AgentSkillsCN

ci-guardrails

Used to improve GitHub Actions workflows for speed, reliability, and security. Never change product code unless the CI process strictly requires it. Keep checks deterministic and aligned with the branch protection policy.

SKILL.md
---
name: ci-guardrails
description: Use to improve GitHub Actions workflows for speed, reliability, and security. Do NOT change product code unless required by CI. Keep checks deterministic and aligned with branch protection.
---

Checklist:

  1. Required checks alignment
  • Ensure workflow/job names match the branch protection required checks exactly; required checks are matched by check name, so renaming a job silently stops it from gating merges
  • Ensure PR checks run on pull_request and are fast and deterministic (no dependence on wall-clock time, network state, or unpinned tool versions)
  2. Least privilege & secure defaults
  • Set the default workflow permissions to the minimum required (start from `permissions: {}` or `contents: read`)
  • Use per-job permissions: blocks for elevation, so only the job that needs write access gets it
  • Prefer OIDC federation for cloud access (id-token: write, short-lived credentials); avoid long-lived secrets
  3. Build/test hygiene
  • Cache appropriately, keyed on the lockfile hash so a changed dependency set never restores a stale cache:
    • .NET: NuGet packages
    • Node: npm/pnpm/yarn cache + lockfile-based key
  • Use a matrix for OS/runtime versions only if it is valuable
  • Use concurrency to cancel redundant runs on the same branch/PR
  • Split "quick PR checks" from the "full pipeline" when needed
  4. Artifact handling
  • Upload test results/coverage as artifacts if useful
  • Ensure artifacts are not treated as trusted input without validation; anything built from pull-request code is untrusted, so a later, more privileged job must not execute or deploy it unverified
  • Add provenance attestation for release artifacts where applicable
  5. Reusability
  • Convert repeated logic into reusable workflows (workflow_call)
  • Centralize security-hardening steps (permissions, action pinning policy, dependency checks)
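The workflow below is an added example of items 1 through 4 applied to a single PR-plus-release workflow; it is not part of the AgentSkillsCN page or the ci-guardrails skill itself. It assumes a Node project with a `package-lock.json`, a branch protection rule whose required check is named `pr-checks`, and an AWS IAM role that trusts GitHub's OIDC provider; the role ARN, bucket name and `reports/` path are placeholders. Action versions are shown as tags only because this example cannot vouch for a specific commit SHA; the pinning policy is to replace them with the full SHA you reviewed.

```yaml
# Added example: not the project's own workflow. Placeholders: role ARN,
# bucket name, reports/ path, and the job name "pr-checks".
name: ci

on:
  pull_request:                     # item 1: PR checks run on pull_request
  push:
    tags: ["v*"]                    # release path only on version tags

# item 2: workflow-wide default is no permissions; each job opts in below.
permissions: {}

# item 3: cancel superseded runs for the same PR (or branch/tag on push).
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  # The job name is the check name that branch protection requires (item 1).
  pr-checks:
    name: pr-checks
    runs-on: ubuntu-latest
    permissions:
      contents: read                # read-only token: cannot push or publish
    steps:
      # Pinning policy: pin to a full commit SHA and keep the tag as a comment.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm                              # item 3: cache keyed on the lockfile hash
          cache-dependency-path: package-lock.json
      - run: npm ci                               # deterministic: installs exactly the lockfile
      - run: npm test -- --ci
      - if: always()                              # item 4: keep results even when tests fail
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: reports/                          # placeholder path
          retention-days: 7

  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    needs: pr-checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                 # item 2: OIDC token for cloud auth, no stored cloud keys
      attestations: write             # item 4: needed to write provenance attestations
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # item 4: rebuild from the tagged source instead of downloading the
      # pr-checks artifact, so nothing produced by unreviewed PR code is shipped.
      - run: npm run build && tar -czf dist.tar.gz dist/
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist.tar.gz
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-release   # placeholder
          aws-region: us-east-1
      - run: aws s3 cp dist.tar.gz s3://example-release-bucket/${{ github.ref_name }}/   # placeholder bucket
```

Two design choices worth noting. The release job declares `needs: pr-checks` but deliberately never downloads that job's artifacts; it rebuilds from the checked-out tag, which is the cheapest way to honour "artifacts are not trusted input" without adding a verification step. And the only job that receives `id-token: write` is the one that talks to the cloud, so a compromised test step in `pr-checks` holds a read-only `GITHUB_TOKEN` and no cloud credentials. For item 5, the `permissions` blocks and the pinning policy above are the parts that would move into a shared `workflow_call` workflow so every repository inherits them.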

Finish with:

  • Summary of workflow changes
  • Expected performance impact (faster? less flaky?)
  • Security impact (permissions, OIDC, pinning)
  • Any follow-ups (branch protection updates, secrets/env setup)