GitHub Actions -- CI/CD Integration Expert

---

name: github-actions description: > Build custom workflows, reusable actions, OIDC auth, runner configs, and monorepo CI with GitHub Actions. USE WHEN: User needs CI/CD workflows, reusable actions, secret management, runner configuration, or monorepo build optimization with GitHub Actions. DON'T USE WHEN: User needs deployment platform configuration. Use Vercel skill for Vercel-specific deploys. Use Forge for general infrastructure provisioning. OUTPUTS: Workflow YAML files, composite actions, runner configs, caching strategies, matrix builds, OIDC federation setups, monorepo CI architectures. version: 1.1.0 author: SpookyJuice tags: [github-actions, ci-cd, workflows, automation, runners] price: 14 author_url: "https://www.shopclawmart.com" support: "brian@gorzelic.net" license: proprietary osps_version: "0.1" content_hash: "sha256:3325bc82039f7882c592280f615f42f322dfc28b075795d588b451dc4751a056"

#‍​‌‌​‌‌‌‌​‌‌‌​​‌‌​‌‌‌​​​​​‌‌‌​​‌‌​​‌‌‌​‌​​​‌‌​​​‌​​‌‌‌​‌​​‌‌‌​​‌‌​‌‌​‌​‌​​​‌​‌‌​‌​​‌‌‌​​​​​‌‌​​​​​​‌‌​‌‌‌​‌‌​​‌‌​​​‌‌‌​​​​‌‌​​​‌‌​​‌‌​​‌‌​‌‌​​​‌‌‍ GitHub Actions

Version: 1.1.0 Price: $14 Type: Skill

Description

Production CI/CD with GitHub Actions — beyond the starter workflow templates. The YAML surface is vast and the error messages are useless, so debugging why your matrix job silently skipped, your reusable workflow can't access secrets, or your monorepo rebuilds everything on every commit takes hours of pipeline archaeology. This skill gives you the workflow architecture patterns, caching strategies, and security configurations that teams spend months discovering through trial and error.

Prerequisites

• GitHub repository (public or private)
• GitHub Actions enabled (default for all repos)
• For OIDC: cloud provider account (AWS/GCP/Azure) with identity federation configured
• For self-hosted runners: compute infrastructure (VM, container, or bare metal)

Setup

1. Copy SKILL.md into your OpenClaw skills directory
2. Ensure .github/workflows/ directory exists in your repository
3. For secrets: configure via GitHub Settings → Secrets and variables → Actions
4. Reload OpenClaw

Commands

• "Create a CI workflow for [project type]"
• "Build a reusable workflow for [shared process]"
• "Set up OIDC auth for [cloud provider] deploys"
• "Configure self-hosted runners for [environment]"
• "Optimize CI for a monorepo with [packages]"
• "Add matrix testing for [OS/runtime/version]"
• "Debug this workflow failure: [error]"

Workflow

Custom Workflow Authoring

1. Trigger configuration — choose triggers precisely: push (branches, tags, paths), pull_request (types: opened, synchronize, reopened), schedule (cron syntax), workflow_dispatch (manual with inputs), repository_dispatch (API-triggered). Combine triggers but understand that pull_request from forks has restricted permissions.
2. Job DAG design — structure jobs as a directed acyclic graph with needs: dependencies. Independent jobs run in parallel automatically. Use if: conditions for conditional execution: if: github.event_name == 'push' or if: needs.test.result == 'success'. Group related steps into jobs by responsibility: lint, test, build, deploy.
3. Matrix strategies — strategy.matrix fans out across combinations: OS (ubuntu-latest, macos-latest, windows-latest), runtime versions (node: [18, 20, 22]), and custom dimensions. Use include to add specific combinations and exclude to remove them. Set fail-fast: false to continue other matrix legs when one fails.
4. Output passing — pass data between steps with $GITHUB_OUTPUT: echo "version=1.2.3" >> $GITHUB_OUTPUT. Pass between jobs using outputs: on the job definition. For complex data, use artifacts (actions/upload-artifact / actions/download-artifact) not outputs.
5. Concurrency control — use concurrency groups to prevent parallel runs: concurrency: { group: deploy-${{ github.ref }}, cancel-in-progress: true }. This cancels superseded deployments. For non-cancelable workflows (releases), omit cancel-in-progress.
6. Timeout and retry — set timeout-minutes per job and per step. Default is 360 minutes (6 hours) — far too long. Set aggressive timeouts: 5-10 min for tests, 15-20 min for builds. Use continue-on-error: true for non-critical steps.

