github-actions-1-security-best-practices
Sub-skill of github-actions: 1. Security Best Practices (+3).
Best use case
github-actions-1-security-best-practices is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Sub-skill of github-actions: 1. Security Best Practices (+3).
Teams using github-actions-1-security-best-practices should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/1-security-best-practices/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How github-actions-1-security-best-practices Compares
| Feature / Agent | github-actions-1-security-best-practices | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Sub-skill of github-actions: 1. Security Best Practices (+3).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 1. Security Best Practices (+3)
## 1. Security Best Practices
```yaml
# Always pin action versions with SHA
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Use minimum required permissions
permissions:
contents: read
packages: write
# Never hardcode secrets
env:
API_KEY: ${{ secrets.API_KEY }} # Good
# API_KEY: "sk-1234567890" # Never do this
# Use OIDC for cloud provider authentication
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
```
## 2. Performance Optimization
```yaml
# Use caching aggressively
- uses: actions/cache@v4
with:
path: ~/.cache/pip
key: pip-${{ hashFiles('requirements.txt') }}
# Use matrix fail-fast wisely
strategy:
fail-fast: false # Continue other jobs on failure
# Limit concurrent runs
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
```
## 3. Maintainability
```yaml
# Use reusable workflows
jobs:
test:
uses: ./.github/workflows/reusable-test.yml
# Extract common steps into composite actions
- uses: ./.github/actions/setup-project
# Use environment variables for configuration
env:
PYTHON_VERSION: '3.11'
NODE_VERSION: '20'
```
## 4. Error Handling
```yaml
# Use continue-on-error for non-critical steps
- name: Optional step
continue-on-error: true
run: optional-command
# Add timeout to prevent stuck jobs
jobs:
build:
timeout-minutes: 30
# Always clean up resources
- name: Cleanup
if: always()
run: cleanup-command
```Related Skills
tax-filing-session-setup-with-github-tracking
Structured workflow for preparing and tracking a tax filing session using prepared documents, task checklist, and GitHub issue cross-referencing
tax-filing-session-setup-with-github-traceability
Structured workflow for setting up a multi-file tax filing session with GitHub issue tracking and prepared-file validation
github-issue-structure-for-personal-finance-tracking
Pattern for organizing financial analysis work across multiple repos (data/config vs. logic separation)
skill-dedup-collision-reconciliation-with-content-security-scan
Reconcile duplicate/colliding workspace-hub skills without losing useful content, while avoiding pre-commit skill-content security scan regressions.
github-actions-trigger-and-shell-gotchas
Prevent false verification gaps in GitHub Actions by checking push path filters, shell compatibility, and shared CI environment failures before concluding a workflow fix worked or failed.
github-actions-cross-platform-validation-gotchas
Execution-time GitHub Actions pitfalls discovered while fixing cross-platform CI workflows — path-filter non-triggers, Windows shell parsing mismatches, and job-scoped validation.
github-visual-planning-issues
Create review-friendly GitHub planning issues that supersede stale/seasonal issues and include source-backed image thumbnails for faster human review.
github-roadmap-anchor-reuse
Reuse and reopen existing roadmap/epic GitHub issues instead of fragmenting work across duplicate replacement epics; retarget children and link active issues for continuity.
github-repo-management
Clone, create, fork, configure, and manage GitHub repositories. Manage remotes, secrets, releases, and workflows. Works with gh CLI or falls back to git + GitHub REST API via curl.
github-pr-workflow
Full pull request lifecycle — create branches, commit changes, open PRs, monitor CI status, auto-fix failures, and merge. Works with gh CLI or falls back to git + GitHub REST API via curl.
github-issues
Create, manage, triage, and close GitHub issues. Search existing issues, add labels, assign people, and link to PRs. Works with gh CLI or falls back to git + GitHub REST API via curl.
github-issue-lifecycle-operations
Class-level GitHub issue lifecycle operations: issue creation, planning/execution routing, labels, evidence fields, roadmap anchors, closeout races, and visual planning.