aif-ci
CI — Pipeline Configuration Generator
Analyze a project and generate production-grade CI/CD pipeline configuration for GitHub Actions or GitLab CI. Generates separate jobs for linting, static analysis, tests, and security scanning — adapted to the project's language, framework, and existing tooling.
Three modes based on what exists:
| What exists | Mode | Action |
|---|---|---|
| No CI config | generate |
Create pipeline from scratch with interactive setup |
| CI config exists but incomplete | enhance |
Audit & improve, add missing jobs |
| Full CI config | audit |
Audit against best practices, fix gaps |
Step 0: Load Project Context
Read the project description if available:
Read .ai-factory/DESCRIPTION.md
Store project context for later steps. If absent, Step 2 detects everything.
Read .ai-factory/skill-context/aif-ci/SKILL.md — MANDATORY if the file exists.
This file contains project-specific rules accumulated by /aif-evolve from patches,
codebase conventions, and tech-stack analysis. These rules are tailored to the current project.
How to apply skill-context rules:
- Treat them as project-level overrides for this skill's general instructions
- When a skill-context rule conflicts with a general rule written in this SKILL.md, the skill-context rule wins (more specific context takes priority — same principle as nested CLAUDE.md files)
- When there is no conflict, apply both: general rules from SKILL.md + project rules from skill-context
- Do NOT ignore skill-context rules even if they seem to contradict this skill's defaults — they exist because the project's experience proved the default insufficient
- CRITICAL: skill-context rules apply to ALL outputs of this skill — including generated CI workflow files and audit reports. Templates in this skill are base structures. If a skill-context rule says "CI MUST include step X" or "workflow MUST have job Y" — you MUST augment the templates accordingly. Generating CI config that violates skill-context rules is a bug.
Enforcement: After generating any output artifact, verify it against all skill-context rules. If any rule is violated — fix the output before presenting it to the user.
Step 1: Detect Existing CI & Determine Mode
1.1 Scan for Existing CI Configuration
Glob: .github/workflows/*.yml, .github/workflows/*.yaml, .gitlab-ci.yml, .circleci/config.yml, Jenkinsfile, .travis.yml, bitbucket-pipelines.yml
Classify found files:
HAS_GITHUB_ACTIONS:.github/workflows/contains YAML filesHAS_GITLAB_CI:.gitlab-ci.ymlexistsHAS_OTHER_CI: CircleCI, Jenkins, Travis, or Bitbucket detected
1.2 Determine Mode
If $ARGUMENTS contains --enhance -> set MODE = "enhance" regardless.
Path A: No CI config exists (!HAS_GITHUB_ACTIONS && !HAS_GITLAB_CI && !HAS_OTHER_CI):
- Set
MODE = "generate" - Proceed to Step 1.3: Interactive Setup
Path B: CI config exists but is incomplete (e.g., has only tests, no linting):
- Set
MODE = "enhance" - Read all existing CI files -> store as
EXISTING_CONTENT - Log: "Found existing CI configuration. Will analyze and add missing jobs."
Path C: Full CI setup (has linting + tests + static analysis):
- Set
MODE = "audit" - Read all existing CI files -> store as
EXISTING_CONTENT - Log: "Found complete CI setup. Will audit against best practices and fix gaps."
1.3 Interactive Setup (Generate Mode Only)
Determine CI platform from $ARGUMENTS or ask:
If $ARGUMENTS contains github -> set PLATFORM = "github"
If $ARGUMENTS contains gitlab -> set PLATFORM = "gitlab"
Otherwise:
AskUserQuestion: Which CI/CD platform do you use?
Options:
1. GitHub Actions (Recommended) — .github/workflows/*.yml
2. GitLab CI — .gitlab-ci.yml
Ask about optional features:
AskUserQuestion: Which additional CI features do you need?
Options (multiSelect):
1. Security scanning — Dependency audit, SAST
2. Coverage reporting — Upload test coverage
3. Matrix builds — Test across multiple language versions
4. None — Just linting, static analysis, and tests
Store choices:
PLATFORM: github | gitlabWANT_SECURITY: booleanWANT_COVERAGE: booleanWANT_MATRIX: boolean
1.4 Read Existing Files (Enhance / Audit Modes)
Read all existing CI files and store as EXISTING_CONTENT:
- All
.github/workflows/*.ymlfiles .gitlab-ci.yml- Any included GitLab CI files (check
include:directives)
Determine PLATFORM from existing files.
Step 2: Deep Project Analysis
Scan the project thoroughly — every decision in the generated pipeline depends on this profile.
