omgkit 2.2.0 → 2.3.0

package/plugin/skills/devops/github-actions/SKILL.md

@@ -1,36 +1,11 @@
 ---
-name: github-actions
-description: GitHub Actions CI/CD with workflows, reusable actions, matrix builds, and deployment automation
-category: devops
-triggers:
-  - github actions
-  - github workflow
-  - ci cd
-  - github ci
-  - actions
-  - workflow
-  - github pipeline
+name: Automating with GitHub Actions
+description: The agent implements GitHub Actions CI/CD workflows with builds, tests, and deployments. Use when setting up continuous integration, automating deployments, creating reusable actions, or implementing security scanning.
 ---
 
-# GitHub Actions
+# Automating with GitHub Actions
 
-Enterprise-grade **GitHub Actions CI/CD** following industry best practices. This skill covers workflow configuration, reusable actions, matrix builds, deployment strategies, secrets management, and production-ready automation patterns used by top engineering teams.
-
-## Purpose
-
-Build robust CI/CD pipelines with GitHub Actions:
-
-- Configure comprehensive CI workflows
-- Create reusable composite actions
-- Implement matrix builds for multiple environments
-- Deploy to various platforms
-- Manage secrets and environments
-- Optimize workflow performance
-- Implement security scanning
-
-## Features
-
-### 1. Complete CI Workflow
+## Quick Start
 
 ```yaml
 # .github/workflows/ci.yml
@@ -38,681 +13,103 @@ name: CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main]
   pull_request:
-    branches: [main, develop]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  NODE_VERSION: '20'
-  PNPM_VERSION: '8'
+    branches: [main]
 
 jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: ${{ env.PNPM_VERSION }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'pnpm'
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Run ESLint
-        run: pnpm lint
-
-      - name: Run Prettier
-        run: pnpm format:check
-
-      - name: TypeScript type check
-        run: pnpm type-check
-
-  test:
-    name: Test
-    runs-on: ubuntu-latest
-    needs: lint
-    services:
-      postgres:
-        image: postgres:15
-        env:
-          POSTGRES_USER: test
-          POSTGRES_PASSWORD: test
-          POSTGRES_DB: testdb
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-      redis:
-        image: redis:7
-        ports:
-          - 6379:6379
-        options: >-
-          --health-cmd "redis-cli ping"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: ${{ env.PNPM_VERSION }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'pnpm'
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Run database migrations
-        run: pnpm db:migrate
-        env:
-          DATABASE_URL: postgresql://test:test@localhost:5432/testdb
-
-      - name: Run tests
-        run: pnpm test:coverage
-        env:
-          DATABASE_URL: postgresql://test:test@localhost:5432/testdb
-          REDIS_URL: redis://localhost:6379
-
-      - name: Upload coverage
-        uses: codecov/codecov-action@v3
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./coverage/lcov.info
-          fail_ci_if_error: true
-
   build:
-    name: Build
     runs-on: ubuntu-latest
-    needs: test
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          version: ${{ env.PNPM_VERSION }}
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - run: npm test
+      - run: npm run build
+```
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'pnpm'
+## Features
 
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+| Feature | Description | Guide |
+|---------|-------------|-------|
+| Workflows | Event-driven automation pipelines | Trigger on push, PR, schedule, or manual dispatch |
+| Jobs | Parallel or sequential task execution | Use `needs` for dependencies, matrix for variations |
+| Actions | Reusable workflow components | Use marketplace actions or create custom composite |
+| Environments | Deployment targets with protection | Configure approvals, secrets, and URLs |
+| Artifacts | Build output persistence | Upload/download between jobs, retention policies |
+| Caching | Dependency caching for speed | Cache npm, pip, gradle directories |
 
-      - name: Build application
-        run: pnpm build
+## Common Patterns
 
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: build
-          path: dist/
-          retention-days: 7
-```
-
-### 2. Matrix Build Strategy
+### Matrix Build
 
 ```yaml
-# .github/workflows/matrix.yml
-name: Matrix Build
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-
 jobs:
   test:
-    name: Test (${{ matrix.os }}, Node ${{ matrix.node }})
     runs-on: ${{ matrix.os }}
     strategy:
-      fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [ubuntu-latest, macos-latest]
         node: [18, 20, 22]
-        exclude:
-          - os: windows-latest
-            node: 18
-        include:
-          - os: ubuntu-latest
-            node: 20
-            coverage: true
-
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js ${{ matrix.node }}
-        uses: actions/setup-node@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm test
-
-      - name: Run coverage
-        if: matrix.coverage
-        run: npm run test:coverage
-
-  e2e:
-    name: E2E Tests
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        browser: [chromium, firefox, webkit]
-        shard: [1, 2, 3]
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Install Playwright
-        run: npx playwright install --with-deps ${{ matrix.browser }}
-
-      - name: Run E2E tests
-        run: npx playwright test --project=${{ matrix.browser }} --shard=${{ matrix.shard }}/3
-
-      - name: Upload test results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: playwright-report-${{ matrix.browser }}-${{ matrix.shard }}
-          path: playwright-report/
+      - run: npm ci && npm test
 ```
 
-### 3. Deployment Workflow
+### Deployment with Environments
 