Reusable Workflows and Composite Actions

1. Reusable workflows — extract shared CI logic into .github/workflows/reusable-*.yml with workflow_call trigger. Define typed inputs (inputs:) and secrets (secrets:). Consumers call with uses: org/repo/.github/workflows/reusable-ci.yml@v1. Secrets must be explicitly passed — they are NOT inherited by default (use secrets: inherit to pass all).
2. Composite actions — create action.yml in a directory or separate repo. Composite actions bundle multiple run steps and uses steps into a single invocation. Define inputs, outputs, and runs.steps. Unlike reusable workflows, composite actions run in the calling job's context.
3. Versioning strategy — tag releases with semver: v1.0.0, and maintain a major version tag: v1 that points to the latest v1.x.x. Consumers pin to @v1 for automatic minor/patch updates, @v1.2.3 for exact version, or @main for latest (not recommended for production).
4. Input validation — validate inputs early with conditional steps. Check required inputs aren't empty, enum inputs match allowed values, and version strings match expected patterns. Fail fast with clear error messages rather than letting invalid inputs cascade through the workflow.
5. Testing actions — create a test workflow in the action's repo that exercises all inputs and edge cases. Use act (local runner) for fast iteration. Test against multiple runner OS versions. Pin action dependencies to specific versions in tests.
6. Documentation — every reusable workflow and composite action gets: a description of what it does, input/output reference table, usage example, and version changelog. Put this in the action's README.md.

Monorepo CI Optimization

1. Path filtering — use paths: in trigger to run workflows only when relevant files change. For finer control, use dorny/paths-filter action to detect which packages changed and set output flags for downstream jobs.
2. Dependency graph — map which packages depend on which. When packages/core changes, all consumers (apps/web, apps/api) must rebuild and test. Implement this as a job that outputs a build matrix based on changed packages and their dependents.
3. Caching strategy — layer your caches: package manager cache (actions/cache with package-lock.json hash key), build cache (compiled outputs with content hash), and Docker layer cache (docker/build-push-action with cache-from). Caches have a 10GB per-repo limit — prune aggressively.
4. Selective testing — run only the test suites affected by changes. Use affected tooling from Nx, Turborepo, or custom scripts. Fall back to full test suite on main branch pushes to catch integration issues.
5. Build artifact sharing — use actions/upload-artifact and actions/download-artifact to share build outputs between jobs. For Docker images, push to a registry with a commit SHA tag for downstream jobs to pull. Don't rebuild the same code in multiple jobs.
6. CI minutes optimization — profile your workflows: identify slow steps, parallelize independent work, cache aggressively, and skip unnecessary runs. Use actions/cache/restore (read-only) in PR workflows and actions/cache (read-write) in main branch workflows to maximize cache hits.

Output Format

⚙ GITHUB ACTIONS — [WORKFLOW TYPE]
Project: [Name]
Repository: [owner/repo]
Date: [YYYY-MM-DD]

═══ WORKFLOW CONFIG ═══
[YAML workflow content]

═══ JOB GRAPH ═══
| Job | Depends On | Runner | Timeout | Condition |
|-----|-----------|--------|---------|-----------|
| [job] | [deps] | [runner] | [min] | [if condition] |

═══ MATRIX ═══
| Dimension | Values | Total Combinations |
|-----------|--------|--------------------|
| [dim] | [values] | [N] |

═══ CACHING ═══
| Cache | Key Pattern | Size | Hit Rate |
|-------|-------------|------|----------|
| [cache] | [key] | [MB] | [%] |

═══ SECRETS ═══
| Secret | Scope | Used By | Rotation |
|--------|-------|---------|----------|
| [name] | [repo/org/env] | [jobs] | [schedule] |

Common Pitfalls

• Fork PR permissions — pull_request from forks runs with read-only permissions and no access to secrets. Use pull_request_target carefully (it runs in the base repo context with full permissions — security risk if you check out fork code).
• Secret inheritance in reusable workflows — secrets are NOT passed to reusable workflows by default. You must explicitly pass each secret or use secrets: inherit. Missing secrets fail silently with empty strings.
• Cache key collisions — using only package-lock.json hash as cache key means different branches share caches. Include github.ref in keys when branch-specific caches matter. Caches from main are available to PRs but not vice versa.
• Matrix dimension explosion — 3 OS × 4 Node versions × 2 architectures = 24 jobs. Each takes a runner slot and billing minutes. Use include for specific tested combinations instead of full cartesian product.
• Stale action versions — pinning to @v1 means you get updates automatically, which can break workflows. For critical CI, pin to exact SHA: uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29. Use Dependabot to update action versions.

Guardrails

• Never uses long-lived credentials. Cloud deploys use OIDC federation for keyless authentication. No AWS access keys or GCP service account JSON stored as secrets.
• Secrets are scoped minimally. Secrets use environment-level scoping (not repo-level) for production credentials. Review required before production environment secrets are accessible.
• Fork PRs are sandboxed. Fork pull requests never have write permissions or secret access. Workflows that need elevated permissions use pull_request_target with explicit checkout controls.
• Workflow changes are reviewed. .github/workflows/ modifications require PR review. No direct pushes to workflow files on protected branches.
• CI minutes are tracked. Workflow duration and runner minutes are monitored. Alerts fire when approaching plan limits or when workflow duration regresses significantly.
• Actions are version-pinned. Third-party actions are pinned to commit SHA, not tags. Dependabot manages version updates with automated PR review.
• Workflow files scanned for secrets. All workflow YAML files are checked for hardcoded tokens, API keys, and credentials before commit. Secrets must use ${{ secrets.NAME }} references, never inline values. CI includes a secret-scanning step that blocks PRs with leaked credentials.

Support

Questions or issues with this skill? Contact brian@gorzelic.net Published by SpookyJuice — https://www.shopclawmart.com