mirror of
https://github.com/github/awesome-copilot.git
synced 2026-06-19 14:07:41 +00:00
chore: publish from staged
This commit is contained in:
github-actions[bot]
@@ -188,6 +188,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
|
||||
| [git-flow-branch-creator](../skills/git-flow-branch-creator/SKILL.md)<br />`gh skills install github/awesome-copilot git-flow-branch-creator` | Intelligent Git Flow branch creator that analyzes git status/diff and creates appropriate branches following the nvie Git Flow branching model. | None |
|
||||
| [github-actions-efficiency](../skills/github-actions-efficiency/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-efficiency` | Audit GitHub Actions workflow efficiency and recommend fixes to reduce CI minutes and costs. | `references/actions.md`<br />`references/patterns.md`<br />`references/reporting.md`<br />`references/review-rubric.md` |
|
||||
| [github-actions-hardening](../skills/github-actions-hardening/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-hardening` | Security hardening reviewer for GitHub Actions workflow files (.github/workflows/*.yml). Reasons about the Actions threat model that pattern matchers and general code linters miss — untrusted-input script injection, privileged triggers running fork code, mutable action references, and over-scoped tokens. Use this skill when asked to review, audit, harden, or secure a GitHub Actions workflow, when writing a new workflow, or for any request like "is this workflow safe?", "review my CI for security issues", "why is pull_request_target dangerous here?", "pin my actions", or "lock down GITHUB_TOKEN permissions". Covers script injection via ${{ }} interpolation, pull_request_target / workflow_run privilege escalation, SHA-pinning of third-party actions, least-privilege permissions, GITHUB_ENV/GITHUB_OUTPUT injection, secret exposure, OIDC over long-lived credentials, and self-hosted runner exposure on public repositories. | `references/injection.md`<br />`references/permissions-and-tokens.md`<br />`references/report-format.md`<br />`references/supply-chain.md`<br />`references/triggers-and-privilege.md` |
|
||||
| [github-actions-runtime-upgrade-conventions](../skills/github-actions-runtime-upgrade-conventions/SKILL.md)<br />`gh skills install github/awesome-copilot github-actions-runtime-upgrade-conventions` | Upgrade GitHub Actions to supported runtimes by selecting safe action versions, preserving workflow behavior, and validating post-upgrade execution. | None |
|
||||
| [github-codespaces-efficiency](../skills/github-codespaces-efficiency/SKILL.md)<br />`gh skills install github/awesome-copilot github-codespaces-efficiency` | Audit and improve GitHub Codespaces efficiency. Use this skill when a user wants faster Codespaces startup, lower Codespaces spend, slim devcontainers, right-size machines, tune idle timeout, or scope prebuilds to branches with sustained usage. | `references/codespaces.md`<br />`references/review-rubric.md` |
|
||||
| [github-copilot-starter](../skills/github-copilot-starter/SKILL.md)<br />`gh skills install github/awesome-copilot github-copilot-starter` | Set up complete GitHub Copilot configuration for a new project based on technology stack | None |
|
||||
| [github-issues](../skills/github-issues/SKILL.md)<br />`gh skills install github/awesome-copilot github-issues` | Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, set issue fields (dates, priority, custom fields), set issue types, manage issue workflows, link issues, add dependencies, or track blocked-by/blocking relationships. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", "set the priority", "set the start date", "link issues", "add dependency", "blocked by", "blocking", or any GitHub issue management task. | `references/dependencies.md`<br />`references/images.md`<br />`references/issue-fields.md`<br />`references/issue-types.md`<br />`references/projects.md`<br />`references/search.md`<br />`references/sub-issues.md`<br />`references/templates.md` |
|
||||
|
||||
@@ -0,0 +1,65 @@
|
||||
---
|
||||
name: github-actions-runtime-upgrade-conventions
|
||||
description: 'Upgrade GitHub Actions to supported runtimes by selecting safe action versions, preserving workflow behavior, and validating post-upgrade execution.'
|
||||
---
|
||||
|
||||
# GitHub Actions Runtime Upgrade Conventions
|
||||
|
||||
Use this skill when editing GitHub Actions workflows to address deprecation warnings about action runtimes (for example Node.js runtime migrations).
|
||||
|
||||
## Use This Skill When
|
||||
|
||||
- Workflow logs report an action is running on a deprecated runtime.
|
||||
- You are upgrading action versions in `.github/workflows/*.yml` or `.github/workflows/*.yaml`.
|
||||
- You need to keep existing workflow behavior while modernizing action dependencies.
|
||||
|
||||
## Upgrade Rules
|
||||
|
||||
- Prefer upgrading to the latest stable **major** version of each action that is compatible with the workflow.
|
||||
- Prefer immutable pins: resolve the target release to a full commit SHA and use that SHA in `uses:`.
|
||||
- Do not pin to mutable tags or branches (for example `@v4` or `@main`) in final recommendations.
|
||||
- Upgrade one action at a time per commit (or one tightly related group) so failures are easy to isolate.
|
||||
- Keep existing workflow behavior unchanged while upgrading runtime/dependency actions.
|
||||
|
||||
## Actions We Track in This Repo
|
||||
|
||||
Prioritize runtime review for these groups when warnings appear:
|
||||
|
||||
- Any first-party action under `actions/*`
|
||||
- Especially setup actions under `actions/setup-*` (for example `setup-node`, `setup-python`, `setup-dotnet`)
|
||||
- Any other action explicitly named by the runtime deprecation warning in workflow logs
|
||||
|
||||
## Pinning Pattern
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.3.1
|
||||
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.4
|
||||
```
|
||||
|
||||
When recommending upgrades, identify the latest compatible release first, then use the corresponding commit SHA with an optional version comment.
|
||||
|
||||
## Verification Checklist
|
||||
|
||||
After changing action versions:
|
||||
|
||||
1. Ensure all edited workflows still parse and keep the same triggers/permissions unless intentionally changed.
|
||||
2. Run the affected workflows (or equivalent local build/test commands) and confirm the upgraded steps complete successfully.
|
||||
3. Confirm release/signing/artifact steps still produce expected outputs where applicable.
|
||||
4. Check workflow run logs for any new deprecation warnings or runtime migration notes.
|
||||
|
||||
## PR Notes
|
||||
|
||||
Include in the PR summary:
|
||||
|
||||
- Which actions were upgraded (from -> to).
|
||||
- Whether any action could not move to a new major and why.
|
||||
- Which workflows were re-run to validate the change.
|
||||
|
||||
## How This Complements Dependabot
|
||||
|
||||
Dependabot can automate many updates, but this skill still helps when:
|
||||
|
||||
- Dependabot is not enabled for workflows in a repository.
|
||||
- Runtime warnings appear before an automated update is available.
|
||||
- A workflow needs behavior-preserving validation after the action bump.
|
||||
Reference in New Issue
Block a user