 ```yaml
-# .github/workflows/deploy.yml
-name: Deploy
-
-on:
-  push:
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      environment:
-        description: 'Deployment environment'
-        required: true
-        type: choice
-        options:
-          - staging
-          - production
-
 jobs:
-  build:
-    name: Build
+  deploy:
     runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build
-        run: npm run build
-
-      - name: Get version
-        id: version
-        run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
-
-      - name: Upload build
-        uses: actions/upload-artifact@v4
-        with:
-          name: build-${{ steps.version.outputs.version }}
-          path: dist/
-
-  deploy-staging:
-    name: Deploy to Staging
-    needs: build
-    runs-on: ubuntu-latest
-    environment:
-      name: staging
-      url: https://staging.example.com
-
-    steps:
-      - name: Download build
-        uses: actions/download-artifact@v4
-        with:
-          name: build-${{ needs.build.outputs.version }}
-          path: dist/
-
-      - name: Deploy to staging
-        run: |
-          echo "Deploying version ${{ needs.build.outputs.version }} to staging"
-          # Add deployment commands here
-
-      - name: Run smoke tests
-        run: |
-          curl -f https://staging.example.com/health || exit 1
-
-  deploy-production:
-    name: Deploy to Production
-    needs: [build, deploy-staging]
-    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'production'
     environment:
       name: production
       url: https://example.com
-
     steps:
-      - name: Download build
-        uses: actions/download-artifact@v4
-        with:
-          name: build-${{ needs.build.outputs.version }}
-          path: dist/
-
-      - name: Deploy to production
-        run: |
-          echo "Deploying version ${{ needs.build.outputs.version }} to production"
-          # Add deployment commands here
-
-      - name: Notify deployment
-        uses: slackapi/slack-github-action@v1
-        with:
-          payload: |
-            {
-              "text": "Deployed v${{ needs.build.outputs.version }} to production"
-            }
+      - uses: actions/checkout@v4
+      - run: npm ci && npm run build
+      - name: Deploy
+        run: ./deploy.sh
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
-```
-
-### 4. Reusable Composite Action
-
-```yaml
-# .github/actions/setup-node-env/action.yml
-name: 'Setup Node Environment'
-description: 'Setup Node.js with caching and dependencies'
-
-inputs:
-  node-version:
-    description: 'Node.js version'
-    required: false
-    default: '20'
-  package-manager:
-    description: 'Package manager (npm, pnpm, yarn)'
-    required: false
-    default: 'npm'
-  install-deps:
-    description: 'Install dependencies'
-    required: false
-    default: 'true'
-
-outputs:
-  cache-hit:
-    description: 'Whether cache was hit'
-    value: ${{ steps.cache.outputs.cache-hit }}
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Setup pnpm
-      if: inputs.package-manager == 'pnpm'
-      uses: pnpm/action-setup@v2
-      with:
-        version: 8
-
-    - name: Setup Node.js
-      uses: actions/setup-node@v4
-      with:
-        node-version: ${{ inputs.node-version }}
-        cache: ${{ inputs.package-manager }}
-
-    - name: Get cache directory
-      id: cache-dir
-      shell: bash
-      run: |
-        if [ "${{ inputs.package-manager }}" = "npm" ]; then
-          echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
-        elif [ "${{ inputs.package-manager }}" = "pnpm" ]; then
-          echo "dir=$(pnpm store path)" >> $GITHUB_OUTPUT
-        else
-          echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Cache dependencies
-      id: cache
-      uses: actions/cache@v4
-      with:
-        path: ${{ steps.cache-dir.outputs.dir }}
-        key: ${{ runner.os }}-${{ inputs.package-manager }}-${{ hashFiles('**/package-lock.json', '**/pnpm-lock.yaml', '**/yarn.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-${{ inputs.package-manager }}-
-
-    - name: Install dependencies
-      if: inputs.install-deps == 'true'
-      shell: bash
-      run: |
-        if [ "${{ inputs.package-manager }}" = "npm" ]; then
-          npm ci
-        elif [ "${{ inputs.package-manager }}" = "pnpm" ]; then
-          pnpm install --frozen-lockfile
-        else
-          yarn install --frozen-lockfile
-        fi
+          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
 ```
 
-### 5. Docker Build and Push
+### Docker Build and Push
 
