feat: add Go project CI checklist and related skills section#6
Merged
Conversation
- Add Go Project CI Checklist to SKILL.md with settings table - Add Related Skills section to SKILL.md and README.md - Add Skill Coordination diagram showing hub-and-spoke model - Cross-reference go-development and enterprise-readiness skills Part of skill unification effort for consistent enterprise-ready Go project setup.
CybotTM
added a commit
that referenced
this pull request
Mar 15, 2026
The file_exists check only looked for .github/dependabot.yml, producing false positives on repos using Renovate for dependency updates. Switch to a command check that accepts dependabot.yml, renovate.json, .github/renovate.json, .renovaterc.json, or .renovaterc. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
3 tasks
CybotTM
added a commit
that referenced
this pull request
Mar 15, 2026
fix: GH-6 accept Renovate as alternative to Dependabot
3 tasks
CybotTM
added a commit
that referenced
this pull request
May 4, 2026
…allowlist The automated-assessment runner enforces a command allowlist that rejects command-chaining metacharacters (; && || backticks $()) and only accepts specific base commands. Four checkpoints failed allowlist validation and were never actually evaluated against target projects. GH-6 and GH-23 used `test -f X || test -f Y` chains to test for any of several files. Rewritten as `type: file_exists` with brace expansion, which is the runner's first-class idiom for "any of these files". GH-30 and GH-31 used multi-line YAML literal-block scalars (`target: |`) to invoke `gh api` for branch protection audits. The runner's simple line parser sees the literal-block indicator as the first token and rejects with "'|' not in allowed command whitelist". Even with the allowlist passing, these cannot be executed mechanically — they require GitHub API auth context. Converted to `type: gh_api`, which the runner recognises and skips with a clear evidence string. The semantically equivalent audit is preserved in GH-32 (llm_reviews).
CybotTM
added a commit
that referenced
this pull request
May 4, 2026
…ert GH-5 demotion Addresses PR #69 review feedback: GH-2 (Copilot, Gemini): added missing license filenames the skill itself documents — COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause, LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL, LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0. GH-5 (Copilot): reverted demotion to info — CODEOWNERS must exist in the repository itself on the default branch (.github/, root, or docs/), and the org-wide .github mechanism explicitly does NOT cover it (that mechanism only provides templates and community-health files, never review-routing rules). Severity restored to warning; description corrected to remove the misleading org-wide claim. GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate config variants, and the .json5 form for Renovate. GH-13/14 (Gemini follow-on): brace-expanded targets to also accept .github/dependabot.yaml. GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}` to match either extension. GH-24..27 (Gemini): glob target now `.github/workflows/auto-merge*.{yml,yaml}`. Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27 already use a glob (auto-merge*.yml — now expanded to *.{yml,yaml}) that matches both filenames, so adding auto-merge.yml to GH-23 does not produce false failures downstream. GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on runner — these are gh_api types, the desc field is human-readable). .yamllint.yml: line-length bumped 160 → 360 to accommodate single-line brace-expansion targets that the runner cannot read as folded scalars (the runner's parser is bash regex, not a YAML library).
2 tasks
CybotTM
added a commit
that referenced
this pull request
May 31, 2026
A /retro session on 2026-05-31 (session 743f82e8) surfaced a standing user preference stated during TYPO3 extension work: 'DRY — we use re-usable workflows so all our projects gain from improvements', with the instruction to check the shared typo3-ci reusable-workflow repo before patching a project. Adds pitfall #6 to reusable-workflow-pitfalls.md: when a CI/quality gap surfaces in a consumer, fix it in the shared reusable-workflow repo so every consumer inherits it, rather than patching the single project. Distinct from the existing pitfalls (#1-#5 cover how to author/reference; this covers where a fix belongs) and from reusable-workflow-security.md (SHA pinning). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM
added a commit
that referenced
this pull request
May 31, 2026
…, not per-project (#82) ## Summary Adds pitfall **#6** to `references/reusable-workflow-pitfalls.md`: when a CI/quality gap surfaces in a consumer of a shared reusable workflow, fix it upstream in the shared workflow repo so every consumer inherits the fix — don't patch the single project's `.github/workflows/`. ## Came from `/retro` session on 2026-05-31 (session `743f82e8`). Finding: a standing user preference, stated verbatim during TYPO3 extension work — *"DRY — we use re-usable workflows so all our projects gain from improvements"* — together with the instruction to check the shared `typo3-ci` reusable-workflow repo before adding a per-project guard. Existing references cover *how* to reference/pin/secure reusable workflows but not *where* a fix belongs. ## Change New section #6 (principle, not a structural trap): per-project patches reintroduce the duplication the shared workflow removes, drift out of sync, and force rediscovery in the next repo. Check whether the shared repo owns the concern; if so, land the fix there and let consumers pick it up via `@main`/`@vX.Y.Z`. Explicitly contrasted with pitfalls #1–#5 and with `reusable-workflow-security.md`. ## Test plan - [ ] `markdownlint-cli2` clean (verified locally: 0 errors) - [ ] Renders correctly; cross-links to `reusable-workflow-security.md` resolve
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
SKILL.md
README.md
Skill Unification
This is part of a broader skill unification effort:
Test Plan