
github-expert

GitHub platform features, Actions, workflows, CLI, repository management, and security

Status: active
IDE: codex
Version: 1.0.0
Owner: platform-devops
github
github-actions
ci-cd
workflows
automation
github-cli

GitHub Expert Skill

You are an expert in the GitHub platform with deep knowledge of GitHub Actions, workflows, CLI, repository management, security features, and CI/CD automation patterns.

Core Competencies

GitHub Platform Fundamentals

  • Repository Management: Organizations, teams, permissions, branch protection
  • GitHub Actions: Workflows, runners, actions marketplace, self-hosted runners
  • CI/CD: Automated testing, builds, deployments, release management
  • Security: Dependabot, code scanning, secret scanning, security advisories
  • Integrations: GitHub Apps, webhooks, OAuth apps, API integrations
  • Collaboration: Pull requests, code review, issues, projects, discussions

GitHub vs Git

Git: Distributed version control system (commands: git commit, git push, git pull)
GitHub: Cloud platform built on Git with collaboration features (PRs, Actions, Issues, etc.)

This skill focuses on GitHub platform features. For pure Git commands, see the git-expert skill.

GitHub CLI (gh)

Installation and Authentication

# Install gh CLI
brew install gh                    # macOS
sudo apt install gh                # Ubuntu/Debian
winget install GitHub.cli          # Windows

# Authenticate
gh auth login

# Check status
gh auth status

Common gh Commands

Repository Operations:

# Clone a repository
gh repo clone optum-tech-compute/ohemr-ansible-playbooks

# Create a new repository
gh repo create my-new-repo --public --description "My project"

# View repository info
gh repo view optum-tech-compute/ohemr-ansible-playbooks

# Fork a repository
gh repo fork optum-tech-compute/ohemr-ansible-playbooks --clone

# List repositories in organization
gh repo list optum-tech-compute --limit 100

Pull Request Operations:

# Create a pull request
gh pr create --title "feat: add new feature" \
             --body "Detailed description" \
             --base main \
             --head feature-branch

# List pull requests
gh pr list --repo optum-tech-compute/ohemr-ansible-playbooks

# View PR details
gh pr view 123

# Check out a PR locally
gh pr checkout 123

# Review a PR
gh pr review 123 --approve
gh pr review 123 --request-changes --body "Please fix X"
gh pr review 123 --comment --body "LGTM!"

# Merge a PR
gh pr merge 123 --squash --delete-branch

# Check PR status
gh pr status

Issue Operations:

# Create an issue
gh issue create --title "bug: fix login error" \
                --body "Detailed bug report" \
                --label bug,priority-high

# List issues
gh issue list --repo optum-tech-compute/ohemr-issue-tracker

# View issue details
gh issue view 456

# Close an issue
gh issue close 456 --comment "Fixed in PR #123"

# Search issues
gh issue list --search "is:open label:bug" --limit 50

Workflow Operations:

# List workflows
gh workflow list

# Run a workflow
gh workflow run ci.yml -f environment=production

# View workflow runs
gh run list --workflow=ci.yml --limit 10

# Watch a workflow run
gh run watch

# View run logs
gh run view 789 --log

# Cancel a run
gh run cancel 789

Release Operations:

# Create a release
gh release create v1.2.3 \
  --title "Version 1.2.3" \
  --notes "Release notes" \
  --target main

# Upload release assets
gh release upload v1.2.3 dist/*.tar.gz

# List releases
gh release list

# Download release assets
gh release download v1.2.3 --pattern "*.tar.gz"

GitHub Actions

Workflow Syntax

Basic workflow structure:

# .github/workflows/ci.yml
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  workflow_dispatch: # Manual trigger

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          pip install pytest

      - name: Run tests
        run: pytest --cov=src --cov-report=xml

      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

Common Workflow Patterns

Matrix builds:

jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        python-version: ['3.9', '3.10', '3.11']
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pytest

Conditional execution:

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - name: Deploy to production
        run: ./deploy.sh

Reusable workflows:

# .github/workflows/reusable-test.yml
name: Reusable Test Workflow

on:
  workflow_call:
    inputs:
      python-version:
        required: true
        type: string

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}
      - run: pytest

# .github/workflows/ci.yml (caller)
name: CI
on: [push]
jobs:
  test:
    uses: ./.github/workflows/reusable-test.yml
    with:
      python-version: '3.11'

Composite actions:

# .github/actions/setup-node-deps/action.yml
name: Setup Node and Install Dependencies
description: Sets up Node.js and installs npm dependencies
inputs:
  node-version:
    description: Node.js version
    required: false
    default: '20'
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
    - run: npm ci
      shell: bash

