Hardened GitHub Actions CI/CD workflow skill for Claude Code
npx claudepluginhub arash77/github-actions-skill
Generate production-hardened GitHub Actions CI/CD workflows enforcing least-privilege permissions, concurrency groups, timeout guards, dependency caching, and latest major version action tags. Always co-generates a .github/dependabot.yml.
A Claude Code skill that generates production-hardened GitHub Actions CI/CD workflows enforcing security best practices by default.
Every workflow generated by this skill enforces five hardening principles:
| Principle | Why It Matters |
|---|---|
| Job-level least-privilege permissions | Limits blast radius if a step is compromised by a malicious dependency |
| Latest major version action pins (@v4) | Prevents silent breaking changes from @latest / @main moving targets |
| Concurrency groups | Cancels stale PR runs; never cancels in-flight production deploys |
| Timeout guards | Stops hung jobs from consuming 6 hours of runner minutes per incident |
| Native dependency caching | Cuts redundant network I/O — the single biggest source of avoidable CI latency |
It also co-generates a .github/dependabot.yml with every workflow so action versions stay current automatically.
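As an added illustration (written for this page, not output captured from the skill or taken from its repository), here is a small Node.js CI workflow that applies the five principles together. The npm project with a committed lockfile, the Node version and the 15-minute limit are assumptions.

```yaml
# .github/workflows/ci.yml (constructed example)
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Start from zero token scopes; each job below opts in to what it needs.
permissions: {}

concurrency:
  # One group per workflow and ref, so a new push to a PR supersedes the older run.
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel only pull_request runs; runs triggered by pushes to main always finish.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    # Without this, a hung job runs until the 360-minute default.
    timeout-minutes: 15
    # Job-level least privilege: read-only repository contents, nothing else.
    permissions:
      contents: read
    steps:
      # Major version tags, never @main or @latest.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed runtime version
          cache: npm         # native caching; needs a committed package-lock.json
      - run: npm ci
      - run: npm test
```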
npx skills (skills.sh)
# Project-level (committed with your repo)
npx skills add arash77/github-actions-skill
# Global (available across all projects)
npx skills add arash77/github-actions-skill -g
# Target Claude Code specifically, auto-confirm
npx skills add arash77/github-actions-skill -g -a claude-code -y
# Step 1 — add this repo as a marketplace (once per machine)
/plugin marketplace add arash77/github-actions-skill
# Step 2 — install the plugin
/plugin install github-actions-hardened@github-actions-skill
--plugin-dir (local dev / one-off)
git clone https://github.com/arash77/github-actions-skill
claude --plugin-dir ./github-actions-skill
Once installed, ask Claude Code for any GitHub Actions workflow and it will apply all five hardening principles automatically:
Create a CI workflow for my TypeScript monorepo using pnpm
Set up a hardened Docker build pipeline that pushes to GHCR
Generate a release workflow that creates GitHub Releases on version tags
Skills are namespaced when installed via the plugin marketplace:
/github-actions-hardened:github-actions-hardened
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      github-actions:
        patterns: ["*"]
    commit-message:
      prefix: "chore(ci)"
    labels:
      - "dependencies"
      - "ci"
github-actions-templates
| Scenario | Use |
|---|---|
| Production, externally visible, or compliance-scoped project | this skill |
| Security audit, SOC 2, or third-party actions involved | this skill |
| Quick throwaway prototype, purely internal script | github-actions-templates |
github-actions-skill/
├── .claude-plugin/
│   ├── plugin.json          # Claude Code plugin manifest
│   └── marketplace.json     # Plugin marketplace catalog
├── skills/
│   └── github-actions-hardened/
│       ├── SKILL.md         # Skill instructions
│       └── references/
│           └── dependabot-config.md
├── evals/
│   └── evals.json           # Evaluation test cases
└── README.md
The evals/evals.json file contains three test cases covering:
MIT