2.1 Language & Runtime
| File | Language |
|---|---|
composer.json |
PHP |
package.json |
Node.js / TypeScript |
pyproject.toml / setup.py / setup.cfg |
Python |
go.mod |
Go |
Cargo.toml |
Rust |
pom.xml |
Java (Maven) |
build.gradle / build.gradle.kts |
Java/Kotlin (Gradle) |
2.2 Language Version
Detect the project's language version to use in CI:
| Language | Version Source | Example |
|---|---|---|
| PHP | composer.json -> require.php |
>=8.2 -> ['8.2', '8.3', '8.4'] |
| Node.js | package.json -> engines.node, .nvmrc, .node-version |
>=18 -> [18, 20, 22] |
| Python | pyproject.toml -> requires-python, .python-version |
>=3.11 -> ['3.11', '3.12', '3.13'] |
| Go | go.mod -> go directive |
go 1.23 -> '1.23' |
| Rust | Cargo.toml -> rust-version, rust-toolchain.toml |
1.82 -> '1.82' |
| Java | pom.xml -> maven.compiler.source, build.gradle -> sourceCompatibility |
17 -> [17, 21] |
For matrix builds: use the minimum version from the project config as the lowest, and include the latest stable version. For non-matrix builds: use the latest version that satisfies the constraint.
2.3 Package Manager & Lock File
| File | Package Manager | Install Command |
|---|---|---|
composer.lock |
Composer | composer install --no-interaction --prefer-dist |
bun.lockb |
Bun | bun install --frozen-lockfile |
pnpm-lock.yaml |
pnpm | pnpm install --frozen-lockfile |
yarn.lock |
Yarn | yarn install --frozen-lockfile |
package-lock.json |
npm | npm ci |
uv.lock |
uv | uv sync --all-extras --dev |
poetry.lock |
Poetry | poetry install |
Pipfile.lock |
Pipenv | pipenv install --dev |
requirements.txt |
pip | pip install -r requirements.txt |
go.sum |
Go modules | go mod download |
Cargo.lock |
Cargo | (built-in) |
Store: PACKAGE_MANAGER, LOCK_FILE, INSTALL_CMD.
2.4–2.7 Tool Detection
Detect project tools by scanning config files and dependencies. For the complete tool-to-command mapping → read references/TOOL-COMMANDS.md
Categories: Linters & Formatters (PHP-CS-Fixer, ESLint, Prettier, Biome, Ruff, golangci-lint, clippy, Checkstyle), Static Analysis (PHPStan, Psalm, Rector, mypy, tsc), Test Frameworks (PHPUnit, Pest, Jest, Vitest, pytest, go test, cargo test) with coverage flags, Security Audit (composer audit, npm audit, pip-audit, govulncheck, cargo audit).
2.8 Services Detection
Check if tests require external services (database, Redis, etc.):
Grep in tests/: postgres|mysql|redis|mongo|rabbitmq|elasticsearch
Glob: docker-compose.test.yml, docker-compose.ci.yml
If services are needed, they will be configured in the CI pipeline as service containers.
2.9 Build Output
Does the project have a build step?
| Language | Has Build | Build Command |
|---|---|---|
Node.js (with build script) |
Yes | npm run build / pnpm build |
| Go | Yes | go build ./... |
| Rust | Yes | cargo build --release |
| Java | Yes | mvn package -DskipTests -B / ./gradlew assemble |
| PHP | Usually no | — |
| Python | Usually no | — |
Summary
Build PROJECT_PROFILE:
language,language_version,language_versions(for matrix)package_manager,lock_file,install_cmdlinters: list of {name, command, config_file}static_analyzers: list of {name, command}test_framework,test_cmd,coverage_cmdsecurity_tools: list of {name, command}has_build_step,build_cmdhas_typescript: boolean (for typecheck job)services_needed: list of services for CIsource_dir: main source directory (src/, app/, lib/)
Step 3: Read Best Practices & Templates
Read skills/ci/references/BEST-PRACTICES.md
Select templates matching the platform and language:
GitHub Actions:
| Language | Template |
|---|---|
| PHP | templates/github/php.yml |
| Node.js | templates/github/node.yml |
| Python | templates/github/python.yml |
| Go | templates/github/go.yml |
| Rust | templates/github/rust.yml |
| Java | templates/github/java.yml |
GitLab CI:
| Language | Template |
|---|---|
| PHP | templates/gitlab/php.yml |
| Node.js | templates/gitlab/node.yml |
| Python | templates/gitlab/python.yml |
| Go | templates/gitlab/go.yml |
| Rust | templates/gitlab/rust.yml |
| Java | templates/gitlab/java.yml |
Read the selected template:
Read skills/ci/templates/<platform>/<language>.yml
Step 4: Generate Pipeline (Generate Mode)
Using the PROJECT_PROFILE, best practices, and template as a base, generate a customized CI pipeline.
