AgentSkillsCN

cicd-master

适用于 GitHub Actions 工作流、部署脚本以及服务器任务调度的 CI/CD 管道顾问。 适用场景:(1) 编辑或审阅 .github/workflows/*.yml 文件;(2) 开发 bin/ 目录下的部署脚本;(3) 针对本地服务器上的 Cron 作业或 systemd 服务提出疑问;(4) 构建/推送 Docker 镜像的流水线;(5) 为 CI/CD 进行安全加固(如密钥管理、权限配置、可信证明等)。 本技能仅提供专业建议与审核意见,不会直接执行服务器命令。

SKILL.md
--- frontmatter
name: cicd-master
description: |
  CI/CD pipeline advisor for GitHub Actions workflows, deployment scripts, and server task scheduling.
  Use when: (1) editing or reviewing .github/workflows/*.yml files, (2) working on deployment scripts
  in bin/, (3) questions about cron jobs or systemd services on local servers, (4) Docker image
  build/push pipelines, (5) security hardening for CI/CD (secrets, permissions, attestations).
  This skill provides advice and reviews - it does not execute server commands.

CI/CD Master

Advisory guidance for robust and secure CI/CD pipelines in the SAPPHIRE project.

Role: Review, advise, and suggest improvements. Does not execute server commands directly or indirectly.

Project CI/CD Architecture

code
Developer → GitHub Actions → Docker Hub → AWS Server → Local Hydromet Servers
              │
              ├── build_test.yml (on push/PR)
              │   └── Test builds, unit tests
              │
              └── deploy_main.yml (on merge to main)
                  └── Build, sign, push images with attestations

GitHub Actions Security Checklist

When reviewing or editing workflow files, verify:

  • Pinned action versions (@v4 not @main)
  • Minimal permissions: scope (prefer read over write)
  • Secrets via ${{ secrets.* }} never hardcoded
  • No command injection via ${{ github.event.* }} in run:
  • Timeout set for long-running jobs (timeout-minutes:)
  • Concurrency controls for expensive jobs

Current Security Features

FeatureStatusPurpose
SLSA ProvenanceEnabledSupply chain attestation
SBOM GenerationEnabledSoftware Bill of Materials
Cosign SigningEnabledImage signature verification
Non-root UserIn imagesContainer security
Pinned ActionsYesReproducible builds

Workflow Best Practices

Job Dependencies

yaml
jobs:
  test:
    runs-on: ubuntu-latest
  build:
    needs: test  # Only runs if test passes

Disk Space for Large Builds

ML image builds (~4GB) need disk cleanup:

yaml
- name: Free disk space
  run: |
    sudo rm -rf /usr/share/dotnet
    sudo rm -rf /opt/ghc
    sudo rm -rf /usr/local/share/boost
    sudo rm -rf /usr/local/lib/android

Supply Chain Security

yaml
- uses: docker/build-push-action@v6
  with:
    provenance: true
    sbom: true

Deployment Script Review (bin/)

When reviewing scripts in bin/, check for:

  • Proper error handling (set -e or equivalent)
  • No hardcoded credentials (use environment variables)
  • Logging for debugging
  • Idempotency (safe to run multiple times)
  • Clear documentation of prerequisites

Task Scheduling Guidance

Cron Syntax Reference

code
┌───────────── minute (0-59)
│ ┌───────────── hour (0-23)
│ │ ┌───────────── day of month (1-31)
│ │ │ ┌───────────── month (1-12)
│ │ │ │ ┌───────────── day of week (0-6, Sun=0)
│ │ │ │ │
* * * * *

# Examples
0 6 * * *    # Daily at 6:00 AM
0 */6 * * *  # Every 6 hours
0 6 1 * *    # First day of month at 6:00 AM

Systemd Timers (recommended over cron)

  • More reliable with Persistent=true (runs missed jobs)
  • Better logging via journalctl
  • Dependency management with other services

Common Issues & Solutions

IssueSolution
Build timeoutAdd timeout-minutes: 60
ML build failsAdd disk cleanup step
Docker rate limitsUse authenticated pulls
Workflow not triggeringCheck on: triggers and branch rules