
uinaf/gh-setup

Set up or align GitHub repo settings, branch/ruleset policy, templates, Actions hardening, Environments, release workflows, and deploy workflows for continuously publishable or deployable repositories.

Score: 97 (1.35x)
Quality: 100% (Does it follow best practices?)
Impact: 96% (1.35x; average score across 7 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent correctly sets up a GitHub Actions CI/CD pipeline for an npm TypeScript library using semantic-release, covering the verify/release job structure, concurrency configuration, [skip ci] guards, checkout depth, bot identity, permissions, and semantic-release plugin ordering and configuration.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "fetch-depth verify",
      "description": "The verify job's checkout step uses `fetch-depth: 0` (not the default shallow clone)",
      "max_score": 5
    },
    {
      "name": "fetch-depth release",
      "description": "The release job's checkout step uses `fetch-depth: 0`",
      "max_score": 5
    },
    {
      "name": "Verify concurrency group",
      "description": "The verify job (or workflow-level) has a cancellable concurrency group with `cancel-in-progress: true`",
      "max_score": 6
    },
    {
      "name": "Release concurrency group",
      "description": "The release job has a job-level non-cancellable concurrency group with `cancel-in-progress: false`",
      "max_score": 6
    },
    {
      "name": "skip ci on verify",
      "description": "The verify job has an `if:` condition that skips execution when the commit message contains `[skip ci]`",
      "max_score": 6
    },
    {
      "name": "skip ci on release",
      "description": "The release job has an `if:` condition that skips execution when the commit message contains `[skip ci]`",
      "max_score": 6
    },
    {
      "name": "Bot identity in step env",
      "description": "GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL are set inside the semantic-release step's `env:`, NOT at job level",
      "max_score": 7
    },
    {
      "name": "Bot uses noreply address",
      "description": "The bot email addresses use a `noreply.github.com` domain (not a real human email)",
      "max_score": 4
    },
    {
      "name": "Release permissions",
      "description": "The release job explicitly declares only the needed write permissions, including `contents: write` for GitHub release/pushback and `id-token: write` for npm Trusted Publishing; `issues: write` and `pull-requests: write` are absent unless comments are configured",
      "max_score": 6
    },
    {
      "name": "semantic-release action version",
      "description": "Uses `cycjimmy/semantic-release-action` pinned to a full commit SHA with an exact same-line version comment, preserving the repo's current major unless there is a concrete migration reason",
      "max_score": 5
    },
    {
      "name": "Plugin order",
      "description": "Plugins are ordered: commit-analyzer before release-notes-generator, both before publish plugins, @semantic-release/git before @semantic-release/github",
      "max_score": 8
    },
    {
      "name": "Matching preset",
      "description": "Both @semantic-release/commit-analyzer and @semantic-release/release-notes-generator are configured with `\"preset\": \"conventionalcommits\"`",
      "max_score": 8
    },
    {
      "name": "git plugin message",
      "description": "The @semantic-release/git plugin's message contains `[skip ci]` and uses the `chore(release): ${nextRelease.version}` format",
      "max_score": 8
    },
    {
      "name": "No registry token auth",
      "description": "The semantic-release npm publish path uses npm Trusted Publishing/OIDC and does not set `registry-url` or expose `NPM_TOKEN`",
      "max_score": 8
    },
    {
      "name": "release needs verify",
      "description": "The release job declares `needs: [verify]` (or equivalent), making verify the gate to publish",
      "max_score": 6
    },
    {
      "name": "GitHub token on step",
      "description": "GITHUB_TOKEN or the dedicated release-bot token is declared only on the semantic-release step, not at the job level",
      "max_score": 6
    },
    {
      "name": "Checkout credential boundary",
      "description": "Checkout/install/build steps do not expose persisted write credentials before package-manager lifecycle scripts run; any pushback credential is introduced only at the release boundary",
      "max_score": 6
    },
    {
      "name": "npm package metadata",
      "description": "package.json includes public `repository` metadata matching the GitHub repo and public `publishConfig.access` when publishing a scoped public package",
      "max_score": 5
    }
  ]
}
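A workflow plus semantic-release configuration that satisfies every item in this checklist, written here as an added example; it is not part of the skill's files or its eval fixtures. Assumptions not stated on the page: the package is a public scoped npm package released from `main`; npm Trusted Publishing has been enabled on the npm side for this repository and workflow file; the `SHA_OF_...` placeholders stand for full commit SHAs that must be looked up from each action's release tag (no real SHAs are given); `cycjimmy/semantic-release-action` major `v4`, Node 22, and the `github-actions[bot]` identity are illustrative choices; and publishing with no `NPM_TOKEN` relies on npm 11.5.1 or later and on a semantic-release/@semantic-release/npm release that supports Trusted Publishing. The two files are shown as one YAML stream separated by `---`; the comment at the top of each document names the file it belongs in.

```yaml
# .github/workflows/release.yml  (added example, not the skill's own file)
name: release

on:
  push:
    branches: [main]
  pull_request:

# Nothing at workflow level; each job grants only what it needs.
permissions: {}

jobs:
  verify:
    # Skip the run that the release bot's own "[skip ci]" commit would trigger.
    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Cancellable: a newer push to the same ref supersedes checks in flight.
    concurrency:
      group: verify-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@SHA_OF_CHECKOUT_V4 # v4.2.2  (placeholder: use the real SHA)
        with:
          fetch-depth: 0              # semantic-release needs full history and tags
          persist-credentials: false  # no token in .git/config while `npm ci` runs lifecycle scripts
      - uses: actions/setup-node@SHA_OF_SETUP_NODE_V4 # v4  (placeholder: use the real SHA)
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm test
      - run: npm run build

  release:
    needs: [verify]                   # verify is the gate to publish
    if: >-
      github.event_name == 'push' &&
      !contains(github.event.head_commit.message, '[skip ci]')
    runs-on: ubuntu-latest
    permissions:
      contents: write   # GitHub release + push of the version-bump commit and tag
      id-token: write   # OIDC token for npm Trusted Publishing
      # No issues/pull-requests write: release comments are disabled in .releaserc.yaml
    # Non-cancellable: a publish in progress must never be aborted half-way.
    concurrency:
      group: release-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@SHA_OF_CHECKOUT_V4 # v4.2.2  (placeholder: use the real SHA)
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-node@SHA_OF_SETUP_NODE_V4 # v4  (placeholder: use the real SHA)
        with:
          node-version: 22
          cache: npm
      # Trusted Publishing requires npm 11.5.1+; Node 22 ships an older npm.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build
      - name: semantic-release
        uses: cycjimmy/semantic-release-action@SHA_OF_SEMREL_V4 # v4  (placeholder: use the real SHA)
        with:
          extra_plugins: |
            conventional-changelog-conventionalcommits
        # Token and bot identity are scoped to this step only; no NPM_TOKEN, no registry-url.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GIT_AUTHOR_NAME: github-actions[bot]
          GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: github-actions[bot]
          GIT_COMMITTER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
---
# .releaserc.yaml  (added example; plugin order follows the checklist above)
branches: [main]
plugins:
  - - "@semantic-release/commit-analyzer"
    - preset: conventionalcommits
  - - "@semantic-release/release-notes-generator"
    - preset: conventionalcommits
  - "@semantic-release/npm"
  - - "@semantic-release/git"
    - assets: [package.json, package-lock.json]
      message: "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
  - - "@semantic-release/github"
    - successComment: false
      failComment: false
```

Two points worth knowing when reading this. GitHub already skips push-triggered workflow runs whose head commit message contains `[skip ci]`, and commits pushed with `GITHUB_TOKEN` do not start new runs at all, so the `if:` guards are defense in depth rather than the only thing preventing a release loop. The `verify` job's guard is wrapped in `${{ }}` because a bare `!contains(...)` at the start of a YAML scalar is parsed as a YAML tag, not a negation; in the `release` job the expression starts with `github.event_name`, so the folded scalar is safe. The last checklist item is satisfied outside these files: `package.json` needs a `repository.url` that matches the GitHub repository (Trusted Publishing and provenance check it) and `publishConfig.access: public` for a scoped public package.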

Files: evals/, SKILL.md, tile.json