Set up or align GitHub repo settings, branch/ruleset policy, templates, Actions hardening, Environments, release workflows, and deploy workflows for continuously publishable or deployable repositories.
97
100% - Does it follow best practices?
Impact: 96%
1.35x average score across 7 eval scenarios
Passed - No known issues
Tag-only SR plugins: 100% / 100%
GoReleaser conditional: 50% / 100%
GoReleaser --clean flag: 100% / 100%
Tap repo naming: 100% / 100%
TAP_GITHUB_TOKEN scope: 50% / 100%
Attestation permissions: 100% / 100%
Attest step conditional: 0% / 100%
GoReleaser brews block: 100% / 100%
No non-Go Homebrew action for Go: 100% / 100%
fetch-depth: 0: 50% / 100%
skip ci guards: 0% / 100%
Release concurrency: 0% / 100%
Secrets on step: 33% / 100%
SR action version: 0% / 100%
fetch-depth verify: 0% / 100%
fetch-depth release: 100% / 100%
Verify concurrency group: 0% / 100%
Release concurrency group: 50% / 100%
skip ci on verify: 0% / 100%
skip ci on release: 100% / 100%
Bot identity in step env: 0% / 100%
Bot uses noreply address: 0% / 100%
Release permissions: 50% / 100%
semantic-release action version: 0% / 100%
Plugin order: 100% / 100%
Matching preset: 0% / 100%
git plugin message: 100% / 100%
No registry token auth: 25% / 100%
release needs verify: 100% / 100%
GitHub token on step: 100% / 100%
Checkout credential boundary: 100% / 100%
npm package metadata: 100% / 100%
action.yml uses dist/index.js: 100% / 100%
dist built in verify: 100% / 100%
Moving major tag step: 50% / 100%
Major tag step is conditional: 50% / 100%
No npm publish plugin: 0% / 100%
SR plugins for action: 100% / 100%
git before github: 100% / 100%
skip ci on both jobs: 0% / 100%
Release concurrency non-cancellable: 0% / 100%
fetch-depth: 0: 50% / 100%
Bot identity in step env: 0% / 100%
SR action current major: 28% / 100%
Uses sibling action: 100% / 100%
Removes incompatible action: 100% / 100%
No inline tap hack: 100% / 100%
Direct tap inputs: 100% / 100%
Conditional on release: 100% / 100%
Token scope documented: 100% / 100%
Preserves semantic-release: 100% / 100%
No broad PAT advice: 100% / 100%
Mentions sibling precedent: 0% / 0%
No manual PR requirement: 100% / 100%
paths-filter for detection: 25% / 37%
Lockfile in filter: 100% / 100%
fetch-depth 0 on changes job: 100% / 100%
Lane conditional build: 100% / 62%
Deploy non-cancellable: 100% / 100%
Verify/e2e cancellable: 100% / 100%
Concurrency group lane-scoped: 100% / 100%
Shared concurrency key: 0% / 90%
Explicit result check: 20% / 100%
Manual deploy workflow: 100% / 100%
validated redeploy ref: 75% / 87%
Independent lane verification: 100% / 100%
No rebuild in deploy: 100% / 100%
Exact payload tested in e2e: 100% / 100%
Payload boundary justified: 57% / 100%
Missing output fails: 100% / 100%
Framework output covered: 50% / 83%
Lane-specific payload identity: 60% / 100%
Separate stages: 100% / 100%
Monitoring handoff present: 100% / 100%
No cheap smoke substitute: 66% / 100%
GITHUB_STEP_SUMMARY: 100% / 100%
Deploy needs both verify and e2e: 60% / 60%
Post-deploy handoff has no deploy credentials: 100% / 100%
Timeouts set: 0% / 100%
Artifact exception hygiene: 40% / 100%
Stable no-op result: 0% / 83%
Matrix controls: 50% / 50%
Environment-scoped runtime env: 100% / 100%
op:// references in template: 100% / 100%
OIDC for cloud credentials: 100% / 100%
id-token write at job level: 100% / 100%
Root permissions minimal: 100% / 100%
Production environment declared: 100% / 100%
Post-deploy handoff credential isolation: 100% / 100%
No secrets as CLI flags: 42% / 100%
No env file dump: 100% / 100%
non-sensitive ids in vars: 100% / 100%
Fine-grained PAT: 100% / 100%
GitHub secrets only for bootstrap: 100% / 100%