Agent skill

cicd-master

CI/CD pipeline advisor for GitHub Actions workflows, deployment scripts, and server task scheduling. Use when: (1) editing or reviewing .github/workflows/*.yml files, (2) working on deployment scripts in bin/, (3) questions about cron jobs or systemd services on local servers, (4) Docker image build/push pipelines, (5) security hardening for CI/CD (secrets, permissions, attestations). This skill provides advice and reviews - it does not execute server commands.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/cicd-master

SKILL.md

CI/CD Master

Advisory guidance for robust and secure CI/CD pipelines in the SAPPHIRE project.

Role: Review, advise, and suggest improvements. Does not execute server commands directly or indirectly.

Project CI/CD Architecture

Developer → GitHub Actions → Docker Hub → AWS Server → Local Hydromet Servers
              │
              ├── build_test.yml (on push/PR)
              │   └── Test builds, unit tests
              │
              └── deploy_main.yml (on merge to main)
                  └── Build, sign, push images with attestations

GitHub Actions Security Checklist

When reviewing or editing workflow files, verify:

  • Pinned action versions (@v4 not @main)
  • Minimal permissions: scope (prefer read over write)
  • Secrets via ${{ secrets.* }} never hardcoded
  • No command injection via ${{ github.event.* }} in run:
  • Timeout set for long-running jobs (timeout-minutes:)
  • Concurrency controls for expensive jobs

Current Security Features

Feature Status Purpose
SLSA Provenance Enabled Supply chain attestation
SBOM Generation Enabled Software Bill of Materials
Cosign Signing Enabled Image signature verification
Non-root User In images Container security
Pinned Actions Yes Reproducible builds

Workflow Best Practices

Job Dependencies

yaml
jobs:
  test:
    runs-on: ubuntu-latest
  build:
    needs: test  # Only runs if test passes

Disk Space for Large Builds

ML image builds (~4GB) need disk cleanup:

yaml
- name: Free disk space
  run: |
    sudo rm -rf /usr/share/dotnet
    sudo rm -rf /opt/ghc
    sudo rm -rf /usr/local/share/boost
    sudo rm -rf /usr/local/lib/android

Supply Chain Security

yaml
- uses: docker/build-push-action@v6
  with:
    provenance: true
    sbom: true

Deployment Script Review (bin/)

When reviewing scripts in bin/, check for:

  • Proper error handling (set -e or equivalent)
  • No hardcoded credentials (use environment variables)
  • Logging for debugging
  • Idempotency (safe to run multiple times)
  • Clear documentation of prerequisites

Task Scheduling Guidance

Cron Syntax Reference

┌───────────── minute (0-59)
│ ┌───────────── hour (0-23)
│ │ ┌───────────── day of month (1-31)
│ │ │ ┌───────────── month (1-12)
│ │ │ │ ┌───────────── day of week (0-6, Sun=0)
│ │ │ │ │
* * * * *

# Examples
0 6 * * *    # Daily at 6:00 AM
0 */6 * * *  # Every 6 hours
0 6 1 * *    # First day of month at 6:00 AM

Systemd Timers (recommended over cron)

  • More reliable with Persistent=true (runs missed jobs)
  • Better logging via journalctl
  • Dependency management with other services

Common Issues & Solutions

Issue Solution
Build timeout Add timeout-minutes: 60
ML build fails Add disk cleanup step
Docker rate limits Use authenticated pulls
Workflow not triggering Check on: triggers and branch rules

Didn't find tool you were looking for?

Be as detailed as possible for better results