
  2. Follow structure in references/custom-actions.md
  3. Include branding, inputs/outputs, documentation
  4. Validate with devops-skills:github-actions-validator skill

See references/custom-actions.md for:

  • Action metadata and branding
  • Directory structure patterns
  • Versioning and release workflows

3. Generate Reusable Workflows

Triggers: "Create a reusable workflow...", "Make this workflow callable..."

Key Elements:

  • workflow_call trigger with typed inputs
  • Explicit secrets (avoid secrets: inherit)
  • Explicit trusted-caller expectations (document org/repo boundaries)
  • Outputs mapped from job outputs
  • Minimal permissions
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      deploy-token:
        required: false
    outputs:
      result:
        value: ${{ jobs.build.outputs.result }}

When secrets are required, pass only the exact secret names needed and prefer environment protection rules for deployment stages.

See references/advanced-triggers.md for complete patterns.

4. Generate Security Workflows

Triggers: "Add security scanning...", "Add dependency review...", "Generate SBOM..."

Components:

  • Dependency Review: actions/dependency-review-action@v4
  • SBOM Attestations: actions/attest-sbom@v2
  • CodeQL Analysis: github/codeql-action

Permission Model: Use a read-only workflow-level baseline, then elevate only in the security job that requires write scopes.

permissions:
  contents: read

jobs:
  security-scan:
    permissions:
      contents: read
      security-events: write  # For CodeQL
      id-token: write         # For attestations
      attestations: write     # For attestations

See references/best-practices.md section on security.

5. Modern Features

Triggers: "Add job summaries...", "Use environments...", "Run in container..."

See references/modern-features.md for:

  • Job summaries ($GITHUB_STEP_SUMMARY)
  • Deployment environments with approvals
  • Container jobs with services
  • Workflow annotations

6. Third-Party Action Documentation and Citation

When using third-party actions (any uses: entry not in the same repository):

  1. Search for documentation:

    "[owner/repo] [version] github action documentation"

  2. Or use Context7 MCP:

    • mcp__context7__resolve-library-id to find action
    • mcp__context7__query-docs for documentation

  3. Pin to SHA with version comment:

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

  4. Cite source and version in the response:

    • Action source (repository URL)
    • Version source (release/tag/changelog URL)
    • Selected commit SHA and human-readable version
    • Access date for the source used

See references/common-actions.md for pre-verified action versions.

Validation Workflow

CRITICAL: Every generated resource MUST be validated.

  1. Generate workflow/action file
  2. Invoke devops-skills:github-actions-validator skill
  3. If errors: fix and re-validate
  4. If success: present with usage instructions

Skip validation only for:

  • Partial code snippets
  • Documentation examples
  • User explicitly requests skip

Fallback Behavior (Tooling and Environment Constraints)

If required tooling or network access is unavailable, use this deterministic fallback order:

  1. If devops-skills:github-actions-validator is unavailable, run local fallback checks:
    • actionlint (if installed)
    • yamllint (if installed)
    • manual YAML/schema review with a clear "not tool-validated" note
  2. If Context7 or internet access is unavailable:
    • use references/common-actions.md for known action versions
    • state that external version verification could not be completed
  3. If a template path is missing:
    • generate from the closest template pattern in assets/templates/
    • document which template was substituted

Fallback usage must always be reported in the final output.

Mandatory Standards

All generated resources must follow:

Standard Implementation
Security Pin to SHA, minimal permissions, mask secrets
Performance Caching, concurrency, shallow checkout
Naming Descriptive names, lowercase-hyphen files
Error Handling Timeouts, cleanup with if: always()

See references/best-practices.md for complete guidelines.

Resources

Reference Documents

Document Content When to Use
references/best-practices.md Security, performance, patterns Every workflow
references/common-actions.md Action versions, inputs, outputs Public action usage
references/expressions-and-contexts.md ${{ }} syntax, contexts, functions Complex conditionals
references/advanced-triggers.md workflow_run, dispatch, ChatOps Workflow orchestration
references/custom-actions.md Metadata, structure, versioning Custom action creation
references/modern-features.md Summaries, environments, containers Enhanced workflows

Templates

Template Location
Basic Workflow assets/templates/workflow/basic_workflow.yml
Reusable Workflow assets/templates/workflow/reusable_workflow.yml
Composite Action assets/templates/action/composite/action.yml
Docker Action assets/templates/action/docker/
JavaScript Action assets/templates/action/javascript/

Common Patterns

Matrix Testing

strategy:
  matrix:
    os: [ubuntu-latest, windows-latest]
    node: [18, 20, 22]
  fail-fast: false

Conditional Deployment

deploy:
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'

Artifact Sharing

# Upload
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
  with:
    name: build-${{ github.sha }}
    path: dist/

# Download (in dependent job)
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
  with:
    name: build-${{ github.sha }}

Third-Party Action Citation Block

Third-party action citations:
- actions/checkout: https://github.com/actions/checkout (version: v6.0.2, sha: de0fac2e4500dabe0009e67214ff5f5447ce83dd, accessed: 2026-02-28)

Done Criteria

The task is complete only when all checks below pass:

  1. The request route was selected using the trigger decision tree.
  2. Only the minimum required references/templates were loaded first.
  3. Every third-party action is pinned to a commit SHA and has source/version citation.
  4. Validation was run, or a skip exception/fallback path was explicitly documented.
  5. Output includes assumptions, security-sensitive decisions (permissions/secrets), and generated file paths.

Workflow Summary

  1. Route the request using the trigger decision tree
  2. Load the minimum references/templates for that route
  3. Generate using mandatory security and naming standards
  4. Cite and pin third-party actions (source, version, SHA)
  5. Validate with devops-skills:github-actions-validator (or documented fallback)
  6. Fix and re-validate until clean
  7. Present validated output with citations, assumptions, and file paths
Weekly Installs
29
Repository
akin-ozer/cc-de…s-skills
GitHub Stars
112
First Seen
Jan 31, 2026
Security Audits
Gen Agent Trust HubPass
SocketFail
SnykWarn
Installed on
opencode24
github-copilot24
codex23
claude-code22
gemini-cli22
cursor21