GitHub Actions Deploy Risk Audit
Author: Daniel Lummis · v1.0.0
Total downloads: 276
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install github-actions-deploy-risk-audit
Description
Audit deployment workflow risk from GitHub Actions runs by scoring failure rate, unresolved failure streaks, and time since last successful deploy.
Usage (SKILL.md)
GitHub Actions Deploy Risk Audit
Use this skill to rank deployment workflows that are currently risky to trust for production releases.
What this skill does
- Reads GitHub Actions run JSON exports
- Filters to deployment/release workflows (configurable regex)
- Groups by repository + workflow + branch
- Scores risk using:
  - failure rate
  - unresolved trailing failure streak
  - days since last successful run
- Flags warning/critical groups based on configurable score thresholds
- Emits text or JSON output for CI dashboards and release gates
Inputs
Optional:
- RUN_GLOB (default: artifacts/github-actions/*.json)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- MIN_RUNS (default: 2)
- DEPLOY_WORKFLOW_MATCH (default: (?i)(deploy|release|ship|production))
- BRANCH_MATCH (regex, optional)
- BRANCH_EXCLUDE (regex, optional)
- REPO_MATCH (regex, optional)
- REPO_EXCLUDE (regex, optional)
- FAIL_WARN_PERCENT (default: 20)
- FAIL_CRITICAL_PERCENT (default: 40)
- STALE_SUCCESS_DAYS (default: 7)
- WARN_SCORE (default: 35)
- CRITICAL_SCORE (default: 60)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Collect run JSON
gh run view <run-id> --json databaseId,workflowName,event,conclusion,headBranch,headSha,createdAt,updatedAt,startedAt,url,repository \
> artifacts/github-actions/run-<run-id>.json
Run
Text report:
RUN_GLOB='artifacts/github-actions/*.json' \
DEPLOY_WORKFLOW_MATCH='(?i)(deploy|release)' \
MIN_RUNS=3 \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh
JSON output with fail gate:
RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh
Run with bundled fixtures:
RUN_GLOB='skills/github-actions-deploy-risk-audit/fixtures/*.json' \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh
Output contract
- Exit 0 in report mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more groups are critical
- Text mode prints summary + ranked deploy risk groups
- JSON mode prints summary + scored groups + critical group details
Security usage advice
This skill appears to do what it says: parse local GitHub Actions run JSON files and compute risk scores. Before installing or running it: (1) Confirm where RUN_GLOB points — avoid matching sensitive or unrelated files; (2) The SKILL.md examples use the GitHub CLI ('gh') to collect run JSON, but 'gh' is not declared as required — install/authorize 'gh' yourself if you plan to use those collection steps; (3) Output can include run URLs from the JSON payloads — be careful not to send output to untrusted external systems if those URLs are sensitive; (4) The script accepts user-provided regex patterns (for workflows, repos, branches) so ensure patterns are trusted and avoid pathological regexes if supplied programmatically; (5) I reviewed the majority of the script but the provided file contents were truncated in the manifest — if you need higher assurance, inspect the complete scripts/deploy-risk-audit.sh file before use.
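A pre-flight check for advice point (1), as an added example that is not part of the skill or its script: it resolves every RUN_GLOB match and accepts only files that sit under the intended artifacts directory and carry fields from the `gh run view --json` command above. The names `preflight`, `demo`, `allowed_root` and the `EXPECTED_KEYS` subset are assumptions made for this illustration, and the sample files are constructed.

```python
import glob
import json
import os
import tempfile

# Fields taken from the page's `gh run view --json ...` command (illustrative subset).
EXPECTED_KEYS = {"databaseId", "workflowName", "conclusion", "headBranch", "createdAt", "url"}

def preflight(run_glob, allowed_root):
    """Split RUN_GLOB matches into (accepted, rejected) before the audit reads them."""
    root = os.path.realpath(allowed_root)
    accepted, rejected = [], []
    for path in sorted(glob.glob(run_glob, recursive=True)):
        real = os.path.realpath(path)  # resolves symlinks and ".." segments
        if os.path.commonpath([root, real]) != root:
            rejected.append((path, "outside allowed root"))
            continue
        try:
            with open(real, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError) as exc:
            rejected.append((path, "unreadable JSON: " + type(exc).__name__))
            continue
        missing = EXPECTED_KEYS - set(doc) if isinstance(doc, dict) else EXPECTED_KEYS
        if missing:
            rejected.append((path, "missing keys: " + ",".join(sorted(missing))))
        else:
            accepted.append(path)
    return accepted, rejected

def demo():
    """Constructed sample tree: a valid run export, a stray JSON file, an unrelated secret."""
    run = {"databaseId": 1, "workflowName": "deploy", "conclusion": "failure",
           "headBranch": "main", "createdAt": "2024-01-01T00:00:00Z", "url": "https://github.example/r/1"}
    with tempfile.TemporaryDirectory() as tmp:
        art = os.path.join(tmp, "artifacts", "github-actions")
        files = {os.path.join(art, "run-1.json"): run,
                 os.path.join(art, "notes.json"): {"note": "not a run"},
                 os.path.join(tmp, "secrets", "creds.json"): {"token": "constructed"}}
        for name, body in files.items():
            os.makedirs(os.path.dirname(name), exist_ok=True)
            with open(name, "w", encoding="utf-8") as fh:
                json.dump(body, fh)
        # Deliberately over-broad glob: it also matches the file under secrets/.
        ok, bad = preflight(os.path.join(tmp, "**", "*.json"), art)
        return [os.path.basename(p) for p in ok], [(os.path.basename(p), why) for p, why in bad]

if __name__ == "__main__":
    print(demo())
```

Running the check before the audit and passing only the accepted paths on keeps an over-broad glob from pulling unrelated JSON into the report.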
Functional analysis
Type: OpenClaw Skill
Name: github-actions-deploy-risk-audit
Version: 1.0.0
The skill is a legitimate utility for auditing GitHub Actions deployment risks by analyzing workflow run JSON exports. It calculates risk scores based on failure rates, streaks, and staleness, providing reports in text or JSON format. The implementation in `deploy-risk-audit.sh` uses a Python script to process local files identified via a glob pattern, with no evidence of network exfiltration, unauthorized command execution, or malicious intent.
Capability assessment
Purpose & Capability
Name/description match the provided script: it ingests GitHub Actions run JSON exports, filters/groups them, and computes risk scores. Required binaries (bash, python3) are proportional to the task.
Instruction Scope
SKILL.md shows how to collect run JSON using the 'gh' CLI, but 'gh' is not listed as a required binary; the script itself only reads local JSON files. The instructions and script operate on local artifacts (RUN_GLOB) and emit text/JSON; they do not access other system credentials or external endpoints. Be aware outputs include sample run URLs from the JSON payloads (which might expose internal URLs if sent to external logs).
Install Mechanism
No install spec (instruction-only with an included script) — nothing is downloaded or extracted. The skill will run locally with bash and python3; that is low-risk from an install perspective.
Credentials
The skill requests no secrets, no config paths, and only uses optional environment variables for filtering and formatting. The set of environment inputs shown in SKILL.md is reasonable and optional; no unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills. It runs on-demand and does not appear to alter agent configuration or store credentials.
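How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install github-actions-deploy-risk-audit
- After installation, invoke the Skill by name or trigger it with /github-actions-deploy-risk-audit
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history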
v1.0.0
Initial release: deploy workflow risk scoring by failure rate, trailing failure streak, and stale-success age with text/json outputs and fail gate.
FAQ
What is GitHub Actions Deploy Risk Audit?
Audit deployment workflow risk from GitHub Actions runs by scoring failure rate, unresolved failure streaks, and time since last successful deploy. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 276 total downloads to date.
How do I install GitHub Actions Deploy Risk Audit?
Run the command "/install github-actions-deploy-risk-audit" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is GitHub Actions Deploy Risk Audit free?
Yes, GitHub Actions Deploy Risk Audit is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does GitHub Actions Deploy Risk Audit support?
GitHub Actions Deploy Risk Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed GitHub Actions Deploy Risk Audit?
It is developed and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.