AgentSkillsCN

prowler-ci

协助Prowler仓库CI和PR门禁(GitHub Actions工作流)。触发条件:调查PR上CI检查失败、PR标题验证、变更日志门禁/无变更日志标签、冲突标记检查、密钥扫描、CODEOWNERS/标签自动化或.github/workflows下的任何内容。

SKILL.md
--- frontmatter
name: prowler-ci
description: >
  Helps with Prowler repository CI and PR gates (GitHub Actions workflows).
  Trigger: When investigating CI checks failing on a PR, PR title validation, changelog gate/no-changelog label,
  conflict marker checks, secret scanning, CODEOWNERS/labeler automation, or anything under .github/workflows.
license: Apache-2.0
metadata:
  author: prowler-cloud
  version: "1.0"
  scope: [root]
  auto_invoke:
    - "Inspect PR CI checks and gates (.github/workflows/*)"
    - "Debug why a GitHub Actions job is failing"
    - "Understand changelog gate and no-changelog label behavior"
    - "Understand PR title conventional-commit validation"
    - "Understand CODEOWNERS/labeler-based automation"
allowed-tools: Read, Edit, Write, Glob, Grep, Bash

What this skill covers

Use this skill whenever you are:

  • Reading or changing GitHub Actions workflows under .github/workflows/
  • Explaining why a PR fails checks (title, changelog, conflict markers, secret scanning)
  • Figuring out which workflows run for UI/API/SDK changes and why
  • Diagnosing path-filtering behavior (why a workflow did/didn't run)

Quick map (where to look)

  • PR template: .github/pull_request_template.md
  • PR title validation: .github/workflows/conventional-commit.yml
  • Changelog gate: .github/workflows/pr-check-changelog.yml
  • Conflict markers check: .github/workflows/pr-conflict-checker.yml
  • Secret scanning: .github/workflows/find-secrets.yml
  • Auto labels: .github/workflows/labeler.yml and .github/labeler.yml
  • Review ownership: .github/CODEOWNERS

Debug checklist (PR failing checks)

  1. Identify which workflow/job is failing (name + file under .github/workflows/).
  2. Check path filters: is the workflow supposed to run for your changed files?
  3. If it's a title check: verify PR title matches Conventional Commits.
  4. If it's changelog: verify the right CHANGELOG.md is updated OR apply no-changelog label.
  5. If it's conflict checker: remove <<<<<<<, =======, >>>>>>> markers.
  6. If it's secrets (TruffleHog): see section below.

TruffleHog Secret Scanning

TruffleHog scans for leaked secrets. Common false positives in test files:

Patterns that trigger TruffleHog:

  • sk-*T3BlbkFJ* - OpenAI API keys
  • AKIA[A-Z0-9]{16} - AWS Access Keys
  • ghp_* / gho_* - GitHub tokens
  • Base64-encoded strings that look like credentials

Fix for test files:

python
# BAD - looks like real OpenAI key
api_key = "sk-test1234567890T3BlbkFJtest1234567890"

# GOOD - obviously fake
api_key = "sk-fake-test-key-for-unit-testing-only"

If TruffleHog flags a real secret:

  1. Remove the secret from the code immediately
  2. Rotate the credential (it's now in git history)
  3. Consider using .trufflehog-ignore for known false positives (rarely needed)

Notes

  • Keep prowler-pr focused on creating PRs and filling the template.
  • Use prowler-ci for CI policies and gates that apply to PRs.