Claude Code Plugins

Community-maintained marketplace

Feedback

complete-workflow-examples

@adaptive-enforcement-lab/claude-skills
0
0

>-

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name complete-workflow-examples
description Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.

Complete Workflow Examples

When to Use This Skill

Ready-to-Deploy Templates

These examples integrate multiple security controls into production-ready workflows. Each template includes inline security comments, permission scoping, and cross-references to detailed pattern documentation.

Copy-paste ready workflows demonstrating all security patterns from this hub.

Each example integrates multiple security controls from across the hub: action pinning, minimal permissions, secret management, safe triggers, and more. All examples are complete and production-ready.

Implementation

Ready-to-Deploy Templates

These examples integrate multiple security controls into production-ready workflows. Each template includes inline security comments, permission scoping, and cross-references to detailed pattern documentation.

Copy-paste ready workflows demonstrating all security patterns from this hub.

Each example integrates multiple security controls from across the hub: action pinning, minimal permissions, secret management, safe triggers, and more. All examples are complete and production-ready.

Available Examples

Secure CI Workflow

Hardened continuous integration with comprehensive security controls.

Key Patterns:

  • Fork PR security with two-stage workflows
  • Language-specific testing (Node.js, Python, Go)
  • Secret scanning prevention
  • Minimal GITHUB_TOKEN permissions
  • SHA-pinned actions with version comments

Use Cases: Test automation, PR validation, pre-merge quality gates

Release Workflow

Signed releases with SLSA provenance and artifact attestations.

Key Patterns:

  • Keyless signing with OIDC
  • SLSA L2/L3 provenance generation
  • Artifact attestations for GitHub releases, containers, and NPM packages
  • Environment protection for release branches
  • Minimal permissions with id-token: write and attestations: write

Use Cases: GitHub releases, container publishing, NPM publishing, signed artifacts

Deployment Workflow

OIDC-based cloud deployment with environment protection and automated rollback.

Key Patterns:

  • OIDC federation to GCP (no stored secrets)
  • Environment protection with approval gates and wait timers
  • Canary rollout with traffic migration (10% → 100%)
  • Container scanning and signing
  • Automated rollback on deployment failure

Use Cases: Cloud Run deployment, Kubernetes/Helm deployment, multi-environment pipelines, canary releases

Security Scanning

Comprehensive SAST, dependency scanning, container scanning, and SARIF upload.

Key Patterns:

  • CodeQL SAST with security-extended queries
  • Dependency review with severity-based failure
  • Container scanning (Trivy, SBOM generation with Syft/Grype)
  • Language-specific scanning (Bandit, gosec, ESLint)
  • SARIF aggregation and upload to Security tab
  • Scheduled vulnerability scanning with issue creation

Use Cases: Security validation, compliance scanning, vulnerability detection, scheduled audits

Common Security Controls

All examples use:

  • SHA-pinned actions with version comments for supply chain security
  • Minimal GITHUB_TOKEN permissions scoped to job requirements
  • Environment protection where appropriate (deployments, releases)
  • OIDC federation for cloud access (no stored secrets)
  • Input validation and safe trigger patterns
  • Inline # SECURITY: comments explaining security decisions

Using These Examples

Each example includes:

  • Complete workflow YAML ready to copy
  • Inline # SECURITY: comments explaining security decisions
  • Language-specific variants where applicable
  • Security checklist for validation
  • Common mistakes and how to avoid them
  • Cross-references to relevant security patterns

Integration Points

These examples reference patterns from:

Quick Start

  1. Choose the example that matches your use case
  2. Copy the workflow YAML to .github/workflows/
  3. Customize the language/framework-specific steps
  4. Review the security checklist
  5. Test with act or a draft PR
  6. Deploy to production

For additional guidance, see the Quick Reference Cheat Sheet.

Available Examples

Secure CI Workflow

Hardened continuous integration with comprehensive security controls.

Key Patterns:

  • Fork PR security with two-stage workflows
  • Language-specific testing (Node.js, Python, Go)
  • Secret scanning prevention
  • Minimal GITHUB_TOKEN permissions
  • SHA-pinned actions with version comments

Use Cases: Test automation, PR validation, pre-merge quality gates

Release Workflow

Signed releases with SLSA provenance and artifact attestations.

Key Patterns:

  • Keyless signing with OIDC
  • SLSA L2/L3 provenance generation
  • Artifact attestations for GitHub releases, containers, and NPM packages
  • Environment protection for release branches
  • Minimal permissions with id-token: write and attestations: write

Use Cases: GitHub releases, container publishing, NPM publishing, signed artifacts

Deployment Workflow

OIDC-based cloud deployment with environment protection and automated rollback.

Key Patterns:

  • OIDC federation to GCP (no stored secrets)
  • Environment protection with approval gates and wait timers
  • Canary rollout with traffic migration (10% → 100%)
  • Container scanning and signing
  • Automated rollback on deployment failure

Use Cases: Cloud Run deployment, Kubernetes/Helm deployment, multi-environment pipelines, canary releases

Security Scanning

Comprehensive SAST, dependency scanning, container scanning, and SARIF upload.

Key Patterns:

  • CodeQL SAST with security-extended queries
  • Dependency review with severity-based failure
  • Container scanning (Trivy, SBOM generation with Syft/Grype)
  • Language-specific scanning (Bandit, gosec, ESLint)
  • SARIF aggregation and upload to Security tab
  • Scheduled vulnerability scanning with issue creation

Use Cases: Security validation, compliance scanning, vulnerability detection, scheduled audits

Common Security Controls

All examples use:

  • SHA-pinned actions with version comments for supply chain security
  • Minimal GITHUB_TOKEN permissions scoped to job requirements
  • Environment protection where appropriate (deployments, releases)
  • OIDC federation for cloud access (no stored secrets)
  • Input validation and safe trigger patterns
  • Inline # SECURITY: comments explaining security decisions

Using These Examples

Each example includes:

  • Complete workflow YAML ready to copy
  • Inline # SECURITY: comments explaining security decisions
  • Language-specific variants where applicable
  • Security checklist for validation
  • Common mistakes and how to avoid them
  • Cross-references to relevant security patterns

Integration Points

These examples reference patterns from:

Quick Start

  1. Choose the example that matches your use case
  2. Copy the workflow YAML to .github/workflows/
  3. Customize the language/framework-specific steps
  4. Review the security checklist
  5. Test with act or a draft PR
  6. Deploy to production

For additional guidance, see the Quick Reference Cheat Sheet.

References