/configure:workflows

Check and configure GitHub Actions CI/CD workflows against project standards.

When to Use This Skill

Use this skill when...	Use another approach when...
Checking GitHub Actions workflows for compliance with project standards	Debugging a failing CI run (use github-actions-inspection skill)
Setting up container build, test, or release-please workflows	Installing Claude-powered reusable workflows (use `/configure:reusable-workflows`)
Updating outdated action versions (checkout, build-push, etc.)	Writing a custom workflow from scratch (use ci-workflows skill)
Adding multi-platform builds or GHA caching to existing workflows	Configuring security-specific workflows (use `/configure:security`)
Auditing which required workflows are missing from a project	Managing GitHub repository settings or branch protection rules

Context

Workflows dir: !find . -maxdepth 1 -type d -name \'.github/workflows\'
Workflow files: !find .github/workflows -maxdepth 1 $ -name '*.yml' -o -name '*.yaml' $
Package files: !find . -maxdepth 1 $ -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' $
Dockerfile: !find . -maxdepth 1 -name 'Dockerfile*'
Release-please config: !find . -maxdepth 1 -name \'release-please-config.json\'

Skills referenced: ci-workflows, github-actions-auth-security

Parameters

Parse from command arguments:

--check-only: Report status without offering fixes
--fix: Apply fixes automatically

Execution

Execute this GitHub Actions workflow configuration check:

Step 1: Fetch latest action versions

Verify latest versions before reporting outdated actions:

actions/checkout - releases
actions/setup-node - releases
actions/cache - releases
docker/setup-buildx-action - releases
docker/build-push-action - releases
docker/login-action - releases
docker/metadata-action - releases
reproducible-containers/buildkit-cache-dance - releases
google-github-actions/release-please-action - releases

Use WebSearch or WebFetch to verify current versions.

Step 2: Detect project type and list workflows

Check for .github/workflows/ directory
List all workflow files (*.yml, *.yaml)
Categorize workflows by purpose (container build, test, release)

Determine required workflows based on project type:

Project Type	Required Workflows
Frontend	container-build, release-please, renovate (optional: claude-auto-fix)
Python	container-build, release-please, test, renovate (optional: claude-auto-fix)
Infrastructure	release-please, renovate (optional: docs, claude-auto-fix)

Step 3: Analyze workflow compliance

Container Build Workflow Checks:

Check	Standard	Severity
checkout action	v4	WARN if older
build-push action	v6	WARN if older
Multi-platform	amd64 + arm64	WARN if missing
Registry	GHCR (ghcr.io)	INFO
Caching	GHA cache enabled	WARN if missing
Permissions	Explicit	WARN if missing
`id-token: write`	Required when provenance/SBOM enabled	WARN if missing
Cache scope	Explicit `scope=` when multiple build jobs	WARN if missing
Dead metadata tags	No `type=schedule` without schedule trigger	INFO
Semver regex escaping	Dots escaped in `type=match` patterns (`\d+\.\d+`)	WARN if unescaped
Hardcoded image names	Derive from `${{ github.repository }}`	INFO if hardcoded
Digest output	Capture `build-push` digest via `id:` for traceability	INFO if missing
Job summary	Write image/digest/tags to `$GITHUB_STEP_SUMMARY`	INFO if missing
Duplicated job conditions	Identical `if:` on sibling jobs; suggest gate job	INFO

Release Please Workflow Checks:

Check	Standard	Severity
Action version	v4	WARN if older
Token	MY_RELEASE_PLEASE_TOKEN	WARN if GITHUB_TOKEN
Permissions	contents: write, pull-requests: write	FAIL if missing

Test Workflow Checks:

Check	Standard	Severity
Node version	22	WARN if older
Linting	npm run lint	WARN if missing
Type check	npm run typecheck	WARN if missing
Coverage	Coverage upload	INFO

Renovate Workflow Checks:

Check	Standard	Severity
RENOVATE_REPOSITORIES env var	Must be set (`${{ github.repository }}`)	FAIL if missing
checkout action	v6	WARN if older
renovatebot/github-action	Minor-pinned (e.g., v46.1.0), not major tag	WARN if major-only
Uses reusable workflow	Preferred (except infrastructure)	INFO if standalone

Claude Auto-Fix Workflow Checks (if present):

Check	Standard	Severity
workflow_run trigger	Monitors at least one workflow	WARN if misconfigured
Loop prevention	Skips fix(auto): commits	FAIL if missing
Deduplication	Caps open auto-fix PRs	WARN if missing
Claude Code Action	anthropics/claude-code-action@v1	WARN if older
OAuth token	CLAUDE_CODE_OAUTH_TOKEN secret	FAIL if missing
Permissions	Minimal required set	WARN if excessive

Step 4: Generate compliance report

Print a formatted compliance report showing workflow status, per-workflow check results, and missing workflows.

If --check-only is set, stop here.

For the report format, see REFERENCE.md.

Step 5: Apply configuration (if --fix or user confirms)

Missing workflows: Create from standard templates
Outdated actions: Update version numbers
Missing multi-platform: Add platforms to build-push
Missing caching: Add GHA cache configuration

For standard templates (container build, test workflow), see REFERENCE.md.

Step 6: Update standards tracking

Update .project-standards.yaml:

components:
  workflows: "2025.1"

Agentic Optimizations

Context	Command
Quick compliance check	`/configure:workflows --check-only`
Auto-fix all issues	`/configure:workflows --fix`
List workflow files	`find .github/workflows -name '.yml' -o -name '.yaml'`
Check action versions	`rg 'uses:' .github/workflows/ --no-heading`
Verify release-please config	`test -f release-please-config.json && echo "EXISTS"`

Flags

Flag	Description
`--check-only`	Report status without offering fixes
`--fix`	Apply fixes automatically

configure-workflows