chore: minimize SKILL.md to essential triggers #5

Merged: CybotTM merged 1 commit into main from chore/minimize-skill-md, Dec 26, 2025

CybotTM commented Dec 26, 2025

Reduce SKILL.md from 105 lines to 24 lines:

  • Keep only core triggers for repo creation/configuration
  • Point to README.md for detailed workflows and troubleshooting
  • Reference key files for discoverability

CybotTM merged commit 879de94 into main Dec 26, 2025
CybotTM deleted the chore/minimize-skill-md branch February 8, 2026 20:21
CybotTM added a commit that referenced this pull request May 4, 2026
…in-repo locations

GH-3 (SECURITY.md), GH-4 (CONTRIBUTING.md), and GH-5 (CODEOWNERS) check
for project-local files. GitHub honours these files org-wide via the
special `.github` repo (e.g. netresearch/.github), so many repos that
appear "missing" these files actually have them satisfied at the org level.

The assessment runner cannot cheaply verify org-wide files (it would have
to call the GitHub API, which requires auth and is outside the command
allowlist). Demoting these from `warning` to `info` better reflects the
real situation: nice-to-have at the repo level, often satisfied elsewhere.
The descriptions now mention the org-wide fallback explicitly.

Also broaden each target with brace expansion for the documented in-repo
locations:
  - SECURITY.md      → {SECURITY.md, .github/SECURITY.md, docs/SECURITY.md}
  - CONTRIBUTING.md  → {CONTRIBUTING.md, .github/CONTRIBUTING.md, docs/CONTRIBUTING.md}
  - CODEOWNERS       → {.github/CODEOWNERS, CODEOWNERS, docs/CODEOWNERS}

GitHub itself accepts CODEOWNERS in any of those locations.
CybotTM added a commit that referenced this pull request May 4, 2026
…ert GH-5 demotion

Addresses PR #69 review feedback:

GH-2 (Copilot, Gemini): added missing license filenames the skill itself
documents — COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause,
LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL,
LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0.

GH-5 (Copilot): reverted demotion to info — CODEOWNERS must exist in the
repository itself on the default branch (.github/, root, or docs/), and
the org-wide .github mechanism explicitly does NOT cover it (that
mechanism only provides templates and community-health files, never
review-routing rules). Severity restored to warning; description
corrected to remove the misleading org-wide claim.

GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate
config variants, and the .json5 form for Renovate.

GH-13/14 (Gemini follow-on): brace-expanded targets to also accept
.github/dependabot.yaml.

GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}`
to match either extension.

GH-24..27 (Gemini): glob target now
`.github/workflows/auto-merge*.{yml,yaml}`.

Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27
already use a glob (auto-merge*.yml — now expanded to *.{yml,yaml})
that matches both filenames, so adding auto-merge.yml to GH-23 does
not produce false failures downstream.

GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on
runner — these are gh_api types, the desc field is human-readable).

.yamllint.yml: line-length bumped 160 → 360 to accommodate single-line
brace-expansion targets that the runner cannot read as folded scalars
(the runner's parser is bash regex, not a YAML library).
CybotTM added a commit that referenced this pull request May 5, 2026
GH-3 (SECURITY.md), GH-4 (CONTRIBUTING.md), GH-7 (PR template)
declare org_provides: paths so the runner falls back to
`gh api repos/{owner}/.github/contents/<path>` when the local file
is missing. Repos that opt into org-wide community-health files (the
documented GitHub default) now stop being flagged.

GH-7 also accepts both PULL_REQUEST_TEMPLATE.md and the lowercase
pull_request_template.md (which is what netresearch/.github actually
uses) — GitHub treats these case-insensitively.

GH-5 (CODEOWNERS) intentionally stays local-only — GitHub's review
routing only honours CODEOWNERS in the consuming repo, not the org's
.github fallback.

GH-8 / GH-9 (issue templates) declare org_provides for completeness
but most orgs don't ship default issue templates; for those repos
this still surfaces as a finding. When an org does provide them at
{owner}/.github/.github/ISSUE_TEMPLATE/<name>, the checkpoint passes.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
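
The resolution order this commit describes (local candidate paths first, then the org-wide `.github` repo, with CODEOWNERS kept local-only) can be sketched as follows. This is an added example, not the skill's runner: the function names are hypothetical, and a local directory stands in for the `gh api repos/{owner}/.github/contents/<path>` lookup so that it runs offline.

```shell
# Added example, not the skill's own runner. ORG is a local checkout standing in
# for `gh api repos/{owner}/.github/contents/<path>`; all names are hypothetical.

# Print the first candidate path that exists as a file under ROOT.
first_existing() {
  local root="$1" p
  shift
  for p in "$@"; do
    if [ -f "$root/$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# check_file REPO ORG ORG_FALLBACK(yes|no) CANDIDATE...
# Prints pass:local:<path>, pass:org:<path> or finding.
check_file() {
  local repo="$1" org="$2" fallback="$3" hit
  shift 3
  if hit="$(first_existing "$repo" "$@")"; then
    printf 'pass:local:%s\n' "$hit"
  elif [ "$fallback" = yes ] && hit="$(first_existing "$org" "$@")"; then
    printf 'pass:org:%s\n' "$hit"
  else
    printf 'finding\n'
  fi
}

# Constructed sample: the repo only has .github/CONTRIBUTING.md; the org
# checkout has SECURITY.md and a CODEOWNERS file that must not count.
make_sample() {
  local base
  base="$(mktemp -d)"
  mkdir -p "$base/repo/.github" "$base/org"
  : > "$base/repo/.github/CONTRIBUTING.md"
  : > "$base/org/SECURITY.md"
  : > "$base/org/CODEOWNERS"
  printf '%s\n' "$base"
}

# Candidate lists are the brace-expanded targets from the commit messages above.
gh3() { check_file "$1/repo" "$1/org" yes SECURITY.md .github/SECURITY.md docs/SECURITY.md; }
gh4() { check_file "$1/repo" "$1/org" yes CONTRIBUTING.md .github/CONTRIBUTING.md docs/CONTRIBUTING.md; }
gh5() { check_file "$1/repo" "$1/org" no .github/CODEOWNERS CODEOWNERS docs/CODEOWNERS; }

base="$(make_sample)"
printf 'GH-3 %s\nGH-4 %s\nGH-5 %s\n' "$(gh3 "$base")" "$(gh4 "$base")" "$(gh5 "$base")"
rm -rf "$base"
```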
CybotTM added a commit that referenced this pull request May 28, 2026
…ved-repo handling

Migrated from a personal global rules file so the whole team shares them:
- reusable-workflow-security: never use `secrets: inherit` (forwards every
  secret transitively; limits blast radius to named secrets)
- reusable-workflow-pitfalls: #5 inline `config_data` replaces the repo's own
  linter config entirely instead of merging
- auto-merge-guide: handle Dependabot/Renovate PRs on archived repos
  (unarchive -> close -> re-archive; never auto-merge archived)

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request May 28, 2026
…repo handling (#80)

Three GitHub-ops rules migrated from a personal `~/.claude/CLAUDE.md`
into the skill (team memory).

| File | Added |
|---|---|
| `reusable-workflow-security.md` | **Never use `secrets: inherit`** —
explicit per-secret passing, blast-radius rationale |
| `reusable-workflow-pitfalls.md` | **#5** inline `config_data`
overrides the repo's own config (fallback pattern) |
| `auto-merge-guide.md` | **Archived repos** — unarchive → close →
re-archive; filter before batch auto-merge |

markdownlint-cli2: **0 errors**. Docs only. Skipped a 4th candidate
("annotations must be resolved") — already covered by the existing *CI
Annotations* section.
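
The `secrets: inherit` rule named in the commits above can be checked mechanically across a repository's workflows. The following is an added example, not code from this repository; the function names, the `example-org/shared-ci` workflow reference and the `LINT_TOKEN` secret are constructed for illustration.

```shell
# Added example, not the skill's own code. Function names are hypothetical
# and the two workflow files are constructed samples.

# Print "file:line" for each `secrets: inherit` under REPO/.github/workflows.
find_secrets_inherit() {
  local dir="$1/.github/workflows"
  [ -d "$dir" ] || return 0
  # Anchored match: commented-out lines are ignored, a trailing comment is allowed.
  find "$dir" -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -nHE '^[[:space:]]*secrets:[[:space:]]*inherit[[:space:]]*(#.*)?$' {} + |
    cut -d: -f1,2 | sort
}

# Constructed sample: one caller forwards every secret, one names the secret it passes.
make_sample_repo() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/.github/workflows"
  cat > "$root/.github/workflows/weak.yml" <<'EOF'
name: ci
on: push
jobs:
  lint:
    uses: example-org/shared-ci/.github/workflows/lint.yml@v1.0.0
    secrets: inherit
EOF
  cat > "$root/.github/workflows/fixed.yaml" <<'EOF'
name: ci
on: push
jobs:
  lint:
    uses: example-org/shared-ci/.github/workflows/lint.yml@v1.0.0
    secrets:
      LINT_TOKEN: ${{ secrets.LINT_TOKEN }}
EOF
  printf '%s\n' "$root"
}

sample="$(make_sample_repo)"
find_secrets_inherit "$sample"   # reports the weak.yml caller only
rm -rf "$sample"
```

The explicit `secrets:` mapping in `fixed.yaml` is the per-secret form the commit table refers to; only the named secret reaches the called workflow.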
CybotTM added a commit that referenced this pull request May 31, 2026
A /retro session on 2026-05-31 (session 743f82e8) surfaced a standing user
preference stated during TYPO3 extension work: 'DRY — we use re-usable
workflows so all our projects gain from improvements', with the instruction to
check the shared typo3-ci reusable-workflow repo before patching a project.

Adds pitfall #6 to reusable-workflow-pitfalls.md: when a CI/quality gap
surfaces in a consumer, fix it in the shared reusable-workflow repo so every
consumer inherits it, rather than patching the single project. Distinct from
the existing pitfalls (#1-#5 cover how to author/reference; this covers where
a fix belongs) and from reusable-workflow-security.md (SHA pinning).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit that referenced this pull request May 31, 2026
…, not per-project (#82)

## Summary

Adds pitfall **#6** to `references/reusable-workflow-pitfalls.md`: when
a CI/quality gap surfaces in a consumer of a shared reusable workflow,
fix it upstream in the shared workflow repo so every consumer inherits
the fix — don't patch the single project's `.github/workflows/`.

## Came from

`/retro` session on 2026-05-31 (session `743f82e8`).
Finding: a standing user preference, stated verbatim during TYPO3
extension work — *"DRY — we use re-usable workflows so all our projects
gain from improvements"* — together with the instruction to check the
shared `typo3-ci` reusable-workflow repo before adding a per-project
guard. Existing references cover *how* to reference/pin/secure reusable
workflows but not *where* a fix belongs.

## Change

New section #6 (principle, not a structural trap): per-project patches
reintroduce the duplication the shared workflow removes, drift out of
sync, and force rediscovery in the next repo. Check whether the shared
repo owns the concern; if so, land the fix there and let consumers pick
it up via `@main`/`@vX.Y.Z`. Explicitly contrasted with pitfalls #1-#5
and with `reusable-workflow-security.md`.

## Test plan

- [ ] `markdownlint-cli2` clean (verified locally: 0 errors)
- [ ] Renders correctly; cross-links to `reusable-workflow-security.md`
resolve