Skills
skills/hugorcd/skills/setup-for-oss

setup-for-oss

SKILL.md

Setup for OSS

Quick start

  1. Decide mode:
    • Audit mode: user asks to review/check OSS health.
    • Scaffold mode: user asks to set up/add OSS files or workflows.
  2. Collect context (minimal):
    • Repo name, package manager, monorepo vs single package, publishable npm packages.
    • Author/org details from package.json or git config.
    • Existing health files and workflows.
  3. Load references as needed:
    • Health files: references/health-files.md
    • GitHub templates: references/github-templates.md
    • CI workflows: references/ci-workflows.md
    • Publishing: references/publishing.md
    • Linting/formatting: references/linting-formatting.md
    • Dependency/versioning: references/dependency-versioning.md

Mode decision tree

  • If the request includes audit/review/check: run Audit mode and return a prioritized missing/incomplete list.
  • If the request includes setup/add/bootstrap/scaffold: run Scaffold mode and create/modify files.
  • If unclear, default to Audit mode and ask a single clarifying question only if blocking.

Context detection checklist

Use this before auditing or scaffolding:

  • Project name: from package.json:name or repo folder name.
  • Author/org: from package.json:author, repository, or git config.
  • Package manager:
    • pnpm-lock.yaml → pnpm
    • package-lock.json → npm
    • yarn.lock → yarn
    • bun.lockb → bun
  • Monorepo vs single:
    • workspaces in package.json, pnpm-workspace.yaml, or turbo.json → monorepo
  • Publishable packages:
    • package.json:private=false or packages with publishConfig
  • Has tests:
    • test script, vitest, jest, playwright, or __tests__ directories
  • Conventional commit scopes:
    • workspace package/app names for monorepo; otherwise top-level areas (src/docs/ci)

Audit mode

  1. Scan for required health files and templates:
    • README, CONTRIBUTING, CODE_OF_CONDUCT, LICENSE, SECURITY
    • .github issue templates, PR template, release config, funding
  2. Scan for CI/CD workflows:
    • autofix.yml, ci.yml, semantic-pull-request.yml, label-pr.yml
  3. If publishable npm packages exist, verify:
    • ci.yml includes publish job using pkg-pr-new (PR-only)
    • release.yml uses npm Trusted Publishing (OIDC) and pinned SHAs
  4. Scan for Renovate config, linting/formatting, versioning tooling:
    • renovate.json, eslint.config.js, .editorconfig, .changeset/config.json, .npmrc, .config/automd.ts
  5. Produce a report:
    • Missing files
    • Incomplete/misaligned content (e.g., wrong license or missing security reporting)
    • Optional vs required (explicit)
    • Minimal next steps

Scaffold mode

  1. Create any missing required files using templates in references.
  2. Adapt content:
    • Replace placeholders with project name, author/org, repo URLs, and package manager.
    • Include CI jobs only relevant to the repo (test job only if tests exist).
    • Include publishing and release workflows only if publishable packages exist.
  3. Ensure all outputs are in English.
  4. Summarize what was created/updated and any manual follow-ups (e.g., install GitHub Apps).

Required vs optional outputs

Required (always when scaffolding OSS setup):

  • README.md
  • CONTRIBUTING.md
  • CODE_OF_CONDUCT.md
  • LICENSE (Apache-2.0 default unless specified)
  • SECURITY.md
  • .github/funding.yml
  • .github/ISSUE_TEMPLATE/bug-report.yml
  • .github/ISSUE_TEMPLATE/enhancement-request.yml
  • .github/ISSUE_TEMPLATE/feature-request.yml
  • .github/ISSUE_TEMPLATE/question.yml
  • .github/pull_request_template.md
  • .github/release.yml
  • .github/workflows/autofix.yml
  • .github/workflows/ci.yml
  • .github/workflows/semantic-pull-request.yml
  • .github/workflows/label-pr.yml
  • renovate.json
  • eslint.config.js
  • .editorconfig
  • .changeset/config.json
  • .npmrc
  • .config/automd.ts

Conditional (only when publishable npm packages exist):

  • .github/workflows/release.yml with npm Trusted Publishing (OIDC)
  • ci.yml publish job with pkg-pr-new

Manual follow-ups to report

  • Install GitHub Apps: Renovate and pkg-pr-new (when needed).
  • Configure npm Trusted Publisher in npmjs.com settings for publishable packages.
  • Optionally enable npm 2FA and disallow tokens.

Reference map

  • Health files and README structure → references/health-files.md
  • GitHub templates and release categories → references/github-templates.md
  • CI workflows and jobs → references/ci-workflows.md
  • Publishing (pkg-pr-new + npm Trusted Publishing) → references/publishing.md
  • Linting/formatting → references/linting-formatting.md
  • Renovate, Changesets, .npmrc, automd → references/dependency-versioning.md
Weekly Installs
3
Repository
hugorcd/skills
GitHub Stars
3
First Seen
Feb 11, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
amp3
gemini-cli3
antigravity3
github-copilot3
codex3
kimi-cli3