4.1 GitHub Actions Generation
One workflow per concern — each file has its own triggers, permissions, concurrency:
| File | Name | Jobs | When to create |
|---|---|---|---|
lint.yml |
Lint | code-style, static-analysis, rector | Linters or SA detected |
tests.yml |
Tests | tests (+ service containers) | Always |
build.yml |
Build | build | has_build_step |
security.yml |
Security | dependency-audit, dependency-review | WANT_SECURITY |
Why one file per concern:
- Each check is a separate status check in PR — instantly see what failed
- Independent triggers — security on schedule, tests on push/PR, build only after tests
- Independent permissions — security may need
security-events: write - Can disable/re-run one workflow without touching others
- Branch protection rules can require specific workflows (e.g. require
testsbut notsecurity)
When to keep single file: Only for very small projects with just lint + tests (2 jobs). As soon as there are 3+ concerns — split.
Every workflow gets the same header pattern:
name: <Name>
on:
push:
branches: [main]
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
Per-file job organization:
lint.yml — all code quality checks in parallel:
| Job | Purpose | When to include |
|---|---|---|
code-style |
Formatting (CS-Fixer, Prettier, Ruff format, rustfmt) | Formatter detected |
lint |
Linting (ESLint, Ruff check, Clippy, golangci-lint) | Linter detected |
static-analysis |
Type checking / SA (PHPStan, Psalm, mypy, tsc) | SA tools detected |
rector |
Rector dry-run (PHP only) | Rector detected |
All jobs run in parallel (no needs). If only one tool detected (e.g. Go with just golangci-lint) — single job in the file is fine.
tests.yml — test suite:
| Job | Purpose | When to include |
|---|---|---|
tests |
Unit/integration tests | Always |
tests-<service> |
Tests requiring service containers | services_needed detected |
Matrix builds (multiple language versions) only in this file.
build.yml — build verification:
| Job | Purpose | Notes |
|---|---|---|
build |
Verify compilation/bundling | Can depend on external workflow via workflow_run or just run independently |
security.yml — security scanning:
| Job | Purpose | Extra triggers |
|---|---|---|
dependency-audit |
Vulnerability scan | schedule: cron '0 6 * * 1' (weekly) |
dependency-review |
PR dependency diff | Only on pull_request |
Per-job rules:
- Each job gets its own setup (checkout, language setup, cache, dependency install)
- Use language-specific setup actions with built-in cache:
- PHP:
shivammathur/setup-php@v2withtools:parameter - Node.js:
actions/setup-node@v4withcache:parameter - Python:
astral-sh/setup-uv@v5(if uv) oractions/setup-python@v5(if pip) - Go:
actions/setup-go@v5(auto-caches) - Rust:
dtolnay/rust-toolchain@stable+Swatinem/rust-cache@v2 - Java:
actions/setup-java@v4withcache:parameter
- PHP:
- Use
fail-fast: falsein matrix builds - Upload coverage as artifact when
WANT_COVERAGE
Matrix builds (when WANT_MATRIX):
Only the tests job uses a matrix. Lint/SA jobs run on the latest version only.
tests:
name: Tests (${{ matrix.<language>-version }})
strategy:
fail-fast: false
matrix:
<language>-version: <language_versions from PROJECT_PROFILE>
Combining linter jobs:
If the project has both a formatter AND a linter from the same ecosystem, combine them into one job:
- PHP:
php-cs-fixercheck + other lint ->code-stylejob - Node.js:
eslint+prettier->lintjob. Biome replaces BOTH ESLint and Prettier — if Biome is detected, use onlynpx biome check .in a singlelintjob - Python:
ruff check+ruff format --check->lintjob (Ruff handles both) - Rust:
cargo fmt+cargo clippy-> can be separate (fmt is fast, clippy needs compilation)
Do NOT combine lint/SA with tests — they should fail independently with clear feedback.
Use the templates in templates/github/ and templates/gitlab/ as a base for generating workflow files. Follow the header pattern (name, on, concurrency, permissions) and per-file job organization described above.
4.2 GitLab CI Generation
Output file: .gitlab-ci.yml
For GitLab-specific pipeline structure, cache strategy, report format integration, and language-specific patterns → read references/GITLAB-PATTERNS.md
Pipeline stages: install → lint → test → build → security
4.3 Service Containers
If services_needed is not empty, add service containers to the test job.
