Install specific skill from multi-skill repository:

```sh
npx skills add YuniorGlez/gemini-elite-core --skill "github-actions-pro"
```
# Description
Senior DevOps & CI/CD Architect for 2026. Specialized in hardened GitHub Actions workflows, Zero-Trust OIDC cloud integration, and high-performance Bun-optimized pipelines. Expert in multi-job orchestration, secure secret management, and ephemeral runner automation.
# SKILL.md
name: github-actions-pro
description: Senior DevOps & CI/CD Architect for 2026. Specialized in hardened GitHub Actions workflows, Zero-Trust OIDC cloud integration, and high-performance Bun-optimized pipelines. Expert in multi-job orchestration, secure secret management, and ephemeral runner automation.
⚙️ Skill: github-actions-pro (v1.0.0)
Executive Summary
Senior DevOps & CI/CD Architect for 2026. Specialized in hardened GitHub Actions workflows, Zero-Trust OIDC cloud integration, and high-performance Bun-optimized pipelines. Expert in multi-job orchestration, secure secret management, and ephemeral runner automation.
📋 The Conductor's Protocol
- Workflow Auditing: Review the current workflow file for security vulnerabilities (e.g., broad permissions, long-lived secrets).
- Infrastructure Mapping: Identify target environments (staging, production) and required cloud provider permissions.
- Sequential Activation: `activate_skill(name="github-actions-pro")` → `activate_skill(name="auditor-pro")` → `activate_skill(name="vercel-sync")`.
- Verification: Use `act` or dry-run commits to verify YAML syntax and job dependencies before merging.
🛠️ Mandatory Protocols (2026 Standards)
1. Zero-Trust OIDC Integration
Under this skill's 2026 standard, long-lived AWS/Azure/GCP access keys stored as repository secrets are prohibited in production pipelines.
- Rule: Always use OIDC. The job must carry the `id-token: write` permission, which is what lets it request a short-lived token from GitHub's OIDC provider.
- Protocol: Configure `aws-actions/configure-aws-credentials` (or `azure/login` / `google-github-actions/auth`) with a role to assume, never with static keys. On the cloud side, restrict the role's trust policy to the token's `sub` claim for the exact repository and branch or environment that may deploy, and to the expected `aud` value; a trust policy without a `sub` condition lets any workflow in any repository that trusts the provider assume the role.
2. Strict Permission Scoping
Follow the principle of least privilege for every job.
- Rule: Explicitly define permissions at the job level.
- Protocol: Default to `contents: read` and only add write permissions (e.g., `pull-requests: write`) where strictly necessary.
3. Bun-First CI/CD Optimization
- Caching: Use `actions/cache` v4+ to cache Bun's install directory (`~/.bun/install/cache`), keyed on the hash of the committed lockfile.
- Lockfile: Commit the lockfile (the text `bun.lock` on Bun 1.2+, the binary `bun.lockb` on older releases) and install with `bun install --frozen-lockfile`, so CI resolves exactly the dependency set that was reviewed and fails instead of silently re-resolving.
- Test Runner: Use `bun test` for fast unit and integration test execution.
4. Hardened Runners & Security
- Ephemeral Runners: For self-hosted scenarios, use JIT (Just-in-Time) runners that are registered for a single job and destroyed after it, so nothing a job leaves on disk or in memory survives into the next one.
- Egress Control: Use tools like StepSecurity's `harden-runner` to restrict network egress from runners to an allow-list of known domains and to alert on anything else.
- Action Pinning: Always pin third-party actions to a full commit SHA (e.g., `actions/checkout@b4ffde...`) rather than a tag or branch; tags and branches are mutable, so a compromised upstream can change what `@v4` resolves to. Keep the release version as a trailing comment so reviewers and update bots know which release the SHA corresponds to.
🚀 Show, Don't Just Tell (Implementation Patterns)
Modern OIDC + Bun Workflow (2026)
```yaml
name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Scoped at the job level (protocol 2): only what this job needs.
    permissions:
      id-token: write   # mandatory for OIDC: allows the job to request a token
      contents: read
    steps:
      # Tags are shown for readability; per protocol 4, pin each of these to a full commit SHA.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history; drop if the build does not need it (faster, less exposure)
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest     # prefer an explicit version for reproducible builds
      - name: Cache Bun Dependencies
        uses: actions/cache@v4
        with:
          path: ~/.bun/install/cache
          # Hash whichever lockfile the repo commits (bun.lock on Bun 1.2+, bun.lockb before that).
          key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock', '**/bun.lockb') }}
          restore-keys: |
            ${{ runner.os }}-bun-
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # No static keys: the action exchanges the GitHub OIDC token for temporary STS credentials.
          # 123456789012 is a placeholder 12-digit account ID.
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
      - name: Build & Deploy
        run: bun run build && bun run deploy
```
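
The `role-to-assume` above only works, and only stays safe, if the role's trust policy admits exactly the tokens you intend. The following is an added example written for this page, not part of the github-actions-pro skill or of any AWS tooling: it evaluates IAM-style `StringEquals` / `StringLike` conditions against constructed GitHub OIDC claim sets and shows that a strict `sub` pattern admits only the main-branch push and the production-environment job, while the common `repo:ORG/*` wildcard also admits pull-request and other-repository tokens. The account ID, the `acme/shop` repository and the token payloads are placeholders; the claim formats are the ones GitHub issues and the condition keys are the ones AWS evaluates for `token.actions.githubusercontent.com`.

```python
"""Which GitHub OIDC tokens would an IAM trust policy admit?

Added illustration (not the skill's code). Policies and claims below are
constructed; only the claim/condition-key formats are real.
"""
import re

PROVIDER = "token.actions.githubusercontent.com"
SUB_KEY = f"{PROVIDER}:sub"
AUD_KEY = f"{PROVIDER}:aud"


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_allows(operator: str, key: str, patterns, claims: dict) -> bool:
    """Evaluate one condition entry, e.g. StringLike / ...:sub / [patterns], against the token claims."""
    value = claims.get(key.split(":", 1)[1])  # "...:sub" -> claim "sub"
    if value is None:
        return False
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringLike":
        return any(_string_like(p, value) for p in patterns)
    raise ValueError(f"unsupported operator {operator}")


def role_admits(trust_policy: dict, claims: dict) -> bool:
    """True if any Allow statement for sts:AssumeRoleWithWebIdentity matches every one of its conditions."""
    for stmt in trust_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conditions = stmt.get("Condition", {})
        # A statement with no Condition block has nothing to fail: it admits every token.
        if all(_condition_allows(op, key, pat, claims)
               for op, entries in conditions.items() for key, pat in entries.items()):
            return True
    return False


def trust_policy(sub_patterns) -> dict:
    """Trust policy for the GitHub OIDC provider; the account ID is a placeholder."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                "StringLike": {SUB_KEY: list(sub_patterns)},
            },
        }],
    }


STRICT = trust_policy(["repo:acme/shop:ref:refs/heads/main",
                       "repo:acme/shop:environment:production"])
LOOSE = trust_policy(["repo:acme/*"])  # anti-pattern: whole org, any ref, any pull request

# Constructed claim sets shaped like the payload of a GitHub Actions OIDC token.
AUD = "sts.amazonaws.com"
TOKENS = {
    "push to main":       {"sub": "repo:acme/shop:ref:refs/heads/main", "aud": AUD},
    "production env job": {"sub": "repo:acme/shop:environment:production", "aud": AUD},
    "pull request build": {"sub": "repo:acme/shop:pull_request", "aud": AUD},
    "feature branch":     {"sub": "repo:acme/shop:ref:refs/heads/feature/x", "aud": AUD},
    "another org repo":   {"sub": "repo:acme/sandbox:ref:refs/heads/main", "aud": AUD},
    "wrong audience":     {"sub": "repo:acme/shop:ref:refs/heads/main", "aud": "https://github.com/acme"},
}


def admitted(policy: dict) -> list:
    """Names of the constructed tokens that could assume a role carrying this policy."""
    return [name for name, claims in TOKENS.items() if role_admits(policy, claims)]


if __name__ == "__main__":
    print("strict policy admits:", admitted(STRICT))
    print("loose policy admits: ", admitted(LOOSE))
```

A job that sets `environment:` receives `sub = repo:OWNER/REPO:environment:NAME` instead of the `ref:` form, so a trust policy written for the branch alone will reject the environment-gated deploy job and vice versa; list both patterns, as `STRICT` does, or use one consistently. The `aud` check matters because `configure-aws-credentials` requests `sts.amazonaws.com` explicitly; a token minted for a different audience must not be accepted.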
Matrix Build with Environment Protection

```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Bun releases under test; a matrix value only has an effect if a step consumes it.
        bun-version: ["1.1.0", "1.2.0", "latest"]
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ matrix.bun-version }}
      - name: Run Tests
        run: bun test

  deploy:
    needs: test                # runs only after every matrix leg has passed
    environment: production    # required reviewers and wait timers configured on the environment gate this job
    runs-on: ubuntu-latest
    steps:
      - run: echo "deployment steps as in the OIDC workflow above"
```
🛡️ The Do Not List (Anti-Patterns)
- DO NOT use `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`. Use OIDC roles.
- DO NOT use `actions/checkout@v1` or other outdated versions. Use the current major (v4+), pinned to a commit SHA.
- DO NOT leave `permissions` at the default (broad). Always scope them.
- DO NOT run CI on every branch for expensive jobs. Use `on.pull_request` and `on.push` branch and path filters.
- DO NOT ignore cache keys. A key that does not include the lockfile hash keeps serving stale dependencies and produces "it works on CI but not locally" bugs.
📂 Progressive Disclosure (Deep Dives)
- OIDC Configuration Deep Dive: Setting up trust relationships in AWS/GCP/Azure.
- Advanced Workflow Orchestration: Using `needs`, `if`, and `outputs` for complex pipelines.
- Security Hardening Guide: SHA pinning, egress filtering, and audit logs.
- Monorepo CI Strategies: Using Turborepo filters in GitHub Actions.
🛠️ Specialized Tools & Scripts
- `scripts/verify-sha-pinning.py`: Checks all `.github/workflows` files for actions not pinned to a SHA.
- `scripts/generate-workflow.ts`: Generates a standard, hardened workflow boilerplate.
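
The skill's `scripts/verify-sha-pinning.py` is not reproduced on this page, so the following is an added example written for this edit (not the skill's script) that covers the same check plus the other two items the Conductor's Protocol auditing step and the Do Not List call out: unpinned third-party actions, long-lived cloud keys referenced from `secrets`, and a missing or `write-all` `permissions` block. It scans line by line so it runs without a YAML library. The sample workflow, the 40-hex placeholder SHA and the Azure/GCP secret names (`AZURE_CLIENT_SECRET`, `GCP_SA_KEY`, assumed conventions) are constructed for the example.

```python
"""Audit GitHub Actions workflows for the anti-patterns this skill names.

Added example, not the skill's scripts/verify-sha-pinning.py. Line-based on
purpose: no YAML dependency, and line numbers map straight back to the file.
"""
import re
import sys
from pathlib import Path

# uses: owner/repo[/path]@ref   (local "./" actions and docker:// references never match)
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\']+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# AWS names come from the page; the Azure/GCP names are assumed conventions.
STATIC_CREDS_RE = re.compile(
    r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AZURE_CLIENT_SECRET|GCP_SA_KEY)\b")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(\S*)")


def audit_workflow(text: str) -> list:
    """Return (line, rule, detail) findings for one workflow file; line 0 means file-level."""
    findings = []
    saw_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        code = re.sub(r"(^|\s)#.*", "", line)  # drop trailing YAML comments such as "# v4.1.1"
        m = USES_RE.match(code)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((lineno, "unpinned-action",
                             f"{m.group(1)}@{m.group(2)} is a mutable tag or branch; pin to a commit SHA"))
        m = STATIC_CREDS_RE.search(code)
        if m:
            findings.append((lineno, "static-cloud-credential",
                             f"secrets.{m.group(1)} is a long-lived key; use OIDC role assumption"))
        m = PERMISSIONS_RE.match(code)
        if m:
            saw_permissions = True
            if m.group(1) == "write-all":
                findings.append((lineno, "broad-permissions", "permissions: write-all grants every scope"))
    if not saw_permissions:
        findings.append((0, "default-permissions",
                         "no permissions block; GITHUB_TOKEN falls back to the repository default"))
    return findings


def scan(root: Path) -> dict:
    """Audit every workflow under ROOT/.github/workflows; maps path -> findings."""
    return {str(wf): audit_workflow(wf.read_text(encoding="utf-8"))
            for wf in sorted(root.glob(".github/workflows/*.y*ml"))}


# Constructed sample: two unpinned actions, one pinned to a placeholder SHA,
# static AWS keys, a local action that must not be flagged, and no permissions block.
SAMPLE_WORKFLOW = """\
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reports = scan(Path(sys.argv[1]))
    else:
        reports = {"<sample workflow>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in reports.items():
        for lineno, rule, detail in findings:
            print(f"{path}:{lineno}: [{rule}] {detail}")
    sys.exit(1 if any(reports.values()) else 0)
```

Run it as `python audit.py /path/to/repo` from CI to fail the build on any finding; with no argument it audits the embedded sample. Because the checks are textual, a `uses:` value assembled from expressions or a `permissions` block nested under an unexpected key will be missed, so treat it as a gate on the common mistakes, not as proof of a clean workflow.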
🎓 Learning Resources
Updated: January 23, 2026 - 18:45
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents.