Summary
Vigilante should support GitHub Actions workflow changes with a dedicated GitHub Actions-focused implementation skill that teaches coding agents to update CI/CD automation safely and according to GitHub's current workflow security guidance.
Problem
- Vigilante currently has no dedicated skill for GitHub Actions workflow implementation and hardening.
- That makes coding agents more likely to miss important workflow-security practices such as least-privilege GITHUB_TOKEN permissions, pinned actions, OIDC instead of long-lived secrets, secret masking, and safe handling of untrusted workflow inputs.
- Workflow changes are a distinct platform surface and should not be treated like generic YAML edits.
Context
- GitHub's current security-hardening documentation explicitly covers least privilege, safe secret use, pinned actions, OIDC, and safer workflow design choices.
- GitHub Actions changes are often tied to supply-chain and CI security posture, so a dedicated skill adds meaningful value.
Reference Material
Desired Outcome
- Vigilante can detect GitHub Actions workflow implementation surfaces and attach a GitHub Actions-focused implementation skill or equivalent prompt layer.
- The guidance tells the coding agent to follow current GitHub Actions security posture for workflow edits.
- The guidance is concise and does not broaden scope into unrelated repository administration.
- Existing operational policies, including vigilante commit, remain intact.
Implementation Notes
- Detect GitHub Actions-focused implementation surfaces using signals such as .github/workflows/ changes, reusable workflow files, or issues explicitly targeting Actions automation.
- Distill GitHub Actions-specific execution rules for coding agents. Required areas to cover include:
  - least-privilege permissions usage for GITHUB_TOKEN
  - preferring pinned actions and carefully reviewing third-party action usage
  - using OIDC instead of long-lived cloud secrets where appropriate
  - safe handling of secrets and log masking
  - avoiding unsafe interpolation of untrusted event data into shell scripts
  - respecting repo-standard CI patterns, reusable workflows, and branch-protection expectations
- Preserve repo-specific instructions as authoritative over generic GitHub Actions guidance.
- Preserve commit-path constraints: use vigilante commit only.
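As an added example (not Vigilante's own code, and not GitHub's), a small text-based linter that applies the execution rules above to two constructed workflows: a weak one and its hardened form. The sample workflows, the cloud-secret name heuristic and the placeholder commit SHA are assumptions for illustration.

```python
import re
# Constructed sample (not Vigilante project code) with the weaknesses the issue
# lists: no permissions block, a floating action tag, a long-lived cloud secret,
# and untrusted event data interpolated straight into a shell step.
WEAK = """\
on: [pull_request]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
# Hardened form: least-privilege GITHUB_TOKEN, action pinned to a commit SHA (the
# zeros are a placeholder), id-token: write for OIDC, untrusted title passed via env.
HARDENED = """\
on: [pull_request]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.|github\.head_ref|inputs\.)")
CLOUD_SECRET = re.compile(r"secrets\.\w*(AWS_SECRET|AZURE_CLIENT_SECRET|GCP_SA_KEY)\w*")  # heuristic
USES, SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*(\S+)"), re.compile(r"@[0-9a-f]{40}$")

def lint_workflow(text):  # returns readable findings for the rules the issue lists
    lines, findings, run_indent = text.splitlines(), [], None
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps default scopes")
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:  # left the run: block
            run_indent = None
        if m := re.match(r"^(\s*)(- )?run:", line):  # key indent, past any "- "
            run_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        if run_indent is not None and UNTRUSTED.search(line):
            findings.append(f"line {n}: untrusted event data interpolated into a shell step")
        if (m := USES.match(line)) and not m.group(1).startswith(("./", "docker://")) and not SHA_PIN.search(m.group(1)):
            findings.append(f"line {n}: {m.group(1)} is not pinned to a commit SHA")
        if CLOUD_SECRET.search(line):
            findings.append(f"line {n}: long-lived cloud secret; prefer OIDC (id-token: write)")
    return findings
```

Running lint_workflow(WEAK) yields four findings (missing permissions, unpinned action, untrusted interpolation, stored cloud secret); lint_workflow(HARDENED) yields none.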
Acceptance Criteria
Testing Expectations
- Add or update tests for GitHub Actions-focused detection and skill or prompt selection.
- Add or update tests for prompt content so workflow-related issues receive expected CI/CD security guidance and unrelated repositories do not.
- Cover regressions where the GitHub Actions guidance is missing or incorrectly injected.
Operational / UX Considerations
- Keep this skill focused on workflow implementation and hardening, not general enterprise admin configuration.
- Prefer repo-defined CI patterns and reusable workflows over generic replacements.