# CI/CD Pipeline
Analyze a repository and maintain its GitHub Actions CI/CD pipeline. Designed to be called repeatedly — each invocation audits the current state and proposes additions and removals.
## Workflow

### Phase 1: Discover project state
Build a project profile by detecting:
- **Language & runtime** — Check file extensions and config files (`pyproject.toml`, `package.json`, `go.mod`, `Cargo.toml`, `Gemfile`, etc.)
- **Package manager** — pip/uv/poetry, npm/yarn/pnpm, cargo, go modules, etc.
- **Tooling configs** — Lint (ruff, eslint, golangci-lint), format (ruff, prettier, gofmt), typecheck (mypy, pyright, tsc)
- **Test framework** — pytest, jest, vitest, go test, cargo test, etc. Check for test files and config.
- **Docker** — `Dockerfile`, `docker-compose.yml`, `.dockerignore`
- **Deploy targets** — Railway, Fly.io, Vercel, AWS, Kubernetes manifests, Terraform, etc.
- **Existing workflows** — Read all `.github/workflows/*.yml` files
- **Python version / Node version** — From `requires-python`, `engines`, `.python-version`, `.nvmrc`, `.node-version`
- **Dev dependencies** — Check what's available in dev/test dependency groups
Key files to check:
- `pyproject.toml`, `setup.cfg`, `setup.py`, `requirements*.txt`
- `package.json`, `tsconfig.json`
- `go.mod`, `Cargo.toml`, `Gemfile`, `pom.xml`, `build.gradle`
- `Dockerfile`, `docker-compose.yml`
- `.github/workflows/*.yml`
### Phase 2: Audit current pipeline
Read ~/.claude/skills/ci-cd-pipeline/references/actions-catalog.md for the full catalog of actions with add/remove criteria.
For each action in the catalog:
| Signal present? | Action exists? | Decision |
|---|---|---|
| Yes | No | Add |
| Yes | Yes | Check config is correct, update if stale |
| No | Yes | Remove |
| No | No | Skip |
Produce a structured diff of proposed changes.
### Phase 3: Present the plan
Present findings to the user:
```markdown
## CI/CD Audit Report

### Actions to Add
- [ ] [action]: [rationale based on detected signal]

### Manual Setup Required
> Only include this section when adding a deploy action.

[Platform name]:
1. [step from deploy-prerequisites.md]
2. [step from deploy-prerequisites.md]
3. Add `SECRET_NAME` to GitHub repo secrets (Settings → Secrets and variables → Actions)
4. [verification step]

### Actions to Remove
- [ ] [action]: [rationale — signal no longer present]

### Actions to Update
- [ ] [action]: [what changed and why]

### No Changes Needed
- [action]: correctly configured
```
When adding a deploy action, read ~/.claude/skills/ci-cd-pipeline/references/deploy-prerequisites.md for the detected platform and include its setup steps in the Manual Setup Required section. This ensures the user knows what manual steps are needed before the workflow will function.
If running interactively, wait for user approval before making changes. If running autonomously (e.g., as a post-task audit subagent), proceed directly to Phase 4 — apply all additions and updates from the audit.
### Phase 4: Execute changes
After approval:
- Create or edit `.github/workflows/*.yml` files
- If a new tool is needed (e.g., adding a mypy job but mypy isn't in deps), add it to dev dependencies
- If a tool config is missing (e.g., a `[tool.ruff]` section), add it to the project config file
- Delete workflow files or jobs that are no longer needed
- Run the tools locally to verify the pipeline starts green (lint, typecheck, test)
- Present a summary of all changes made
## Guidelines
- Prefer fewer workflow files with multiple jobs over many single-job files.
- Standard layout: `ci.yml` for lint/typecheck/test, `security.yml` for audits/scanning, `deploy.yml` for deployment.
- All jobs in `ci.yml` should run in parallel unless they have dependencies.
- Use `actions/checkout@v4` and `actions/setup-python@v5` / `actions/setup-node@v4`.
- Pin action versions to major tags (e.g., `@v4`), not SHAs.
- CI triggers: `push` to main/master + `pull_request`. Security: `push` to main + weekly `schedule`.
- When adding tooling config, use the project's config file (e.g., `pyproject.toml` for Python, `package.json` for JS).
- When removing an action, also clean up any orphaned tool configs that were only used by that action.
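As an added illustration of the layout these guidelines describe (not a file from the skill's own references), here is a `ci.yml` for a Python project with three independent jobs; the tool set (ruff, mypy, pytest), the `[dev]` extra and the Python version are assumptions for the example.

```yaml
# Added example: ci.yml following the guidelines above.
# Assumptions: ruff for lint/format, mypy for typecheck, pytest for tests,
# dev tools installed via a "dev" extra in pyproject.toml, Python 3.12.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege default GITHUB_TOKEN: these jobs only read the repo.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install ruff
      - run: ruff check .
      - run: ruff format --check .

  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e ".[dev]"
      - run: mypy .

  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e ".[dev]"
      - run: pytest
```

The three jobs share no `needs:` edges, so they run in parallel; a `security.yml` takes the same shape with the `pull_request` trigger replaced by a weekly `schedule` entry, and any job that must write to the repo or publish should be granted only the specific `permissions` it needs rather than relaxing the workflow-level default.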