
    Github Actions Architect

    by Tommi Sullivan

    Generate secure, SHA-pinned, and cost-optimized GitHub Actions workflows with OIDC and least-privilege defaults.

    Updated Jul 2026 · Security scanned · Cursor

    $12 · or 60 credits


    Media gallery

    See it in action

    You say

    Set up a CI pipeline for my Node.js app that deploys to AWS when I push to main.

    Your agent does

    I've generated ci.yml and deploy.yml. They use SHA-pinned actions, OIDC for AWS auth (no secrets stored), and job-level permissions set to 'contents: read'. Dependencies are cached via actions/setup-node and deployments are gated by a 'production' environment.

    About This Skill

    The problem

    Standard CI/CD templates often use broad write permissions and unpinned third-party actions, creating significant supply chain vulnerabilities. Most pipelines also waste money and time by rebuilding dependencies from scratch on every commit.

    What it does

    • Generates hardened YAML workflows using explicit least-privilege permissions and SHA-pinned actions.
    • Implements intelligent caching and concurrency controls to reduce runner minutes and build times.
    • Configures secure cloud authentication using OIDC instead of long-lived, high-risk secrets.
    • Automates environment-specific deployments with gated approvals and path-based triggers for monorepos.

    Frameworks & tools

    GitHub Actions, OIDC (AWS, GCP, Azure), actionlint, YAML, and ecosystem-specific caching (Node.js, Python, Go, Rust).

    Why this beats prompting it yourself

    General LLMs often overlook critical security practices like SHA-pinning or the risks of pull_request_target. This skill enforces a hard requirement for security defaults and cost-saving job topology that standard prompts miss.
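    To make the defaults listed above concrete (full-SHA pins, an explicit least-privilege permissions block, id-token: write for OIDC, a gated environment, setup-node caching, a concurrency group, path filters) and the pull_request_target risk this paragraph mentions, here is an added example that is not part of the listing or of the skill itself: a small line-based Python checker, run over two constructed workflows, one written the way "standard templates" tend to look and one hardened. The all-zero commit SHAs, the IAM role ARN, the branch and path filters are placeholders, and the check names are my own, not actionlint's.

```python
"""Lint a GitHub Actions workflow for the defaults this page describes:
SHA-pinned actions, an explicit least-privilege permissions block, safe use of
pull_request_target, and a concurrency group to stop superseded runs.
Line-based on purpose: it needs no YAML library and works on the raw file,
which is also what a pre-commit hook or CI gate sees. (Added example.)"""
import re
from typing import List

# `uses: owner/repo[/path]@ref`, optionally as a list item; comments are stripped first.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")
PRT_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head")
CONCURRENCY_RE = re.compile(r"^\s*concurrency:")


def check_workflow(text: str) -> List[str]:
    """Return findings for one workflow file; an empty list means it passes."""
    findings: List[str] = []
    saw_permissions = saw_concurrency = uses_prt = False

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop the trailing comment (e.g. the version tag after a SHA pin)

        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local and container actions are outside this check
            name, _, version = ref.partition("@")
            if not SHA40_RE.fullmatch(version):
                findings.append(f"L{n}: {name}@{version or '<none>'} is a mutable ref; "
                                "pin to a full 40-hex commit SHA")
            continue

        m = PERM_RE.match(line)
        if m:
            saw_permissions = True
            if m.group(1) == "write-all":
                findings.append(f"L{n}: permissions: write-all grants every scope; "
                                "list only the scopes the job needs")
            continue

        if CONCURRENCY_RE.match(line):
            saw_concurrency = True
        if PRT_RE.search(line):
            uses_prt = True
        if uses_prt and PR_HEAD_RE.search(line):
            findings.append(f"L{n}: pull_request_target run checks out the PR head; untrusted "
                            "code would execute with the base repo's token and secrets")

    if not saw_permissions:
        findings.append("no permissions: block; GITHUB_TOKEN falls back to the repository "
                        "default instead of an explicit least-privilege set")
    if not saw_concurrency:
        findings.append("no concurrency: group; superseded runs on the same ref keep "
                        "consuming runner minutes")
    return findings


# Constructed sample: the shape a generic template often has.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@main
      - run: npm ci && npm test
"""

# Constructed sample of the hardened deploy workflow the listing describes.
# The all-zero SHAs and the role ARN are placeholders, not real values.
HARDENED_WORKFLOW = """\
name: deploy
on:
  push:
    branches: [main]
    paths: ["src/**", "package*.json", ".github/workflows/deploy.yml"]
permissions:
  contents: read
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # gated by the environment's required reviewers
    permissions:
      contents: read
      id-token: write         # only what the OIDC token exchange needs
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # PLACEHOLDER SHA, tag vX.Y.Z
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # PLACEHOLDER SHA, tag vX.Y.Z
        with:
          node-version: 20
          cache: npm
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000  # PLACEHOLDER SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy   # placeholder role
          aws-region: us-east-1
      - run: npm ci && npm run deploy
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {check_workflow(wf) or ['ok']}")
```

    Because the checker ignores everything after a `#`, the convention of pinning to a SHA and recording the human-readable tag in a trailing comment costs nothing; the trade-off of line-based matching is that a `uses:` key split across lines or written inside a flow mapping is not seen, which is why a real gate would pair this with actionlint.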

    Use cases

    • Setting up a secure PR validation pipeline with parallel testing and linting.
    • Automating package releases to npm or PyPI with provenance and granular permissions.
    • Deploying to cloud providers using Workload Identity Federation instead of static keys.
    • Managing complex monorepo builds that only trigger jobs for modified packages.

    Known limitations

    Does not support self-hosted runner configuration or Enterprise Server-specific features like Runner Groups unless specified.

    Use Cases

    • Enforce least-privilege GITHUB_TOKEN permissions across all workflow jobs.
    • Reduce CI costs by implementing concurrency groups and path-based filtering.
    • Secure cloud deployments using OIDC to eliminate long-lived access keys.
    • Prevent supply chain attacks by pinning third-party actions to immutable SHAs.

    How to install

    Drop the file into your AI tool. Works with Claude, Cursor, ChatGPT, and 20+ more.


    Security Scanned

    Passed automated security review

    Permissions

    No special permissions declared or detected

    Compatible with SKILL.md-compatible agents including Claude Code, Cursor, and Aider.

