GitHub Actions Secure CI/CD Capability Pack Skill

Prerequisites

Existing workflows or target CI/CD architecture
Branch protection and environment policy context
Security/compliance requirements

Schema details

Install type: package
Reading time: 9 min
Difficulty score: 88
Troubleshooting: Yes
Breaking changes: No

Package metadata

Download URL: /downloads/skills/github-actions-secure-cicd-capability-pack.zip
Package verified: Yes
SHA-256: 171cde88dd94e324d349dfa76d0910dfd8bd3da54f1f22898331b04f5132e4b0

Skill and platform metadata

Skill type: capability-pack
Skill level: expert
Verification: validated
Verified at: 2026-04-10

Retrieval sources

https://docs.github.com/actionshttps://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authenticationhttps://docs.github.com/actions/learn-github-actions/reusing-workflows

Tested platforms

ClaudeCodexOpenClawCursorWindsurfGemini

Platform	Support	Install path
claude-code	Native	.claude/skills/<skill-name>/SKILL.md
codex	Native	.agents/skills/<skill-name>/SKILL.md
windsurf	Native	.windsurf/skills/<skill-name>/SKILL.md
gemini	Native	.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor	Adapter	.cursor/rules/<skill-name>.mdc
cli	Manual	AGENTS.md or tool-specific context file

Full copyable content

# Trigger
"Apply the GitHub Actions secure CI/CD capability pack to this repository."

# Required output
1) Workflow threat model
2) Permissions and token scope plan
3) Supply-chain hardening changes
4) Reliability and failure-recovery checklist

About this resource

Knowledge Freshness

This capability pack is pinned to documentation verified on 2026-04-10. When upstream docs change, refresh endpoint contracts, examples, and constraints before using this skill for production changes.

Retrieval Sources

Always prefer direct retrieval from official docs/API references over model memory for limits, endpoint signatures, and behavior guarantees.

Core Workflow

Confirm target version/runtime and pull latest official docs for the task scope.
Build an execution plan with explicit read-only discovery before any mutation.
Validate contracts, permissions, and safety constraints before applying changes.
Execute with deterministic checkpoints and rollback criteria.
Produce a verification report with evidence, caveats, and next actions.

Overview

This capability pack teaches agents how to build secure and resilient GitHub Actions systems. It focuses on practical controls that reduce compromise risk and operational breakage.

Capability Scope

Workflow architecture and trust boundaries
Token permissions and environment scoping
Action pinning and supply-chain controls
Reusable workflow governance
Build reliability and incident handling

Compatibility

Native

Claude Code / Claude: native skill usage via SKILL.md.
Codex/OpenAI workflows: compatible with Agent Skills-style SKILL.md content as reusable workflow instructions.

Manual Adaptation

Gemini CLI: native skill usage via .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md where supported.
Cursor: use the generated .cursor/rules/*.mdc adapter for project rules.
OpenClaw and similar agents: use the same skill content as a reusable prompt/workflow file when native skill import is unavailable.

Production Rules

Grant minimum workflow permissions by job.
Pin third-party actions to immutable refs.
Separate trusted release workflows from untrusted PR execution.
Capture artifacts/logs for post-failure diagnostics.

Troubleshooting

Issue: CI passes in PRs but fails after merge
Fix: Align PR and main workflow environments and dependency assumptions.

Issue: Workflow has excessive token scope
Fix: Reduce permissions per job and isolate privileged steps to protected environments.

Issue: Third-party action risk is unclear
Fix: Pin exact versions/SHAs and periodically review upstream security posture.

Output Contract

Provide an implementation plan ordered by risk and dependency.
Provide exact production-ready config/commands with no placeholders.
Call out secrets, permissions, and least-privilege requirements.
Include rollback and recovery guidance for each risky step.

Validation Checklist

Verify all referenced docs/versions before applying changes.
Run regression checks for core user flow and error paths.
Confirm observability/logging is enabled for changed components.
Confirm security controls (auth, rate limits, input validation) still pass.
Record final known limitations and follow-up actions.

Content outline

Knowledge Freshness
Retrieval Sources
Core Workflow
Overview
Capability Scope
Compatibility
Native
Manual Adaptation
Production Rules
Troubleshooting
Output Contract
Validation Checklist

#github-actions#cicd#security#devops#capability-pack

Source citations

Related resources

skills

Code Review Automation Capability Pack Skill

Run a local, repeatable PR review loop with severity scoring, false-positive control, and fix-ready output.

Level:expertType:capability-packVerified:validated

TrustedFirst-partyReview firstAdded 2mo ago

Safety · Privacy ·

skills

Ethereum Base Smart Contract Security Capability Pack Skill

Deep smart contract security skill covering Solidity design, test rigor, deployment hygiene, and post-launch risk controls.

Level:expertType:capability-packVerified:validated

TrustedFirst-partyReview firstAdded 2mo ago

Safety · Privacy ·

skills

GitHub Actions AI-Powered CI/CD Automation Skill

Build intelligent CI/CD pipelines with GitHub Actions, AI-assisted workflow generation, automated testing, and deployment orchestration.

Level:advancedType:generalVerified:draft

TrustedFirst-partyReview firstAdded 8mo ago

Safety · Privacy ·

skills

MCP Server Authoring Security Capability Pack Skill

Deep MCP server skill for secure tool design, permissioning, contract stability, and production-grade safety controls.

Level:expertType:capability-packVerified:validated

TrustedFirst-partyReview firstAdded 2mo ago

Safety · Privacy ·

Signals

Loading live community signals…