github-actions
GitHub Actions Code Review Rules
Security (Critical)
- Pin actions to a full commit SHA (not `@v1` or `@main`); tags and branches are mutable and can be repointed at malicious code after you review them
- Use a minimal `permissions` block (principle of least privilege)
- Never echo secrets or put them in URLs; they end up in job logs and in the remote server's access logs
- Use `secrets.GITHUB_TOKEN` instead of PATs when possible
- Audit third-party actions before use
- Review expressions (`${{ }}`) for injection risks; never interpolate untrusted user input (issue titles, PR bodies, branch names) directly into `run:` scripts; pass it through `env:` and reference it as a shell variable instead
- Validate all inputs to reusable workflows and custom actions
Permissions
```yaml
permissions:
  contents: read   # Minimal by default
  # Add only what's needed:
  # pull-requests: write
  # issues: write
```
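The rules in the Security list and the `permissions` block above, expressed as a small line-based linter. This is an added example written for this page, not tooling from yldgio/codereview-skills or GitHub. It avoids a YAML library so it runs with the standard library only, which means it checks `uses:`, `run:` and `permissions:` lines rather than parsing the full document. The list of untrusted contexts is a deliberately conservative assumption (everything under `github.event.*`, `github.head_ref` and workflow `inputs.*`), and the 40-character `aaaa...` SHA in the hardened sample is a placeholder, not a real commit. Both workflow files are constructed for the demonstration.

```python
"""Review checks for GitHub Actions workflows: SHA pinning, expression
injection in run: steps, and a missing permissions: block.
Added example; not part of the codereview-skills repo."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.*?)\s*$")
EXPR = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
# Assumption (conservative): these contexts are attacker-controllable and must
# never reach a shell through ${{ }} interpolation.
UNTRUSTED = ("github.event.", "github.head_ref", "inputs.")


def indent(line):
    """Column of the first token, treating a list dash as part of the indent."""
    return len(line) - len(line.lstrip(" -"))


def check_uses(lineno, ref):
    """Flag a uses: reference whose version part is not a 40-hex commit SHA."""
    if ref.startswith(("./", "docker://")):
        return None  # local action or container image: pinning rule does not apply
    version = ref.rsplit("@", 1)[1] if "@" in ref else ""
    return None if SHA40.match(version) else (lineno, "unpinned", ref)


def check_run(lineno, script):
    """Flag ${{ }} expressions in a run: script that read untrusted contexts."""
    return [(lineno, "injection", m.group(1))
            for m in EXPR.finditer(script) if m.group(1).startswith(UNTRUSTED)]


def review_workflow(text):
    """Return (line, rule, detail) findings for one workflow file; line 0 = file-level."""
    lines = text.splitlines()
    findings, has_permissions, i = [], False, 0
    while i < len(lines):
        line = lines[i]
        if re.match(r"^\s*permissions:", line):
            has_permissions = True
        m = USES.match(line)
        if m and (f := check_uses(i + 1, m.group(1))):
            findings.append(f)
        m = RUN.match(line)
        if m and m.group(1) in ("|", "|-", ">", ">-"):
            # block scalar: the script is every following line indented deeper than run:
            base, j = indent(line), i + 1
            while j < len(lines) and (not lines[j].strip() or indent(lines[j]) > base):
                findings.extend(check_run(j + 1, lines[j]))
                j += 1
            i = j
            continue
        if m:
            findings.extend(check_run(i + 1, m.group(1)))
        i += 1
    if not has_permissions:
        findings.append((0, "no-permissions", "no permissions: block; defaults may grant write"))
    return findings


# Constructed sample: tag-pinned action, title/body interpolated into shells, no permissions.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          echo "$TITLE"
          echo ${{ github.event.issue.body }}
        env:
          TITLE: ${{ github.event.issue.title }}
      - run: echo "sha ${{ github.sha }}"
"""

# Constructed hardened form: read-only token, SHA pin, untrusted value passed via env.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHA for illustration, not a real actions/checkout commit
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - run: echo "New issue: $TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, review_workflow(wf))
```

Note that `echo "$TITLE"` inside the block scalar is not flagged even though `TITLE` carries the issue title: the value arrives as an environment variable, so the shell never parses it as code. That distinction is the whole point of the "pass it through `env:`" rule. `${{ github.sha }}` is also left alone, since it is not in the untrusted list; extend `UNTRUSTED` rather than the regexes if you want to treat more contexts as hostile.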