# acc-analyze-ci-config

**CI Configuration Analyzer.** Analyzes CI/CD configurations for issues, optimizations, and best practices.

## Analysis Categories

### 1. Structure Analysis
```
┌─────────────────────────────────────────────────────────────────┐
│ CI CONFIG ANALYSIS                                              │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ ✓ Stages defined: install → lint → test → build → deploy        │
│ ✓ Jobs properly ordered                                         │
│ ✗ Missing concurrency control                                   │
│ ✗ No timeout configuration                                      │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
### 2. Caching Analysis

| Issue | Severity | Location | Recommendation |
|---|---|---|---|
| No Composer cache | 🟠 Major | lint job | Add actions/cache for `~/.composer/cache` |
| Invalid cache key | 🟡 Minor | Line 23 | Use `hashFiles('composer.lock')` |
| Missing vendor cache | 🟠 Major | All jobs | Share vendor between jobs with artifacts |
### 3. Security Analysis

| Issue | Severity | Location | Risk |
|---|---|---|---|
| pull_request_target misuse | 🔴 Critical | Line 5 | Code injection from forks |
| Secrets in logs | 🔴 Critical | Line 45 | `echo ${{ secrets.API_KEY }}` exposed |
| Outdated actions | 🟠 Major | Lines 12, 18 | Using @v1 instead of @v4 |
| No permissions defined | 🟡 Minor | - | Uses default (write-all) |
## GitHub Actions Analysis

### Checklist

```markdown
## GitHub Actions Analysis Report

### Configuration: `.github/workflows/ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Proper job dependencies (needs)
- [ ] Concurrency configuration
- [ ] Timeout defined for jobs
- [x] Workflow triggers appropriate

#### Caching ⚠️
- [ ] Composer dependencies cached
- [ ] Node modules cached (if applicable)
- [x] Docker layer caching
- [ ] Cache keys use file hashes

#### Security 🔴
- [ ] Permissions explicitly defined
- [ ] No secrets echoed
- [x] Actions pinned to SHA
- [ ] pull_request_target safe usage

#### Performance ⚠️
- [ ] Jobs run in parallel where possible
- [x] Matrix strategy for PHP versions
- [ ] Fail-fast disabled for matrix
- [ ] Artifacts shared between jobs

#### Best Practices ✓
- [x] Uses specific action versions
- [x] Environment variables centralized
- [ ] Reusable workflows
- [x] Clear job names
```
### Common Issues

#### 1. Missing Concurrency

```yaml
# ❌ BAD: No concurrency control
name: CI
on: [push, pull_request]
```

```yaml
# ✅ GOOD: Cancel redundant runs
name: CI
on: [push, pull_request]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```

#### 2. Inefficient Caching

```yaml
# ❌ BAD: Cache key doesn't include lock file
- uses: actions/cache@v4
  with:
    path: vendor
    key: vendor-${{ github.sha }}
```

```yaml
# ✅ GOOD: Cache key based on lock file
- uses: actions/cache@v4
  with:
    path: |
      ~/.composer/cache
      vendor
    key: composer-${{ hashFiles('composer.lock') }}
    restore-keys: composer-
```

#### 3. Security Issues

```yaml
# ❌ BAD: Dangerous with forks
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }} # Runs untrusted code
```

```yaml
# ✅ GOOD: Separate trusted/untrusted
on:
  pull_request: # Safe: runs in context of base
```
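The checks behind the GitHub Actions checklist and the three common issues above can be expressed as a small static analyzer over the parsed workflow. The following is an added example, not code from the skill or from the awesome-claude-code repository: it takes the workflow as a Python mapping (a constructed sample that merges the "BAD" snippets is embedded; on a real file load it with `yaml.safe_load()`), and the `CURRENT_MAJOR` table, the finding IDs and the severities are assumptions made for the example, loosely following the SEC-/CACHE-/BP- scheme of the report format below.

```python
"""Static checks for a GitHub Actions workflow, covering the issues listed above.

Added example, not the skill's own code. The workflow is passed as the parsed
mapping (constructed inline below); on a real file use yaml.safe_load().
"""
import re

# Current major versions the checks expect (an assumption for this example;
# the page itself only says "@v4 instead of @v1").
CURRENT_MAJOR = {"actions/checkout": 4, "actions/cache": 4}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                          # full-length commit pin
SECRET_IN_RUN_RE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")  # ${{ secrets.X }}


def _events(wf):
    """Normalise `on` to a mapping. PyYAML (YAML 1.1) reads a bare `on:` key
    as the boolean True, so both spellings are accepted."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {e: {} for e in on}
    return on or {}


def analyze_github_workflow(wf):
    """Return findings as (id, severity, location, message) tuples."""
    findings = []
    events = _events(wf)
    jobs = wf.get("jobs") or {}

    # Structure: redundant runs and runaway jobs.
    if "concurrency" not in wf:
        findings.append(("STRUCT-001", "Minor", "workflow", "Missing concurrency control"))
    for name, job in jobs.items():
        if "timeout-minutes" not in job:
            findings.append(("STRUCT-002", "Minor", name, "No timeout-minutes configured"))

    # Security: token scope falls back to the repository default when unset.
    if "permissions" not in wf and not all("permissions" in j for j in jobs.values()):
        findings.append(("SEC-003", "Minor", "workflow", "No permissions defined (default may be write-all)"))

    for name, job in jobs.items():
        for step in job.get("steps") or []:
            uses = step.get("uses") or ""
            inputs = step.get("with") or {}

            # Security: pull_request_target runs with base-repo secrets; checking
            # out the PR head there executes fork-controlled code with them.
            if ("pull_request_target" in events and uses.startswith("actions/checkout")
                    and "pull_request.head" in str(inputs.get("ref", ""))):
                findings.append(("SEC-002", "Critical", name, "pull_request_target checks out untrusted PR code"))

            # Security: a secret expanded inside `run` lands in the shell trace and logs.
            if SECRET_IN_RUN_RE.search(step.get("run") or ""):
                findings.append(("SEC-001", "Critical", name, "Secret expanded inline in run step"))

            # Best practice: pin to a SHA, or at least to the current major tag.
            if "@" in uses:
                action, _, version = uses.partition("@")
                tag = re.match(r"v(\d+)", version)
                wanted = CURRENT_MAJOR.get(action)
                if SHA_RE.match(version):
                    pass
                elif tag is None:
                    findings.append(("BP-002", "Major", name, f"{uses} is not pinned to a tag or SHA"))
                elif wanted and int(tag.group(1)) < wanted:
                    findings.append(("BP-001", "Major", name, f"{uses} is outdated; use @v{wanted}"))

            # Caching: a key without hashFiles() never invalidates on lock-file changes.
            if uses.startswith("actions/cache") and "hashFiles(" not in str(inputs.get("key", "")):
                findings.append(("CACHE-002", "Minor", name, "Cache key does not use hashFiles()"))
    return findings


def severity_counts(findings):
    """Totals for the report's summary line, e.g. {'Critical': 2, ...}."""
    counts = {"Critical": 0, "Major": 0, "Minor": 0}
    for _, severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample that combines the "BAD" snippets above (not a real repository's file).
SAMPLE_WORKFLOW = {
    "name": "CI",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v2",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"uses": "actions/cache@v4",
                 "with": {"path": "vendor", "key": "vendor-${{ github.sha }}"}},
                {"run": 'echo "Deploying with ${{ secrets.DEPLOY_KEY }}"'},
            ],
        }
    },
}

if __name__ == "__main__":
    found = analyze_github_workflow(SAMPLE_WORKFLOW)
    for finding in found:
        print("%s [%s] %s: %s" % finding)
    print(severity_counts(found))
```

The sample yields two Critical findings (the `pull_request_target` checkout and the inline secret), one Major (the outdated `actions/checkout@v2`) and four Minor ones; the same workflow with `concurrency`, `permissions`, `timeout-minutes`, a `hashFiles()` cache key and the secret moved into `env:` produces no findings. The `on`/`True` normalisation matters in practice: without it a PyYAML-loaded workflow would appear to have no triggers and the `pull_request_target` check would silently pass.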
## GitLab CI Analysis

### Checklist

```markdown
## GitLab CI Analysis Report

### Configuration: `.gitlab-ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Stages defined
- [x] Jobs assigned to stages
- [ ] Global variables defined
- [x] Default image set

#### Caching ⚠️
- [ ] Cache key uses files hash
- [ ] Cache policy appropriate (pull/push)
- [x] Cache paths correct
- [ ] Artifacts used for job sharing

#### Security ⚠️
- [x] Secrets in CI/CD variables (not code)
- [ ] Protected branches configured
- [ ] No sensitive data in artifacts
- [x] Image from trusted registry

#### Performance ⚠️
- [ ] Jobs run in parallel
- [x] Needs keyword for dependencies
- [ ] Rules/only properly configured
- [ ] DAG mode enabled

#### Best Practices ✓
- [x] Uses extends for reuse
- [x] Clear job names
- [ ] Include for modular config
- [x] Appropriate timeouts
```
### Common Issues

#### 1. Cache Key Without Hash

```yaml
# ❌ BAD: Cache never invalidates properly
cache:
  key: composer-cache
  paths:
    - vendor/
```

```yaml
# ✅ GOOD: Cache invalidates on lock change
cache:
  key:
    files:
      - composer.lock
  paths:
    - vendor/
```

#### 2. Missing Needs

```yaml
# ❌ BAD: Sequential stages, no parallelism
stages:
  - lint
  - test

phpstan:
  stage: lint
  script: vendor/bin/phpstan

phpunit:
  stage: test # Waits for ALL lint jobs
```

```yaml
# ✅ GOOD: DAG with needs
phpunit:
  stage: test
  needs: [composer-install] # Only waits for install
```
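The GitLab counterpart of the same idea, as an added example that is not part of the skill or the repository it comes from: it covers the two common issues above (a cache key that is a plain string rather than a `files:` hash, and jobs that rely on stage ordering instead of `needs`), validates that every `stage` and every `needs` target exists, and includes the platform-identification step from the analysis instructions further down (GitHub keeps jobs under `jobs` with `runs-on`; GitLab puts jobs at the top level with `script`). The configuration is passed as a parsed mapping, with a constructed sample embedded; the `GLOBAL_KEYS` set, the finding IDs and the severities are assumptions for the example.

```python
"""Static checks for a GitLab CI configuration, plus the platform detection
step from the analysis instructions.

Added example, not the skill's own code. Input is the parsed configuration
as a mapping (constructed inline below); on a real file use yaml.safe_load().
"""

# Top-level keys that are global configuration rather than jobs (assumed subset
# of GitLab's reserved keywords, enough for this example).
GLOBAL_KEYS = {"stages", "variables", "default", "image", "include", "workflow",
               "cache", "services", "before_script", "after_script"}


def gitlab_jobs(doc):
    """Concrete jobs: top-level mappings with a script, excluding reserved
    keys and hidden `.template` jobs."""
    return {
        name: job
        for name, job in doc.items()
        if isinstance(name, str)
        and name not in GLOBAL_KEYS
        and not name.startswith(".")
        and isinstance(job, dict)
        and "script" in job
    }


def detect_platform(doc):
    """Step 1 of the analysis: decide which platform wrote the file."""
    jobs = doc.get("jobs")
    if isinstance(jobs, dict) and any(
        isinstance(j, dict) and "runs-on" in j for j in jobs.values()
    ):
        return "github"
    if "stages" in doc or gitlab_jobs(doc):
        return "gitlab"
    return "unknown"


def _cache_key_uses_files(cache):
    """True only for `key: { files: [...] }`, the form that invalidates on lock changes."""
    key = cache.get("key") if isinstance(cache, dict) else None
    return isinstance(key, dict) and bool(key.get("files"))


def analyze_gitlab_ci(doc):
    """Return (id, severity, location, message) findings in order of occurrence."""
    findings = []
    stages = doc.get("stages") or ["build", "test", "deploy"]  # GitLab's default stages
    jobs = gitlab_jobs(doc)

    # Caching: a static key string is never invalidated by a changed lock file.
    if "cache" in doc and not _cache_key_uses_files(doc["cache"]):
        findings.append(("CACHE-001", "Major", "global cache", "Cache key is not derived from file hashes"))

    for name, job in jobs.items():
        stage = job.get("stage", "test")  # GitLab's default stage
        if stage not in stages:
            findings.append(("STRUCT-003", "Critical", name, f"Stage '{stage}' is not declared in stages"))
        if "cache" in job and not _cache_key_uses_files(job["cache"]):
            findings.append(("CACHE-001", "Major", name, "Cache key is not derived from file hashes"))

        needs = job.get("needs")
        if needs is None:
            # Without needs, a job waits for every job in all earlier stages.
            if stage in stages and stages.index(stage) > 0:
                findings.append(("PERF-002", "Minor", name,
                                 "No needs: waits for all earlier stages; add needs for DAG execution"))
        else:
            for dep in needs:
                dep_name = dep["job"] if isinstance(dep, dict) else dep
                if dep_name not in jobs:
                    findings.append(("STRUCT-004", "Critical", name,
                                     f"needs references undefined job '{dep_name}'"))
    return findings


# Constructed sample mirroring the two "BAD" snippets above (not a real project's file).
SAMPLE_GITLAB_CI = {
    "stages": ["install", "lint", "test"],
    "cache": {"key": "composer-cache", "paths": ["vendor/"]},
    "composer-install": {"stage": "install", "script": "composer install"},
    "phpstan": {"stage": "lint", "script": "vendor/bin/phpstan"},
    "phpunit": {"stage": "test", "script": "vendor/bin/phpunit"},
}

if __name__ == "__main__":
    print("platform:", detect_platform(SAMPLE_GITLAB_CI))
    for finding in analyze_gitlab_ci(SAMPLE_GITLAB_CI):
        print("%s [%s] %s: %s" % finding)
```

On the sample this reports the global cache key and flags `phpstan` and `phpunit` for running without `needs`; `composer-install` sits in the first stage and has nothing to wait for, so it is not flagged. Switching the key to `files: [composer.lock]` and adding `needs: [composer-install]` to both jobs, as the "GOOD" snippets do, clears every finding.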
## Analysis Output Format

````markdown
# CI/CD Configuration Analysis

**File:** `.github/workflows/ci.yml`
**Platform:** GitHub Actions
**Date:** 2024-01-15

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Structure | ✅ Good | 0 |
| Caching | ⚠️ Warning | 3 |
| Security | 🔴 Critical | 2 |
| Performance | ⚠️ Warning | 4 |
| Best Practices | ✅ Good | 1 |

**Total Issues:** 10 (2 Critical, 4 Major, 4 Minor)

## Critical Issues

### SEC-001: Exposed Secret in Logs
**Location:** Line 45
**Code:**
```yaml
- run: echo "Deploying with ${{ secrets.DEPLOY_KEY }}"
```
**Risk:** Secret visible in workflow logs
**Fix:**
```yaml
- run: echo "Deploying..."
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
```

### SEC-002: pull_request_target with Checkout
**Location:** Lines 3, 15
**Risk:** Arbitrary code execution from forks
**Fix:** Use pull_request event instead, or don't checkout PR code

## Major Issues

### CACHE-001: Missing Composer Cache
**Location:** lint job
**Impact:** +2-3 minutes per run
**Fix:**
```yaml
- uses: actions/cache@v4
  with:
    path: ~/.composer/cache
    key: composer-${{ hashFiles('composer.lock') }}
```

### PERF-001: Sequential Jobs Could Run Parallel
**Location:** test-unit, test-integration
**Impact:** +5 minutes total
**Fix:** Remove needs dependency between test jobs

## Minor Issues

### BP-001: Using Outdated Action Version
**Location:** Line 12
**Current:** actions/checkout@v2
**Recommended:** actions/checkout@v4

## Recommendations

- **Immediate:** Fix security issues SEC-001 and SEC-002
- **Short-term:** Implement caching improvements
- **Long-term:** Restructure for parallel execution

## Optimized Configuration

See Appendix A for complete optimized configuration.
````
## Analysis Instructions
1. **Parse configuration:**
   - Validate YAML syntax
   - Identify platform (GitHub/GitLab)
   - Extract jobs, stages, triggers
2. **Check structure:**
   - Proper job ordering
   - Dependencies (needs/stages)
   - Concurrency settings
   - Timeouts
3. **Analyze caching:**
   - Cache keys use file hashes
   - Appropriate cache paths
   - Cache policy (pull/push)
   - Artifacts for job sharing
4. **Security review:**
   - Secret exposure
   - Permissions
   - Unsafe triggers
   - Action versions
5. **Performance audit:**
   - Parallel execution opportunities
   - Unnecessary sequential jobs
   - Matrix optimization
   - Fail-fast settings
## Usage
Provide:
- Path to CI configuration file(s)
- Specific areas to focus on (optional)
The analyzer will:
1. Parse and validate configuration
2. Check against best practices
3. Identify issues by severity
4. Provide specific fixes
5. Generate optimized configuration