GitHub Actions Conclusion Volatility Audit
Author: Daniel Lummis · v1.0.0
Total downloads: 333
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install github-actions-conclusion-volatility-audit
Description
Audit GitHub Actions workflow conclusion volatility to surface unstable pipelines before they become chronic failures.
Usage instructions (SKILL.md)
GitHub Actions Conclusion Volatility Audit
Use this skill to detect unstable workflows that frequently flip between success and failure-like outcomes.
What this skill does
- Reads one or more workflow run JSON exports
- Groups runs by repository + workflow + branch
- Calculates volatility using conclusion transitions across run history
- Flags groups by warn/critical instability thresholds
- Emits text or JSON output for CI reporting and quality gates
Inputs
Optional:
- RUN_GLOB (default: artifacts/github-actions/*.json)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- MIN_RUNS (default: 5) — minimum runs before severity is applied
- WARN_INSTABILITY_PCT (default: 35)
- CRITICAL_INSTABILITY_PCT (default: 60)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
- WORKFLOW_MATCH, WORKFLOW_EXCLUDE (regex, optional)
- BRANCH_MATCH, BRANCH_EXCLUDE (regex, optional)
- REPO_MATCH, REPO_EXCLUDE (regex, optional)
Failure-like conclusions are: failure, cancelled, timed_out, action_required, startup_failure.
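The grouping and scoring described above, as an added example that is not the skill's own script. It assumes "volatility" means the percentage of adjacent run pairs whose success/failure-like state differs, that thresholds are inclusive, and that `repository` is a plain string; `state_of`, `audit` and `sample_runs` are hypothetical names.

```python
from collections import defaultdict

# Failure-like conclusions, as listed in the skill's documentation.
FAILURE_LIKE = {"failure", "cancelled", "timed_out", "action_required", "startup_failure"}

def state_of(conclusion):
    """Collapse a conclusion to 'ok'/'fail'; other values are skipped (assumption)."""
    if conclusion == "success":
        return "ok"
    return "fail" if conclusion in FAILURE_LIKE else None

def audit(runs, min_runs=5, warn_pct=35, critical_pct=60):
    """Group by repo + workflow + branch and score flips between adjacent runs."""
    groups = defaultdict(list)
    for run in runs:
        state = state_of(run.get("conclusion"))
        if state is not None:
            key = (run["repository"], run["workflowName"], run["headBranch"])
            groups[key].append((run["createdAt"], state))
    report = {}
    for key, history in groups.items():
        history.sort()  # same-format ISO-8601 UTC timestamps sort chronologically
        states = [s for _, s in history]
        flips = sum(a != b for a, b in zip(states, states[1:]))
        pct = 100.0 * flips / (len(states) - 1) if len(states) > 1 else 0.0
        severity = None  # below min_runs no severity is applied
        if len(states) >= min_runs:
            severity = ("critical" if pct >= critical_pct
                        else "warn" if pct >= warn_pct else "ok")
        report[key] = {"runs": len(states), "flips": flips,
                       "instability_pct": round(pct, 1), "severity": severity}
    return report

def sample_runs():
    """Constructed run records (not real exports); repository as a plain string."""
    histories = {
        ("acme/api", "ci", "main"): "success failure success failure success cancelled",
        ("acme/api", "deploy", "main"): "failure failure failure failure timed_out failure",
        ("acme/web", "lint", "dev"): "success failure success",
    }
    runs = []
    for (repo, workflow, branch), conclusions in histories.items():
        for i, conclusion in enumerate(conclusions.split()):
            runs.append({"repository": repo, "workflowName": workflow, "headBranch": branch,
                         "conclusion": conclusion, "createdAt": f"2024-01-0{i + 1}T00:00:00Z"})
    return runs

if __name__ == "__main__":
    for key, row in audit(sample_runs()).items():
        print(key, row)
```

Under this reading a workflow that fails on every run scores 0% instability, so a transition-based gate complements a plain failure-rate check rather than replacing it.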
Collect run JSON
gh run view <run-id> --json databaseId,workflowName,headBranch,conclusion,createdAt,updatedAt,url,repository \
> artifacts/github-actions/run-<run-id>.json
Run
Text report:
RUN_GLOB='artifacts/github-actions/*.json' \
WARN_INSTABILITY_PCT=35 \
CRITICAL_INSTABILITY_PCT=60 \
bash skills/github-actions-conclusion-volatility-audit/scripts/conclusion-volatility-audit.sh
JSON output + fail gate:
RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-conclusion-volatility-audit/scripts/conclusion-volatility-audit.sh
Output contract
- Exit 0 in reporting mode
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more critical groups are found
- Text output includes summary and top unstable workflow groups
- JSON output includes summary, ranked groups, and critical_groups
Safe usage advice
This skill appears to do what it says: analyze GitHub Actions run JSON files and report unstable workflows. Before installing or running it: (1) Ensure bash and python3 are available. (2) Prepare artifacts by exporting workflow runs (the SKILL.md suggests using 'gh run view', which will contact GitHub and use the host's gh authentication), and ensure you are comfortable with that network access and the credentials the gh CLI will use. (3) Run the script in a controlled workspace where the JSON artifacts come from trusted repositories (these files include repo names and run URLs). (4) No extra secrets or external endpoints are required by the skill itself, but if you adapt it to automatically fetch runs you should be aware it will contact GitHub via the gh CLI. If you need confirmation of behavior, inspect the included script (scripts/conclusion-volatility-audit.sh); it is fully self-contained and readable.
Functional analysis
Type: OpenClaw Skill
Name: github-actions-conclusion-volatility-audit
Version: 1.0.0
The skill audits GitHub Actions workflow stability by analyzing JSON run logs, but it is classified as suspicious due to broad file system access capabilities. Specifically, the `RUN_GLOB` environment variable in `scripts/conclusion-volatility-audit.sh` is passed directly to Python's `glob.glob()` and `open()` functions without path validation or sanitization, which constitutes a potential arbitrary file read vulnerability. While this capability is plausibly needed for the stated purpose and no evidence of intentional malice or data exfiltration was found, the lack of input restriction on the file paths is a significant security flaw.
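One way to confine a RUN_GLOB-style pattern to a workspace before any file is opened, as an added example that is not the skill's own code. `resolve_run_files`, `demo` and the `MAX_BYTES` cap are hypothetical, and the workspace it builds is constructed for the demonstration.

```python
import glob
import os
import tempfile

MAX_BYTES = 5 * 1024 * 1024  # assumed per-file size cap, not a value from the skill

def resolve_run_files(pattern, base_dir):
    """Expand a RUN_GLOB-style pattern, keeping only JSON files inside base_dir."""
    parts = pattern.replace("\\", "/").split("/")
    if os.path.isabs(pattern) or ".." in parts:
        raise ValueError(f"pattern leaves the workspace: {pattern!r}")
    base = os.path.realpath(base_dir)
    accepted = []
    for match in glob.glob(os.path.join(glob.escape(base), pattern)):
        real = os.path.realpath(match)  # resolve symlinks before the containment check
        if os.path.commonpath([base, real]) != base:
            continue  # link resolves outside the workspace
        if not real.endswith(".json") or not os.path.isfile(real):
            continue
        if os.path.getsize(real) <= MAX_BYTES:
            accepted.append(real)
    return sorted(accepted)

def demo():
    """Constructed workspace: one run export plus a symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        work = os.path.join(tmp, "workspace")
        runs_dir = os.path.join(work, "artifacts", "github-actions")
        os.makedirs(runs_dir)
        with open(os.path.join(runs_dir, "run-1.json"), "w") as fh:
            fh.write('{"conclusion": "success"}')
        outside = os.path.join(tmp, "outside.json")
        with open(outside, "w") as fh:
            fh.write('{"note": "not a run export"}')
        os.symlink(outside, os.path.join(runs_dir, "run-2.json"))
        kept = resolve_run_files("artifacts/github-actions/*.json", work)
        rejected = []
        for bad in (os.path.join(tmp, "*.json"), "../*.json"):
            try:
                resolve_run_files(bad, work)
            except ValueError:
                rejected.append(bad)
        return [os.path.basename(p) for p in kept], len(rejected)

if __name__ == "__main__":
    print(demo())
```

A caller should open the resolved paths this function returns rather than the raw glob matches, so the file that was checked is the file that is read.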
Capability assessment
Purpose & Capability
The name/description match the implementation: the script reads GitHub Actions run JSON files, groups runs, computes transition-based volatility, and emits text/JSON reports. Required binaries (bash, python3) are appropriate for the provided shell + embedded Python implementation.
Instruction Scope
SKILL.md and the script consistently instruct the agent to collect run JSON (example uses 'gh run view'), run the audit script against artifacts/* JSON files, and emit results or fail CI on critical groups. The instructions operate only on local JSON artifacts and do not instruct broad file-system reads or transmitting data to unknown endpoints.
Install Mechanism
This is an instruction-only skill with one included script file; there is no install spec, no archives or third-party downloads, and nothing is written to disk beyond the normal execution of the script and the user-supplied artifacts. Risk from the install mechanism is minimal.
Credentials
The skill declares no required environment variables and the script accepts many optional environment switches (RUN_GLOB, thresholds, filters). One thing to note: SKILL.md shows collecting run JSON via the 'gh' CLI, which uses the user's GitHub authentication (stored credentials or token). The skill itself does not request any secrets, which is proportionate, but collectors (gh) will use whatever GitHub auth is configured on the host.
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. It does not modify other skills or system-wide config. Autonomous invocation is allowed (platform default) but not combined with elevated privileges or secret access.
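How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install github-actions-conclusion-volatility-audit
- After installation, call the Skill by name or use /github-actions-conclusion-volatility-audit to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history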
v1.0.0
Initial release of GitHub Actions Conclusion Volatility Audit.
- Audits workflow run histories to identify unstable pipelines based on conclusion changes.
- Groups runs by repository, workflow, and branch for fine-grained analysis.
- Calculates and flags volatility by configurable warning and critical thresholds.
- Supports text and JSON output for CI reporting and quality gates.
- Flexible filtering with regex for workflows, branches, and repositories.
- Optionally exits with failure when critical instability is detected.
FAQ
What is GitHub Actions Conclusion Volatility Audit?
Audit GitHub Actions workflow conclusion volatility to surface unstable pipelines before they become chronic failures. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 333 downloads to date.
How do I install GitHub Actions Conclusion Volatility Audit?
Run the command "/install github-actions-conclusion-volatility-audit" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is GitHub Actions Conclusion Volatility Audit free?
Yes, GitHub Actions Conclusion Volatility Audit is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does GitHub Actions Conclusion Volatility Audit support?
GitHub Actions Conclusion Volatility Audit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed GitHub Actions Conclusion Volatility Audit?
Developed and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.