 ```yaml
-# .github/workflows/docker.yml
-name: Docker Build
-
-on:
-  push:
-    branches: [main]
-    tags: ['v*']
-  pull_request:
-    branches: [main]
-
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
 jobs:
-  build:
-    name: Build and Push
+  docker:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to Container Registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha
-
-      - name: Build and push
-        uses: docker/build-push-action@v5
+      - uses: docker/build-push-action@v5
         with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          push: true
+          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 ```
 
-### 6. Security Scanning
-
-```yaml
-# .github/workflows/security.yml
-name: Security
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-  schedule:
-    - cron: '0 0 * * 0' # Weekly
-
-jobs:
-  codeql:
-    name: CodeQL Analysis
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: javascript, typescript
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-
-  dependency-review:
-    name: Dependency Review
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Dependency Review
-        uses: actions/dependency-review-action@v3
-        with:
-          fail-on-severity: high
-
-  secrets-scan:
-    name: Secret Scanning
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: TruffleHog Scan
-        uses: trufflesecurity/trufflehog@main
-        with:
-          extra_args: --only-verified
-
-  container-scan:
-    name: Container Scanning
-    runs-on: ubuntu-latest
-    needs: build
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Build image
-        run: docker build -t app:scan .
-
-      - name: Run Trivy scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'app:scan'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload scan results
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
-```
-
-## Use Cases
-
-### Release Workflow
-
-```yaml
-# .github/workflows/release.yml
-name: Release
-
-on:
-  push:
-    tags: ['v*']
-
-jobs:
-  release:
-    name: Create Release
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate changelog
-        id: changelog
-        uses: orhun/git-cliff-action@v2
-        with:
-          args: --latest
-
-      - name: Create Release
-        uses: softprops/action-gh-release@v1
-        with:
-          body: ${{ steps.changelog.outputs.content }}
-          draft: false
-          prerelease: ${{ contains(github.ref, '-') }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-```
-
-### Scheduled Jobs
-
-```yaml
-# .github/workflows/scheduled.yml
-name: Scheduled Tasks
-
-on:
-  schedule:
-    - cron: '0 0 * * *' # Daily at midnight
-
-jobs:
-  cleanup:
-    name: Cleanup Old Artifacts
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Delete old artifacts
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const days = 30;
-            const cutoff = Date.now() - days * 24 * 60 * 60 * 1000;
-
-            const artifacts = await github.rest.actions.listArtifactsForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-            });
-
-            for (const artifact of artifacts.data.artifacts) {
-              if (new Date(artifact.created_at).getTime() < cutoff) {
-                await github.rest.actions.deleteArtifact({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  artifact_id: artifact.id,
-                });
-              }
-            }
-```
-
 ## Best Practices
 
-### Do's
-
-- Use concurrency groups to cancel redundant runs
-- Cache dependencies for faster builds
-- Use matrix strategies for cross-platform testing
-- Implement proper secret management
-- Use environment protection rules
-- Add status badges to README
-- Use reusable workflows and composite actions
-- Implement security scanning
-- Set timeouts on jobs
-- Use artifact retention policies
-
-### Don'ts
-
-- Don't hardcode secrets in workflows
-- Don't skip concurrency controls
-- Don't ignore failing security scans
-- Don't use deprecated action versions
-- Don't skip caching for dependencies
-- Don't run unnecessary jobs on PRs
-- Don't ignore workflow permissions
-- Don't skip environment approvals for production
-- Don't use self-hosted runners without security review
-- Don't ignore workflow run costs
-
-## References
-
-- [GitHub Actions Documentation](https://docs.github.com/en/actions)
-- [Workflow Syntax](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions)
-- [GitHub Actions Marketplace](https://github.com/marketplace?type=actions)
-- [Security Hardening](https://docs.github.com/en/actions/security-guides)
-- [Reusable Workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows)
+| Do | Avoid |
+|----|-------|
+| Use concurrency groups to cancel stale runs | Hardcoding secrets in workflows |
+| Cache dependencies for faster builds | Skipping security scanning |
+| Use matrix strategies for cross-platform | Using deprecated action versions |
+| Implement environment protection rules | Running unnecessary jobs on PRs |
+| Set timeouts on long-running jobs | Ignoring workflow permissions |
+| Use reusable workflows for common patterns | Self-hosted runners without security review |
+| Upload test artifacts on failure | Skipping concurrency controls |