{"id":"50e17ef1-03db-4453-a315-0d0029d28449","shortId":"mUepRE","kind":"skill","title":"vigilante-issue-implementation-on-github-actions","tagline":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a repository with GitHub Actions workflows, applying workflow hardening, pinned actions, and secret-safe automation practices.","description":"# Vigilante GitHub Actions Issue Implementation\n\n## Focus\n- Read the prompt for detected tech stacks, process hints, and security guidance before changing workflow files.\n- Keep changes scoped to the issue and do not broaden into unrelated workflow or repository changes.\n- Treat `.github/workflows/` as a security-sensitive surface. Every workflow edit should consider permissions, secret exposure, and supply-chain risk.\n\n## Workflow File Conventions\n- Use `.yml` or `.yaml` consistently with the repository's existing convention. Do not mix extensions within the same repository.\n- Validate workflow syntax before committing. Use `actionlint` when it is available in the repository or installed locally. If `actionlint` is not available, note its absence and continue — do not fabricate output.\n- Keep workflow files readable: use clear job and step names, add inline comments for non-obvious logic, and prefer reusable workflows or composite actions over duplicated step blocks.\n\n## Pinned Actions\n- Pin third-party actions to full commit SHAs, not mutable tags or branch references. Example: `uses: actions/checkout@<full-sha>` with a trailing version comment.\n- When updating an action version, verify the new SHA corresponds to a reviewed release or tag.\n- First-party GitHub actions (`actions/*`) should also be pinned to SHAs for consistency and supply-chain safety.\n- When adding a new third-party action, prefer well-maintained actions with high community adoption. 
Avoid actions that request broad permissions or lack clear provenance.\n\n## Least-Privilege Permissions\n- Always declare a top-level `permissions:` block in workflow files. Default to the most restrictive set needed.\n- Use read-only `contents: read` unless the workflow must write (e.g., creating releases, pushing tags, commenting on PRs).\n- Scope token permissions per job when different jobs need different access levels.\n- Never use `permissions: write-all` or leave permissions unspecified, which defaults to broad access in some repository configurations.\n\n## Secret and Credential Safety\n- Never echo, log, or interpolate secrets directly in `run:` shell commands. Pass secrets through environment variables.\n- Use `::add-mask::` to mask dynamic values that may appear in logs.\n- Prefer OIDC-based authentication (e.g., `aws-actions/configure-aws-credentials` with `role-to-assume`) over long-lived cloud credentials stored as repository secrets.\n- Do not store secrets, tokens, or credentials in workflow files or committed configuration.\n- When a workflow needs elevated access, document why in a comment and scope the access as narrowly as possible.\n\n## Safe Workflow Authoring\n- Never interpolate untrusted event data (such as `${{ github.event.pull_request.title }}` or `${{ github.event.issue.body }}`) directly into `run:` shell scripts. 
Use an intermediate environment variable to prevent script injection.\n- Prefer `pull_request` over `pull_request_target` unless cross-fork access is explicitly required and the workflow is hardened against injection.\n- Use `concurrency` groups to prevent redundant or conflicting workflow runs.\n- Set appropriate `timeout-minutes` on jobs to prevent hung runners from consuming resources.\n\n## Reusable Workflows and Composite Actions\n- Prefer the repository's existing reusable workflows and composite actions over duplicating logic.\n- When creating new reusable workflows, define clear `inputs` and `secrets` contracts.\n- Respect the repository's branch-protection rules and required status checks when adding or modifying workflows.\n\n## Mixed-Stack Repositories\n- A repository with GitHub Actions workflows often also contains application code in Go, Node.js, Python, or other languages.\n- Scope workflow-specific guidance to `.github/workflows/` and related CI/CD configuration only. Do not apply workflow linting or hardening rules to application source code.\n- When an issue touches both workflow files and application code, validate each side with its appropriate toolchain.\n- Check the prompt for additional detected tech stacks and follow their respective guidance for non-workflow changes.\n\n## Workflow\n- Follow the base `vigilante-issue-implementation` workflow for issue comments, validation, push, and PR creation.\n- Use `vigilante commit` for all commit-producing operations. Do not use `git commit` or GitHub CLI commit flows directly.\n- Any commit or amend must preserve the user's existing git author, committer, and signing configuration. 
Commit on behalf of the user and do not overwrite `git config` with a coding-agent identity.\n- Do not add `Co-authored-by:` trailers or any other agent attribution for Codex, Claude, Gemini, or similar coding-agent identities.\n- Repository-specific instructions (`AGENTS.md`, `README.md`, CI config) remain authoritative when they are more specific than the generic GitHub Actions guidance in this skill.","tags":["vigilante","issue","implementation","github","actions","aliengiraffe","agent","agent-skills","agentic-ai","agentic-workflow","agents","ai-orchestration"],"capabilities":["skill","source-aliengiraffe","skill-vigilante-issue-implementation-on-github-actions","topic-agent","topic-agent-skills","topic-agentic-ai","topic-agentic-workflow","topic-agents","topic-ai-orchestration","topic-ai-orchestrator","topic-orchestration"],"categories":["vigilante"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-github-actions","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add aliengiraffe/vigilante","source_repo":"https://github.com/aliengiraffe/vigilante","install_from":"skills.sh"}},"qualityScore":"0.464","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 28 github stars · SKILL.md body (4,888 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T07:01:24.171Z","embedding":null,"createdAt":"2026-04-18T22:23:12.536Z","updatedAt":"2026-05-01T07:01:24.171Z","lastSeenAt":"2026-05-01T07:01:24.171Z","prices":[{"id":"49d6bf7b-54a0-46f1-9e34-18fa12b07279","listingId":"50e17ef1-03db-4453-a315-0d0029d28449","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"aliengiraffe","category":"vigilante","install_from":"skills.sh"},"createdAt":"2026-04-18T22:23:12.536Z"}],"sources":[{"listingId":"50e17ef1-03db-4453-a315-0d0029d28449","source":"github","sourceId":"aliengiraffe/vigilante/vigilante-issue-implementation-on-github-actions","sourceUrl":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-github-actions","isPrimary":false,"firstSeenAt":"2026-04-18T22:23:12.536Z","lastSeenAt":"2026-05-01T07:01:24.171Z"}],"details":{"listingId":"50e17ef1-03db-4453-a315-0d0029d28449","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[
],"kindDetails":{"org":"aliengiraffe","slug":"vigilante-issue-implementation-on-github-actions","github":{"repo":"aliengiraffe/vigilante","stars":28,"topics":["agent","agent-skills","agentic-ai","agentic-workflow","agents","ai","ai-orchestration","ai-orchestrator","orchestration"],"license":"apache-2.0","html_url":"https://github.com/aliengiraffe/vigilante","pushed_at":"2026-04-23T16:58:46Z","description":"Vigilante is a sandbox-first orchestration layer for coding agents. It isolates every task in a git worktree, enforces strict credential scoping, and gives you full audit logs — so your agents can't burn down production.","skill_md_sha":"3288e2ae3195a7db25e6847a6f3b981216324060","skill_md_path":"skills/vigilante-issue-implementation-on-github-actions/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-github-actions"},"layout":"multi","source":"github","category":"vigilante","frontmatter":{"name":"vigilante-issue-implementation-on-github-actions","description":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a repository with GitHub Actions workflows, applying workflow hardening, pinned actions, and secret-safe automation practices."},"skills_sh_url":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-github-actions"},"updatedAt":"2026-05-01T07:01:24.171Z"}}