gh-actions
Use when creating GitHub Actions workflows, release automation, checksums, signing, or CI/CD.
适合你,如果需要在 GitHub 上设置自动化构建、测试和部署流程
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add boshu2/agentops/gh-actionscurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- boshu2/agentops/gh-actionsnpx oh-my-skill verify boshu2/agentops/gh-actions怎么用
技能原文 SKILL.md
Optimal GitHub Actions
Production-tested patterns + 2025-2026 best practices.
Quick Start: Which Workflow?
| Need | Template | Reference | |------|----------|-----------| | CI on push/PR | ci.yml | [CI-CORE](references/CI-CORE.md) | | Release on tag | release.yml | [RELEASE-BUILD](references/RELEASE-BUILD.md) | | Nightly fuzz/bench | fuzz.yml | [TESTING](references/TESTING.md) | | Dependency updates | dependabot.yml | [DEPENDABOT](references/DEPENDABOT.md) |
Core Patterns (Every Workflow)
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true # false for releases
permissions:
contents: read # Minimal by default
jobs:
build:
timeout-minutes: 30 # Never use default 6h
Language Quick Reference
| Language | Setup | Template | |----------|-------|----------| | Rust | dtolnay/rust-toolchain@stable | [TEMPLATE-RUST](references/TEMPLATE-RUST.md) | | Go | actions/setup-go@v6 | [TEMPLATE-GO](references/TEMPLATE-GO.md) | | TypeScript | oven-sh/setup-bun@v2 | [TEMPLATE-TS](references/TEMPLATE-TS.md) | | Bash | — | [TEMPLATE-BASH](references/TEMPLATE-BASH.md) | | Python | astral-sh/setup-uv@v7 | [TEMPLATE-PYTHON](references/TEMPLATE-PYTHON.md) |
Cross-Platform Matrix (Native ARM 2025+)
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest # Linux x64
target: x86_64-unknown-linux-gnu
- os: ubuntu-24.04-arm # Linux ARM (native!)
target: aarch64-unknown-linux-gnu
- os: macos-14 # Apple Silicon (native!)
target: aarch64-apple-darwin
- os: macos-15-intel # macOS x64
target: x86_64-apple-darwin
- os: windows-latest # Windows x64
target: x86_64-pc-windows-msvc
Key insight: Native ARM runners are 10x faster than QEMU emulation.
Release Checklist
- [ ] Cross-platform build matrix
- [ ] Generate checksums (
sha256sum) - [ ] Sign artifacts (minisign/cosign)
- [ ] Create GitHub Release (
softprops/action-gh-release@v2) - [ ] Notify package managers (Homebrew/Scoop)
- [ ] Generate SBOM (syft)
- [ ] Attach SLSA provenance
Patterns: [RELEASE-BUILD](references/RELEASE-BUILD.md) | [RELEASE-EXTRAS](references/RELEASE-EXTRAS.md) | [SECURITY-SIGNING](references/SECURITY-SIGNING.md)
Caching
| Language | Action | Notes | |----------|--------|-------| | Rust | Swatinem/rust-cache@v2 | Auto-caches cargo + target | | Go | actions/setup-go@v6 | Built-in, enabled by default | | Node/Bun | actions/cache@v4 | Cache node_modules |
Include arch in cache key for cross-platform:
key: ${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('Cargo.lock') }}
Security (2025 Best Practices)
| Practice | Example | |----------|---------| | Pin to SHA | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | | OIDC auth | permissions: { id-token: write } + cloud provider action | | Keyless signing | sigstore/cosign-installer@v3 | | SLSA Level 3 | actions/attest-build-provenance@v2 |
Full patterns: [SECURITY-CORE](references/SECURITY-CORE.md) | [SECURITY-SIGNING](references/SECURITY-SIGNING.md)
Anti-Patterns
| Don't | Do Instead | |-------|------------| | @main for third-party actions | Pin to SHA | | Default 6h timeout | Set explicit timeout-minutes | | QEMU for ARM builds | Native ARM runners | | Store secrets in workflow | Use secrets.* | | Skip concurrency controls | Use concurrency: group |
Reference Index
By Topic
| Topic | Reference | |-------|-----------| | CI essentials (triggers, jobs, env) | [CI-CORE](references/CI-CORE.md) | | CI advanced (matrix, caching, artifacts) | [CI-ADVANCED](references/CI-ADVANCED.md) | | Release build workflows | [RELEASE-BUILD](references/RELEASE-BUILD.md) | | Signing, versioning, install scripts | [RELEASE-EXTRAS](references/RELEASE-EXTRAS.md) | | GoReleaser config | [GORELEASER](references/GORELEASER.md) | | Security fundamentals | [SECURITY-CORE](references/SECURITY-CORE.md) | | Signing and provenance | [SECURITY-SIGNING](references/SECURITY-SIGNING.md) | | Coverage collection | [COVERAGE](references/COVERAGE.md) | | Fuzzing, benchmarks, analysis | [TESTING](references/TESTING.md) | | Dependabot configuration | [DEPENDABOT](references/DEPENDABOT.md) | | Playwright browser tests | [BROWSER-TESTS](references/BROWSER-TESTS.md) | | Docker/OCI with signing | [OCI-PATTERNS](references/OCI-PATTERNS.md) | | Python wheels (maturin) | [PYTHON-WHEELS](references/PYTHON-WHEELS.md) | | Database service containers | [SERVICES](references/SERVICES.md) | | ACFS checksum notifications | [ACFS-PATTERNS](references/ACFS-PATTERNS.md) |
By Language
| Language | Template | |----------|----------| | Rust | [TEMPLATE-RUST](references/TEMPLATE-RUST.md) | | Go | [TEMPLATE-GO](references/TEMPLATE-GO.md) | | TypeScript/Bun | [TEMPLATE-TS](references/TEMPLATE-TS.md) | | Bash | [TEMPLATE-BASH](references/TEMPLATE-BASH.md) | | Python/uv | [TEMPLATE-PYTHON](references/TEMPLATE-PYTHON.md) |
Validation
actionlint .github/workflows/*.yml gh workflow list && gh run list --workflow=ci.yml