pantheon-ai/github-actions-generator

Comprehensive toolkit for generating best practice GitHub Actions workflows, custom local actions, and configurations following current standards and conventions. Use this skill when creating new GitHub Actions resources, implementing CI/CD workflows, or building reusable actions.

Overall
score

100%

Review — 100%

Does it follow best practices?

Validation — 11 / 11 Passed

Validation for skill structure

name:: github-actions-generator
description:: Generates production-ready GitHub Actions workflows, custom actions, and CI/CD configurations following security and performance standards. Creates CI/CD pipelines, test workflows, deployment configurations, matrix builds, caching strategies, composite actions, Docker actions, JavaScript actions, and reusable workflows. Use when creating or scaffolding GHA resources, writing .github/workflows YAML files, setting up build automation, implementing deployment pipelines, adding security scanning, or building reusable actions — including triggers like 'create a workflow', 'build a pipeline', 'add CI', 'set up GHA', or 'generate a YAML workflow'.

GitHub Actions Generator

Name: pantheon-ai/github-actions-generator
Author: pantheon-ai

Generate production-ready GitHub Actions workflows and custom actions following current best practices, security standards, and naming conventions. All generated resources are automatically validated using the devops-skills:github-actions-validator skill.

Quick Reference

Capability	When to Use	Reference
Workflows	CI/CD, automation, testing	`references/best-practices.md`
Composite Actions	Reusable step combinations	`references/custom-actions.md`
Docker Actions	Custom environments/tools	`references/custom-actions.md`
JavaScript Actions	API interactions, complex logic	`references/custom-actions.md`
Reusable Workflows	Shared patterns across repos	`references/advanced-triggers.md`
Security Scanning	Dependency review, SBOM	`references/best-practices.md`
Modern Features	Summaries, environments	`references/modern-features.md`

Core Capabilities

1. Generate Workflows

Triggers: "Create a workflow for...", "Build a CI/CD pipeline..."

Process:

Understand requirements (triggers, runners, dependencies)
Reference references/best-practices.md for patterns
Reference references/common-actions.md for action versions
Generate workflow with:
- Semantic names, pinned actions (SHA), proper permissions
- Concurrency controls, caching, matrix strategies
Validate with devops-skills:github-actions-validator skill
Fix issues and re-validate if needed

Minimal Example:

name: CI Pipeline

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - run: npm test

2. Generate Custom Actions

Triggers: "Create a composite action...", "Build a Docker action...", "Create a JavaScript action..."

Types:

Composite: Combine multiple steps → Fast startup
Docker: Custom environment/tools → Isolated
JavaScript: API access, complex logic → Fastest

Process:

Use templates from assets/templates/action/
Follow structure in references/custom-actions.md
Include branding, inputs/outputs, documentation
Validate with devops-skills:github-actions-validator skill

See references/custom-actions.md for:

Action metadata and branding
Directory structure patterns
Versioning and release workflows

3. Generate Reusable Workflows

Triggers: "Create a reusable workflow...", "Make this workflow callable..."

Key Elements:

workflow_call trigger with typed inputs
Explicit secrets (avoid secrets: inherit)
Outputs mapped from job outputs
Minimal permissions

on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      deploy-token:
        required: true
    outputs:
      result:
        value: ${{ jobs.build.outputs.result }}

See references/advanced-triggers.md for complete patterns.

4. Generate Security Workflows

Triggers: "Add security scanning...", "Add dependency review...", "Generate SBOM..."

Components:

Dependency Review: actions/dependency-review-action@v4
SBOM Attestations: actions/attest-sbom@v2
CodeQL Analysis: github/codeql-action

Required Permissions:

permissions:
  contents: read
  security-events: write  # For CodeQL
  id-token: write         # For attestations
  attestations: write     # For attestations

See references/best-practices.md section on security.

5. Modern Features

Triggers: "Add job summaries...", "Use environments...", "Run in container..."

See references/modern-features.md for:

Job summaries ($GITHUB_STEP_SUMMARY)
Deployment environments with approvals
Container jobs with services
Workflow annotations

6. Public Action Documentation

When using public actions:

Search for documentation:

"[owner/repo] [version] github action documentation"

Or use Context7 MCP:
- mcp__context7__resolve-library-id to find action
- mcp__context7__get-library-docs for documentation

Pin to SHA with version comment:

- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

See references/common-actions.md for pre-verified action versions.

Validation Workflow

CRITICAL: Every generated resource MUST be validated.

Generate workflow/action file
Invoke devops-skills:github-actions-validator skill
If errors: fix and re-validate
If success: present with usage instructions

Skip validation only for:

Partial code snippets
Documentation examples
User explicitly requests skip

Mandatory Standards

All generated resources must follow:

Standard	Implementation
Security	Pin to SHA, minimal permissions, mask secrets
Performance	Caching, concurrency, shallow checkout
Naming	Descriptive names, lowercase-hyphen files
Error Handling	Timeouts, cleanup with `if: always()`

See references/best-practices.md for complete guidelines.

Resources

Reference Documents

Document	Content	When to Use
`references/best-practices.md`	Security, performance, patterns	Every workflow
`references/common-actions.md`	Action versions, inputs, outputs	Public action usage
`references/expressions-and-contexts.md`	`${{ }}` syntax, contexts, functions	Complex conditionals
`references/advanced-triggers.md`	workflow_run, dispatch, ChatOps	Workflow orchestration
`references/custom-actions.md`	Metadata, structure, versioning	Custom action creation
`references/modern-features.md`	Summaries, environments, containers	Enhanced workflows

Templates

Template	Location
Basic Workflow	`assets/templates/workflow/basic_workflow.yml`
Composite Action	`assets/templates/action/composite/action.yml`
Docker Action	`assets/templates/action/docker/`
JavaScript Action	`assets/templates/action/javascript/`

Common Patterns

Matrix Testing

strategy:
  matrix:
    os: [ubuntu-latest, windows-latest]
    node: [18, 20, 22]
  fail-fast: false

Conditional Deployment

deploy:
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'

Artifact Sharing

# Upload
- uses: actions/upload-artifact@v4
  with:
    name: build-${{ github.sha }}
    path: dist/

# Download (in dependent job)
- uses: actions/download-artifact@v4
  with:
    name: build-${{ github.sha }}

Workflow Summary

Understand requirements
Reference appropriate docs
Generate with standards
Search for public action docs (if needed)
Validate with devops-skills:github-actions-validator
Fix any errors
Present validated result

Install with Tessl CLI

npx tessl i pantheon-ai/github-actions-generator

Workspace: pantheon-ai
Visibility: Public
Created: about 1 hour ago
Last updated: about 1 hour ago