For GitHub Actions and GitLab CI service container syntax → read references/SERVICE-CONTAINERS.md
Quality Checks (Before Writing)
Verify generated pipeline before writing:
Correctness:
- Every job has checkout/setup/install steps
- Cache is configured for the correct lock file
- All commands match tools actually present in the project
- Matrix versions match the project's version constraints
- Service containers have health checks
Best practices:
-
concurrencygroup set (GitHub Actions) -
permissions: contents: readset (GitHub Actions) -
interruptible: trueset (GitLab CI) -
workflow.rulesdefined (GitLab CI) - Jobs are parallel where possible (no unnecessary
needs) -
fail-fast: falseon matrix builds
No over-engineering:
- No jobs for tools not present in the project
- No matrix builds if the project only targets one version
- No security scanning unless requested or tools are installed
- No build job if the project has no build step
Step 5: Enhance / Audit Existing Pipeline
When MODE = "enhance" or MODE = "audit", analyze EXISTING_CONTENT against the project profile and best practices.
5.1 Gap Analysis
Compare existing pipeline against PROJECT_PROFILE:
Missing jobs:
- Linter installed but no lint job in CI?
- SA tool installed but no SA job?
- Tests exist but no test job?
- Security tools installed but no security job?
Configuration issues:
- No caching configured?
- No concurrency group (GitHub Actions)?
- Using deprecated actions (e.g.,
actions-rsinstead ofdtolnay/rust-toolchain)? - Hardcoded language versions instead of variable/matrix?
- Missing
fail-fast: falseon matrix? - Using
policy: pull-pushon all GitLab jobs instead ofpullon non-install jobs?
Missing features:
- No coverage reporting when coverage tools are available?
- No JUnit/codequality report integration (GitLab)?
- No path filtering for monorepos?
- No
workflow_dispatchtrigger (GitHub Actions)?
5.2 Audit Report & Fix
For audit report format, fix flow options, and display templates → read references/AUDIT-REPORT.md
Present results as tables with ✅/❌/⚠️ per check. Categorize recommendations by severity (CRITICAL, HIGH, MEDIUM, LOW). Ask user to choose: fix all, fix critical only, or show details first.
If fixing: preserve existing structure, job names, and ordering conventions.
Step 6: Write Files
6.1 Generate Mode — Write Pipeline
GitHub Actions:
Bash: mkdir -p .github/workflows
Write .github/workflows/lint.yml # If linters/SA detected
Write .github/workflows/tests.yml # Always
Write .github/workflows/build.yml # If has_build_step
Write .github/workflows/security.yml # If WANT_SECURITY
Only create files for detected concerns. If only lint + tests — two files. If the project is trivially small (single lint + single test job) — a single ci.yml is acceptable.
GitLab CI:
Write .gitlab-ci.yml
GitLab CI uses a single .gitlab-ci.yml — stages and DAG (needs:) handle separation.
6.2 Enhance / Audit Mode — Update Existing
Edit existing files using the Edit tool. Preserve the original structure and only add/modify what's needed.
Step 7: Summary & Follow-Up
7.1 Display Summary
Display summary using format from references/AUDIT-REPORT.md (Summary Display Template section). Show platform, files created, features, and quick start commands.
7.2 Suggest Follow-Up Skills
Suggest: /aif-build-automation for CI targets in Makefile/Taskfile, /aif-dockerize for containerization.
Artifact Ownership and Config Policy
- Primary ownership: CI pipeline artifacts such as
.github/workflows/*and.gitlab-ci.yml. - Allowed companion updates: none by default outside CI files.
- Config policy: config-agnostic by design. This skill relies on repository detection and explicit user choices, not
config.yaml.
More from lee-to/ai-factory
aif-skill-generator
Generate professional Agent Skills for AI agents. Creates complete skill packages with SKILL.md, references, scripts, and templates. Use when creating new skills, generating custom slash commands, or building reusable AI capabilities. Validates against Agent Skills specification.
39aif-implement
Execute implementation tasks from the current plan. Works through tasks sequentially, marks completion, and preserves progress for continuation across sessions. Use when user says "implement", "start coding", "execute plan", or "continue implementation".
38aif-security-checklist
Security audit checklist based on OWASP Top 10 and best practices. Covers authentication, injection, XSS, CSRF, secrets management, and more. Use when reviewing security, before deploy, asking "is this secure", "security check", "vulnerability".
36aif-plan
Plan implementation for a feature or task. Two modes — fast (single quick plan) or full (richer plan with optional git branch/worktree flow). Use when user says "plan", "new feature", "start feature", "create tasks".
35aif-improve
Refine and enhance an existing implementation plan with a second iteration. Re-analyzes the codebase, checks for gaps, missing tasks, wrong dependencies, and improves the plan quality. Use after /aif-plan to polish the plan before implementation, or to improve an existing /aif-fix plan.
34aif-commit
Create conventional commit messages by analyzing staged changes. Generates semantic commit messages following the Conventional Commits specification. Use when user says "commit", "save changes", or "create commit".
34