AgentSkillsCN

ci-setup

Set up pre-commit hooks and GitHub Actions workflows for testing, linting, security scanning, releases, and deployment. Supports Python, Node.js, Go, Rust, and multi-language projects.

SKILL.md
---
name: ci-setup
description: Set up pre-commit hooks and GitHub Actions workflows for testing, linting, security scanning, releases, and deployments. Supports Python, Node.js, Go, Rust, and multi-language projects.
---

CI/CD Setup

Configure pre-commit hooks and GitHub Actions for automated testing, linting, security scanning, and release management across multiple languages and package registries.

Pre-commit Hooks

Installation

bash
pip install pre-commit
pre-commit install

Core Hooks (Language-Agnostic)

yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-yaml
      - id: check-json
      - id: check-added-large-files

Python Hooks

| Hook | Purpose | Config |
|---|---|---|
| black | Code formatting | pyproject.toml |
| ruff | Linting (replaces flake8/isort) | pyproject.toml |
| mypy | Type checking | pyproject.toml |
| bandit | Security scanning | Args: `-r src -x tests` |

JavaScript/TypeScript Hooks

| Hook | Purpose | Config |
|---|---|---|
| eslint | Linting | eslint.config.js |
| prettier | Formatting | .prettierrc |

yaml
- repo: https://github.com/pre-commit/mirrors-eslint
  rev: v9.0.0
  hooks:
    - id: eslint
      additional_dependencies:
        - eslint
        - typescript
        - "@typescript-eslint/parser"
        - "@typescript-eslint/eslint-plugin"

- repo: https://github.com/pre-commit/mirrors-prettier
  rev: v4.0.0
  hooks:
    - id: prettier

Go Hooks

yaml
- repo: https://github.com/dnephin/pre-commit-golang
  rev: v0.5.1
  hooks:
    - id: go-fmt
    - id: go-vet
    - id: golangci-lint

Rust Hooks

yaml
- repo: https://github.com/doublify/pre-commit-rust
  rev: v1.0
  hooks:
    - id: fmt
    - id: cargo-check
    - id: clippy

Package Registries

| Language | Registry | Workflow Template | Auth Method |
|---|---|---|---|
| Python | PyPI | publish-pypi.yml | OIDC Trusted Publishing |
| Node.js | NPM | publish-npm.yml | NPM_TOKEN secret or OIDC |
| Go | pkg.go.dev | Auto-indexed | None needed |
| Rust | crates.io | publish-crates.yml | CARGO_REGISTRY_TOKEN |

GitHub Workflows

Workflow Matrix by Language

Python:

| Workflow | Trigger | Purpose |
|---|---|---|
| python-ci.yaml | push, PR | Tests, lint, security |
| publish-pypi.yml | release/latest | Publish to PyPI |

Node.js:

| Workflow | Trigger | Purpose |
|---|---|---|
| node-ci.yaml | push, PR | Tests, lint, security |
| publish-npm.yml | release/latest | Publish to NPM |

Shared:

| Workflow | Trigger | Purpose |
|---|---|---|
| docs.yml | push to main/release | Deploy docs |
| create-release.yml | release/* branch | Draft GitHub release |
| codeql.yml | push, PR, weekly | Security analysis |
| docker-build-push.yml | push to release/* | Container builds |
| validate-branch-flow.yml | PR to release/* | Enforce branch rules |

Branch Flow

code
main → release/latest → release/x.y.z
         ↓                    ↓
    publishes package    creates draft release
    (PyPI/NPM/crates)
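One way to enforce the flow in the diagram is a small workflow that runs on pull requests into release branches and rejects a PR whose source branch is not the expected upstream. The example below is added here and is not the project's own validate-branch-flow.yml template; the rule it encodes (release/latest accepts PRs only from main, release/x.y.z only from release/latest) is an assumed reading of the diagram above.

```yaml
name: Validate branch flow
on:
  pull_request:
    branches:
      - 'release/**'

# Nothing in this job needs to write to the repository.
permissions:
  contents: read

jobs:
  check-source-branch:
    runs-on: ubuntu-latest
    steps:
      - name: Require the expected source branch
        # Branch names are passed through env rather than interpolated into the
        # script body, so a crafted branch name cannot become shell code.
        env:
          HEAD_REF: ${{ github.head_ref }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          # Assumed rule (derived from the branch-flow diagram, not the project's template):
          #   release/latest  <- main
          #   release/x.y.z   <- release/latest
          case "$BASE_REF" in
            release/latest)
              expected="main" ;;
            release/*)
              expected="release/latest" ;;
            *)
              echo "Not a release branch: $BASE_REF"
              exit 0 ;;
          esac
          if [ "$HEAD_REF" != "$expected" ]; then
            echo "::error::PRs into $BASE_REF must come from $expected (got $HEAD_REF)"
            exit 1
          fi
          echo "OK: $HEAD_REF -> $BASE_REF"
```

Make this check a required status check on the release/* branch protection rules; otherwise a failing run only annotates the PR and does not block the merge.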

Trusted Publishing (OIDC)

Both PyPI and NPM support OIDC. The PyPI example below needs no secrets at all; the NPM example uses the OIDC token for the provenance attestation while still authenticating the publish with NPM_TOKEN (the registry table above lists both options):

PyPI:

yaml
permissions:
  id-token: write   # lets the job request an OIDC token that PyPI exchanges for a short-lived upload token
steps:
  - uses: pypa/gh-action-pypi-publish@release/v1   # no password/API token input needed with Trusted Publishing

NPM (provenance):

yaml
permissions:
  id-token: write   # needed to sign the --provenance attestation via OIDC
steps:
  - run: npm publish --provenance --access public
    env:
      # Authenticates the publish itself; actions/setup-node with registry-url
      # writes the .npmrc that reads this variable
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Required Secrets

| Secret | Purpose | Required For |
|---|---|---|
| CODECOV_TOKEN | Coverage uploads | All languages |
| NPM_TOKEN | NPM publishing | Node.js |
| CARGO_REGISTRY_TOKEN | crates.io publishing | Rust |
| DIGITALOCEAN_ACCESS_TOKEN | Container registry | Docker (if using DO) |
| None for PyPI | OIDC Trusted Publishing | Python |

Templates

Pre-commit

  • templates/.pre-commit-config.yaml - Multi-language configuration

Python

  • templates/workflows/python-ci.yaml - Tests and linting
  • templates/workflows/publish-pypi.yml - PyPI publishing

Node.js

  • templates/workflows/node-ci.yaml - Tests and linting
  • templates/workflows/publish-npm.yml - NPM publishing

Shared

  • templates/workflows/docs.yml - MkDocs deployment with mike
  • templates/workflows/create-release.yml - Draft release automation
  • templates/workflows/codeql.yml - CodeQL security scanning
  • templates/workflows/docker-build-push.yml - Container builds
  • templates/workflows/validate-branch-flow.yml - Branch flow enforcement