chore: minimize SKILL.md to essential triggers #5
Merged
Reduce SKILL.md from 105 lines to 24 lines:

- Keep only core triggers for repo creation/configuration
- Point to README.md for detailed workflows and troubleshooting
- Reference key files for discoverability
CybotTM added a commit that referenced this pull request on May 4, 2026

…in-repo locations

GH-3 (SECURITY.md), GH-4 (CONTRIBUTING.md), and GH-5 (CODEOWNERS) check for project-local files. GitHub honours these files org-wide via the special `.github` repo (e.g. netresearch/.github), so many repos that appear "missing" these files actually have them satisfied at the org level.

The assessment runner cannot cheaply verify org-wide files (it would have to call the GitHub API, which requires auth and is outside the command allowlist). Demoting these from `warning` to `info` better reflects the real situation: nice-to-have at the repo level, often satisfied elsewhere. The descriptions now mention the org-wide fallback explicitly.

Also broaden each target with brace expansion for the documented in-repo locations:

- SECURITY.md → {SECURITY.md, .github/SECURITY.md, docs/SECURITY.md}
- CONTRIBUTING.md → {CONTRIBUTING.md, .github/CONTRIBUTING.md, docs/CONTRIBUTING.md}
- CODEOWNERS → {.github/CODEOWNERS, CODEOWNERS, docs/CODEOWNERS}

GitHub itself accepts CODEOWNERS in any of those locations.
CybotTM added a commit that referenced this pull request on May 4, 2026

…ert GH-5 demotion

Addresses PR #69 review feedback:

GH-2 (Copilot, Gemini): added missing license filenames the skill itself documents — COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause, LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL, LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0.

GH-5 (Copilot): reverted demotion to info — CODEOWNERS must exist in the repository itself on the default branch (.github/, root, or docs/), and the org-wide .github mechanism explicitly does NOT cover it (that mechanism only provides templates and community-health files, never review-routing rules). Severity restored to warning; description corrected to remove the misleading org-wide claim.

GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate config variants, and the .json5 form for Renovate.

GH-13/14 (Gemini follow-on): brace-expanded targets to also accept .github/dependabot.yaml.

GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}` to match either extension.

GH-24..27 (Gemini): glob target now `.github/workflows/auto-merge*.{yml,yaml}`.

Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27 already use a glob (`auto-merge*.yml` — now expanded to `*.{yml,yaml}`) that matches both filenames, so adding auto-merge.yml to GH-23 does not produce false failures downstream.

GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on runner — these are gh_api types, the desc field is human-readable).

.yamllint.yml: line-length bumped 160 → 360 to accommodate single-line brace-expansion targets that the runner cannot read as folded scalars (the runner's parser is bash regex, not a YAML library).
CybotTM added a commit that referenced this pull request on May 5, 2026

GH-3 (SECURITY.md), GH-4 (CONTRIBUTING.md), GH-7 (PR template) declare org_provides: paths so the runner falls back to `gh api repos/{owner}/.github/contents/<path>` when the local file is missing. Repos that opt into org-wide community-health files (the documented GitHub default) now stop being flagged.

GH-7 also accepts both PULL_REQUEST_TEMPLATE.md and the lowercase pull_request_template.md (which is what netresearch/.github actually uses) — GitHub treats these case-insensitively.

GH-5 (CODEOWNERS) intentionally stays local-only — GitHub's review routing only honours CODEOWNERS in the consuming repo, not the org's .github fallback.

GH-8 / GH-9 (issue templates) declare org_provides for completeness but most orgs don't ship default issue templates; for those repos this still surfaces as a finding. When an org does provide them at {owner}/.github/.github/ISSUE_TEMPLATE/<name>, the checkpoint passes.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
CybotTM added a commit that referenced this pull request on May 28, 2026

…ved-repo handling

Migrated from a personal global rules file so the whole team shares them:

- reusable-workflow-security: never use `secrets: inherit` (forwards every secret transitively; limits blast radius to named secrets)
- reusable-workflow-pitfalls: #5 inline `config_data` replaces the repo's own linter config entirely instead of merging
- auto-merge-guide: handle Dependabot/Renovate PRs on archived repos (unarchive -> close -> re-archive; never auto-merge archived)

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request on May 28, 2026

…repo handling (#80)

Three GitHub-ops rules migrated from a personal `~/.claude/CLAUDE.md` into the skill (team memory).

| File | Added |
|---|---|
| `reusable-workflow-security.md` | **Never use `secrets: inherit`** — explicit per-secret passing, blast-radius rationale |
| `reusable-workflow-pitfalls.md` | **#5** inline `config_data` overrides the repo's own config (fallback pattern) |
| `auto-merge-guide.md` | **Archived repos** — unarchive → close → re-archive; filter before batch auto-merge |

markdownlint-cli2: **0 errors**. Docs only.

Skipped a 4th candidate ("annotations must be resolved") — already covered by the existing *CI Annotations* section.
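
The `secrets: inherit` rule named in the commit above can be enforced with a small scan over both workflow extensions, mirroring the `.github/workflows/*.{yml,yaml}` target. This is an added example, not code from this repository or its assessment runner; the function names, `example-org/shared-ci` and `NPM_TOKEN` are hypothetical, and the two workflow files are constructed samples showing the weak caller beside the corrected one.

```shell
#!/usr/bin/env bash
# Added example (not the skill's runner): report callers using `secrets: inherit`.

# Print "relative/path:line" for every `secrets: inherit` mapping entry in a
# repository's workflows. Both extensions are scanned; commented lines are ignored.
find_secrets_inherit() {
  root=$1
  pattern='^[[:space:]]*secrets:[[:space:]]*inherit[[:space:]]*(#.*)?$'
  for f in "$root"/.github/workflows/*.yml "$root"/.github/workflows/*.yaml; do
    [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
    for n in $(grep -nE "$pattern" "$f" | cut -d: -f1); do
      printf '%s:%s\n' "${f#"$root"/}" "$n"
    done
  done
}

# Constructed sample repository: one weak caller, one corrected caller.
# example-org/shared-ci and NPM_TOKEN are hypothetical names.
make_demo_repo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/.github/workflows"
  cat > "$demo/.github/workflows/release.yml" <<'EOF'
name: release
on: push
jobs:
  build:
    uses: example-org/shared-ci/.github/workflows/build.yml@main
    secrets: inherit
EOF
  cat > "$demo/.github/workflows/ci.yaml" <<'EOF'
name: ci
on: push
jobs:
  build:
    uses: example-org/shared-ci/.github/workflows/build.yml@main
    # was: secrets: inherit
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  printf '%s\n' "$demo"
}

repo=$(make_demo_repo)
find_secrets_inherit "$repo"   # only the weak caller is reported
rm -rf "$repo"
```

The corrected caller forwards one named secret, so a compromised or changed reusable workflow can read only that secret rather than every secret the caller holds.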
CybotTM added a commit that referenced this pull request on May 31, 2026

A /retro session on 2026-05-31 (session 743f82e8) surfaced a standing user preference stated during TYPO3 extension work: 'DRY — we use re-usable workflows so all our projects gain from improvements', with the instruction to check the shared typo3-ci reusable-workflow repo before patching a project.

Adds pitfall #6 to reusable-workflow-pitfalls.md: when a CI/quality gap surfaces in a consumer, fix it in the shared reusable-workflow repo so every consumer inherits it, rather than patching the single project. Distinct from the existing pitfalls (#1-#5 cover how to author/reference; this covers where a fix belongs) and from reusable-workflow-security.md (SHA pinning).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request on May 31, 2026

…, not per-project (#82)

## Summary

Adds pitfall **#6** to `references/reusable-workflow-pitfalls.md`: when a CI/quality gap surfaces in a consumer of a shared reusable workflow, fix it upstream in the shared workflow repo so every consumer inherits the fix — don't patch the single project's `.github/workflows/`.

## Came from

`/retro` session on 2026-05-31 (session `743f82e8`). Finding: a standing user preference, stated verbatim during TYPO3 extension work — *"DRY — we use re-usable workflows so all our projects gain from improvements"* — together with the instruction to check the shared `typo3-ci` reusable-workflow repo before adding a per-project guard. Existing references cover *how* to reference/pin/secure reusable workflows but not *where* a fix belongs.

## Change

New section #6 (principle, not a structural trap): per-project patches reintroduce the duplication the shared workflow removes, drift out of sync, and force rediscovery in the next repo. Check whether the shared repo owns the concern; if so, land the fix there and let consumers pick it up via `@main`/`@vX.Y.Z`. Explicitly contrasted with pitfalls #1–#5 and with `reusable-workflow-security.md`.

## Test plan

- [ ] `markdownlint-cli2` clean (verified locally: 0 errors)
- [ ] Renders correctly; cross-links to `reusable-workflow-security.md` resolve