Set up or align GitHub repo settings, branch/ruleset policy, templates, Actions hardening, Environments, release workflows, and deploy workflows for continuously publishable or deployable repositories.
97
Does it follow best practices? 100%
Impact: 96%
Average score across 7 eval scenarios: 1.35x
Passed: no known issues
| Check | Score 1 | Score 2 |
|---|---|---|
| Tag-only SR plugins | 0% | 100% |
| GoReleaser conditional | 70% | 100% |
| GoReleaser --clean flag | 100% | 100% |
| Tap repo naming | 100% | 100% |
| TAP_GITHUB_TOKEN scope | 50% | 100% |
| Attestation permissions | 100% | 100% |
| Attest step conditional | 100% | 100% |
| GoReleaser brews block | 100% | 100% |
| No non-Go Homebrew action for Go | 100% | 100% |
| fetch-depth: 0 | 50% | 100% |
| skip ci guards | 0% | 100% |
| Release concurrency | 0% | 100% |
| Secrets on step | 100% | 100% |
| SR action version | 0% | 50% |
| fetch-depth verify | 0% | 100% |
| fetch-depth release | 100% | 100% |
| Verify concurrency group | 0% | 100% |
| Release concurrency group | 100% | 100% |
| skip ci on verify | 0% | 100% |
| skip ci on release | 0% | 100% |
| Bot identity in step env | 0% | 100% |
| Bot uses noreply address | 0% | 100% |
| Release permissions | 50% | 66% |
| semantic-release action version | 0% | 100% |
| Plugin order | 62% | 100% |
| Matching preset | 0% | 100% |
| git plugin message | 100% | 100% |
| No registry token auth | 0% | 100% |
| release needs verify | 100% | 100% |
| GitHub token on step | 100% | 100% |
| Checkout credential boundary | 83% | 100% |
| npm package metadata | 100% | 100% |
| action.yml uses dist/index.js | 100% | 100% |
| dist built in verify | 100% | 100% |
| Moving major tag step | 66% | 100% |
| Major tag step is conditional | 75% | 100% |
| No npm publish plugin | 100% | 100% |
| SR plugins for action | 100% | 100% |
| git before github | 100% | 100% |
| skip ci on both jobs | 0% | 100% |
| Release concurrency non-cancellable | 0% | 100% |
| fetch-depth: 0 | 50% | 100% |
| Bot identity in step env | 0% | 100% |
| SR action current major | 0% | 100% |
| Uses sibling action | 100% | 100% |
| Removes incompatible action | 100% | 100% |
| No inline tap hack | 100% | 100% |
| Direct tap inputs | 100% | 100% |
| Conditional on release | 100% | 100% |
| Token scope documented | 100% | 100% |
| Preserves semantic-release | 100% | 100% |
| No broad PAT advice | 100% | 100% |
| Mentions sibling precedent | 0% | 0% |
| No manual PR requirement | 100% | 100% |
| paths-filter for detection | 0% | 25% |
| Lockfile in filter | 100% | 100% |
| fetch-depth 0 on changes job | 22% | 100% |
| Lane conditional build | 100% | 100% |
| Deploy non-cancellable | 100% | 100% |
| Verify/e2e cancellable | 0% | 100% |
| Concurrency group lane-scoped | 100% | 100% |
| Shared concurrency key | 100% | 100% |
| Explicit result check | 0% | 100% |
| Manual deploy workflow | 100% | 100% |
| validated redeploy ref | 62% | 100% |
| Independent lane verification | 100% | 100% |
| No rebuild in deploy | 100% | 100% |
| Exact payload tested in e2e | 88% | 100% |
| Payload boundary justified | 85% | 100% |
| Missing output fails | 100% | 100% |
| Framework output covered | 83% | 100% |
| Lane-specific payload identity | 20% | 100% |
| Separate stages | 100% | 100% |
| Monitoring handoff present | 80% | 100% |
| No cheap smoke substitute | 100% | 100% |
| GITHUB_STEP_SUMMARY | 100% | 100% |
| Deploy needs both verify and e2e | 60% | 100% |
| Post-deploy handoff has no deploy credentials | 33% | 100% |
| Timeouts set | 0% | 100% |
| Artifact exception hygiene | 60% | 80% |
| Stable no-op result | 33% | 33% |
| Matrix controls | 50% | 100% |
| Environment-scoped runtime env | 100% | 91% |
| op:// references in template | 100% | 100% |
| OIDC for cloud credentials | 100% | 100% |
| id-token write at job level | 100% | 100% |
| Root permissions minimal | 100% | 100% |
| Production environment declared | 100% | 100% |
| Post-deploy handoff credential isolation | 100% | 100% |
| No secrets as CLI flags | 100% | 100% |
| No env file dump | 100% | 100% |
| non-sensitive ids in vars | 100% | 100% |
| Fine-grained PAT | 100% | 100% |
| GitHub secrets only for bootstrap | 80% | 80% |