Add skill-check CI workflow and make rule #7
Add GitHub Actions workflow using thedaviddias/skill-check@v1 to validate skill files on push/PR to main. Add `make check` target for local validation. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
Fold the single-line Enums section into Code Style as a bullet point, bringing the body from 503 to 499 lines (max 500). Score: 95/100. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
3 issues found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="Makefile">
<violation number="1" location="Makefile:18">
P2: Pin the `skill-check` package version in the `npx` call to avoid supply-chain risks and ensure local runs match the CI version.</violation>
</file>
<file name=".github/workflows/skill-check.yml">
<violation number="1" location=".github/workflows/skill-check.yml:9">
P2: Add an explicit `permissions` block to restrict the `GITHUB_TOKEN` to the minimum required scope. This workflow only needs read access to repository contents.</violation>
<violation number="2" location=".github/workflows/skill-check.yml:15">
P1: Pin third-party action to a full commit SHA instead of a mutable version tag to mitigate supply chain attacks. If the `thedaviddias` account were compromised, the `v1` tag could be pointed at arbitrary code that runs in your CI with repo access. Look up the current SHA for the `v1` tag and pin to it, adding a version comment for readability.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
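The three points the review raises (a least-privilege `GITHUB_TOKEN`, actions pinned to a commit SHA, and an exact `npx` package version) can be checked mechanically before a workflow is merged. The script below is an added example, not code from this PR or from the skill-check project: it lints a workflow file for those three conditions and runs over two constructed samples, one modelled on the original hunks and one hardened. The SHA in the hardened sample is a placeholder, and the `check` subcommand is taken from the later commit message on this page.

```shell
#!/bin/sh
# Added example, not code from the PR or from the skill-check project: a small
# lint for the three review points (no top-level permissions block, action not
# pinned to a commit SHA, floating npx package version), run over two
# constructed workflow files. The SHA in the hardened sample is a placeholder
# and the `check` subcommand is taken from the later commit message.

# Print one finding per line for the workflow file given as $1.
lint_workflow() {
    f="$1"

    # 1. Without a top-level permissions block the job's GITHUB_TOKEN keeps the
    #    repository's default scopes; a lint only needs to read contents.
    if ! grep -q '^permissions:' "$f"; then
        echo "$f: no top-level 'permissions:' block (add 'permissions: contents: read')"
    fi

    # 2. A 'uses:' reference not followed by a 40-hex commit SHA is a mutable
    #    tag or branch that the action's owner can repoint at other code.
    grep -n 'uses:' "$f" | grep -vE '@[0-9a-f]{40}( |$)' \
        | sed "s|^\([0-9]*\):.*|$f:\1: action reference is not pinned to a commit SHA|"

    # 3. npx must name an exact x.y.z version: @latest, a major-only @1, or no
    #    spec at all resolves to whatever the registry serves at run time.
    grep -n 'npx ' "$f" | grep -vE 'npx( +--[a-z-]+)* +[^@ ]+@[0-9]+\.[0-9]+\.[0-9]+' \
        | sed "s|^\([0-9]*\):.*|$f:\1: npx package is not pinned to an exact version|"
}

# Number of findings for $1, as a plain integer.
lint_count() {
    lint_workflow "$1" | wc -l | tr -d ' '
}

SAMPLES=$(mktemp -d)

# Constructed sample modelled on the PR's original hunks: default token scopes,
# mutable action tags, and a floating package version.
WEAK="$SAMPLES/weak.yml"
cat > "$WEAK" <<'EOF'
name: skill-check
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  skill-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: thedaviddias/skill-check@v1
      - name: Run skill-check
        run: npx skill-check@latest --format github .
EOF

# Constructed hardened sample: read-only token, SHA-pinned action (placeholder
# SHA, replace with the commit behind the tag you audited), exact npx version,
# --yes so npx does not stop on an install prompt in a non-interactive shell.
HARDENED="$SAMPLES/hardened.yml"
cat > "$HARDENED" <<'EOF'
name: skill-check
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  skill-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - name: Run skill-check
        run: npx --yes skill-check@1.2.0 check --format github
EOF

lint_workflow "$WEAK"
echo "$WEAK: $(lint_count "$WEAK") finding(s)"          # 4
echo "$HARDENED: $(lint_count "$HARDENED") finding(s)"  # 0
```

The weak sample produces four findings (the missing `permissions:` block, two unpinned `uses:` references, and the `@latest` package spec); the hardened sample produces none. The same three greps can be dropped into a pre-commit hook or a separate CI job so a later commit cannot quietly reintroduce a floating version, which is exactly what happened in this PR between the `v1.2.0` pin and the `@latest` line.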
    echo "Bumped version: $$current -> $$new_version"

check:
    npx skill-check .
P2: Pin the skill-check package version in the npx call to avoid supply-chain risks and ensure local runs match the CI version.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At Makefile, line 18:
<comment>Pin the `skill-check` package version in the `npx` call to avoid supply-chain risks and ensure local runs match the CI version.</comment>
<file context>
@@ -13,3 +13,6 @@ bump:
echo "Bumped version: $$current -> $$new_version"
+
+check:
+ npx skill-check .
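Review bot: the new `check:` target has no `.PHONY` declaration, so a file or directory named `check` in the repository root would make `make check` report nothing to be done and silently skip the run; add `.PHONY: check` next to the target. The recipe `npx skill-check .` also resolves whichever version npm serves at run time, so local results can diverge from CI; pin the exact version the workflow uses, for example `npx --yes skill-check@1.2.0`, since a major-only spec such as `@1` still floats across minor and patch releases. The later commit on this page notes that the CLI needs the explicit `check` subcommand and rejects the `.` argument, so this recipe needs the same correction as the workflow step.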
</file context>
Suggested change:
- npx skill-check .
+ npx skill-check@1 .
  pull_request:
    branches: [main]

jobs:
P2: Add an explicit permissions block to restrict the GITHUB_TOKEN to the minimum required scope. This workflow only needs read access to repository contents.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/skill-check.yml, line 9:
<comment>Add an explicit `permissions` block to restrict the `GITHUB_TOKEN` to the minimum required scope. This workflow only needs read access to repository contents.</comment>
<file context>
@@ -0,0 +1,18 @@
+ pull_request:
+ branches: [main]
+
+jobs:
+ skill-check:
+ runs-on: ubuntu-latest
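Review bot: no `permissions:` key appears between the triggers and `+jobs:`, so the job's `GITHUB_TOKEN` inherits the repository's default token permissions instead of the read-only access a lint step needs. Add a top-level block above `jobs:`, `permissions:` followed by `  contents: read`, which still lets the checkout step read the repository and grants nothing else; workflow-level placement keeps the same floor for any job added to this file later.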
</file context>
skill-check was interpreting Go generics syntax [T](err) and [T cmp.Ordered](a, b T) as markdown links. Restructured the inline code to avoid the [text](url) pattern. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
The thedaviddias/skill-check repo has no v1 major version tag, only v1.0.0, v1.1.0, and v1.2.0. Pin to the latest release. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
The thedaviddias/skill-check action cannot be resolved in this CI environment. Replace with a direct npx invocation which is more portable and avoids the action resolution issue entirely. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/skill-check.yml">
<violation number="1" location=".github/workflows/skill-check.yml:20">
P1: Using `@latest` in CI is a supply chain risk and breaks reproducibility. Pin to a specific version to match the previously pinned `v1.2.0`.</violation>
</file>
.github/workflows/skill-check.yml (outdated diff)
          node-version: '20'

      - name: Run skill-check
        run: npx skill-check@latest --format github .
P1: Using @latest in CI is a supply chain risk and breaks reproducibility. Pin to a specific version to match the previously pinned v1.2.0.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/skill-check.yml, line 20:
<comment>Using `@latest` in CI is a supply chain risk and breaks reproducibility. Pin to a specific version to match the previously pinned `v1.2.0`.</comment>
<file context>
@@ -12,7 +12,9 @@ jobs:
+ node-version: '20'
+
+ - name: Run skill-check
+ run: npx skill-check@latest --format github .
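Review bot: `+ run: npx skill-check@latest --format github .` reintroduces a floating version after `v1.2.0` had already been pinned, so each CI run executes whatever the registry publishes next rather than the release that was reviewed; use `npx --yes skill-check@1.2.0`, with `--yes` so npx does not stop on an install prompt in the non-interactive runner shell. The trailing `.` argument and the missing `check` subcommand are also what the later commit on this page reports as a "too many arguments" error, so the run line needs the subcommand and no positional target.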
</file context>
Suggested change:
- run: npx skill-check@latest --format github .
+ run: npx --yes skill-check@1.2.0 --format github .
Replace thedaviddias/skill-check action and actions/setup-node with a simple npm install + run. The CI environment cannot resolve third-party action references. ubuntu-latest already has Node.js. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt
The CLI requires the explicit `check` subcommand, and the `.` target arg was causing a "too many arguments" error. Default target is cwd. https://claude.ai/code/session_017xNXidqKW984RBgDZjDVpt