github-actions-hardened

A Claude Code skill that generates production-hardened GitHub Actions CI/CD workflows enforcing security best practices by default.

What It Does

Every workflow generated by this skill enforces five hardening principles:

Principle	Why It Matters
Job-level least-privilege permissions	Limits blast radius if a step is compromised by a malicious dependency
Latest major version action pins (`@v4`)	Prevents silent breaking changes from `@latest` / `@main` moving targets
Concurrency groups	Cancels stale PR runs; never cancels in-flight production deploys
Timeout guards	Stops hung jobs from consuming 6 hours of runner minutes per incident
Native dependency caching	Cuts redundant network I/O — the single biggest source of avoidable CI latency

It also co-generates a .github/dependabot.yml with every workflow so action versions stay current automatically.

Install

Via `npx skills` (skills.sh)

# Project-level (committed with your repo)
npx skills add arash77/github-actions-skill

# Global (available across all projects)
npx skills add arash77/github-actions-skill -g

# Target Claude Code specifically, auto-confirm
npx skills add arash77/github-actions-skill -g -a claude-code -y

Via Claude Code plugin marketplace

# Step 1 — add this repo as a marketplace (once per machine)
/plugin marketplace add arash77/github-actions-skill

# Step 2 — install the plugin
/plugin install github-actions-hardened@github-actions-skill

Via `--plugin-dir` (local dev / one-off)

git clone https://github.com/arash77/github-actions-skill
claude --plugin-dir ./github-actions-skill

Usage

Once installed, ask Claude Code for any GitHub Actions workflow and it will apply all five hardening principles automatically:

Create a CI workflow for my TypeScript monorepo using pnpm

Set up a hardened Docker build pipeline that pushes to GHCR

Generate a release workflow that creates GitHub Releases on version tags

Skills are namespaced when installed via the plugin marketplace:

/github-actions-hardened:github-actions-hardened

What Gets Generated

Workflow Patterns Included

Pattern A — CI Test Workflow (Node.js, Python, Go, Rust, Java/Maven, Java/Gradle)
Pattern B — Docker Build and Push to GHCR
Pattern C — Tagged Release
Pattern D — Staged Deployment with GitHub Environments (staging → manual approval → production, OIDC auth)

Always Included Alongside Every Workflow

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      github-actions:
        patterns: ["*"]
    commit-message:
      prefix: "chore(ci)"
    labels:
      - "dependencies"
      - "ci"

When to Use This vs `github-actions-templates`

Scenario	Use
Production, externally visible, or compliance-scoped project	this skill
Security audit, SOC 2, or third-party actions involved	this skill
Quick throwaway prototype, purely internal script	`github-actions-templates`

Repository Structure

github-actions-skill/
├── .claude-plugin/
│   ├── plugin.json           # Claude Code plugin manifest
│   └── marketplace.json      # Plugin marketplace catalog
├── skills/
│   └── github-actions-hardened/
│       ├── SKILL.md          # Skill instructions
│       └── references/
│           └── dependabot-config.md
├── evals/
│   └── evals.json            # Evaluation test cases
└── README.md

Evals

The evals/evals.json file contains six test cases covering:

TypeScript monorepo with pnpm
Docker build + GHCR push (security audit scenario)
Go CI without internet access (version verification handling)
AWS deployment with GitHub Environments and manual approval gate
pull_request_target security warning and safe alternative patterns
Python CI with pytest and pip caching

License

MIT

github-actions-hardened

Popularity

What's Inside

README