# Usage in workflow:
steps:
  - uses: ./.github/actions/setup-node-deps
    with:
      node-version: '18'

Secrets Management

GitHub Secrets:

# Access secrets in workflows
steps:
  - name: Deploy
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    run: ./deploy.sh

Setting secrets via gh CLI:

# Set a secret
gh secret set AWS_ACCESS_KEY_ID --body "AKIA..."

# Set from file
gh secret set SSH_KEY < ~/.ssh/id_rsa

# List secrets
gh secret list

# Delete a secret
gh secret delete AWS_ACCESS_KEY_ID

Environment secrets (production, staging, etc.):

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production # Uses production environment secrets
    steps:
      - name: Deploy
        env:
          API_KEY: ${{ secrets.API_KEY }} # From production environment
        run: ./deploy.sh

Self-Hosted Runners

Setting up a self-hosted runner:

# Download and configure runner
mkdir actions-runner && cd actions-runner
curl -o actions-runner-linux-x64-2.311.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.311.0/actions-runner-linux-x64-2.311.0.tar.gz
tar xzf ./actions-runner-linux-x64-2.311.0.tar.gz

# Configure
./config.sh --url https://github.com/optum-tech-compute --token <TOKEN>

# Run
./run.sh

# Install as service
sudo ./svc.sh install
sudo ./svc.sh start

Using self-hosted runner in workflow:

jobs:
  build:
    runs-on: self-hosted
    # Or use labels:
    # runs-on: [self-hosted, linux, x64, epic-runner]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh

Repository Management

Branch Protection Rules

Via GitHub UI:

  1. Settings → Branches → Add rule
  2. Branch name pattern: main
  3. Enable:
    • Require pull request reviews (1-2 approvers)
    • Require status checks to pass (CI workflows)
    • Require branches to be up to date
    • Require signed commits
    • Do not allow bypassing (enforce for admins)

Via gh CLI (calls the REST API):

# Enable branch protection. The endpoint requires all four top-level keys
# (restrictions may be null). -F sends typed values (true, 1, null); -f sends strings.
gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  /repos/optum-tech-compute/ohemr-ansible-playbooks/branches/main/protection \
  -F 'required_status_checks[strict]=true' \
  -f 'required_status_checks[contexts][]=ci' \
  -F 'required_pull_request_reviews[required_approving_review_count]=1' \
  -F enforce_admins=true \
  -F restrictions=null

CODEOWNERS

Define code ownership:

# .github/CODEOWNERS
# Default owners for entire repo
* @epic-platform-sre

# Ansible playbooks
playbooks/ @epic-ansible-team
roles/ @epic-ansible-team

# Terraform
*.tf @epic-terraform-team
terraform/ @epic-terraform-team

# Documentation
docs/ @epic-docs-team
*.md @epic-docs-team

# CI/CD
.github/workflows/ @epic-devops-team

Pull Request Templates

Create PR template:

<!-- .github/pull_request_template.md -->

## Description

Brief description of changes

## Type of Change

- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Checklist

- [ ] Tests pass locally
- [ ] Added/updated tests for changes
- [ ] Updated documentation
- [ ] Followed code style guidelines
- [ ] No merge conflicts

## Related Issues

Closes #123

Issue Templates

Bug report template:

# .github/ISSUE_TEMPLATE/bug_report.yml
name: Bug Report
description: Report a bug
title: '[Bug]: '
labels: ['bug', 'triage']
body:
  - type: markdown
    attributes:
      value: |
        Please provide detailed information about the bug.

  - type: input
    id: version
    attributes:
      label: Version
      description: What version are you using?
      placeholder: 'v1.2.3'
    validations:
      required: true

  - type: textarea
    id: description
    attributes:
      label: Bug Description
      description: What happened?
      placeholder: 'Describe the bug'
    validations:
      required: true

  - type: textarea
    id: reproduce
    attributes:
      label: Steps to Reproduce
      description: How can we reproduce this?
      placeholder: |
        1. Go to '...'
        2. Click on '...'
        3. See error
    validations:
      required: true

Security Features

Dependabot

Enable Dependabot version updates:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 10
    reviewers:
      - 'epic-devops-team'
    labels:
      - 'dependencies'

  - package-ecosystem: 'pip'
    directory: '/'
    schedule:
      interval: 'weekly'

  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'

Code Scanning (CodeQL)

Enable code scanning:

# .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 1' # Weekly on Monday

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    strategy:
      matrix:
        language: [python, javascript]

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

Secret Scanning

Enable secret scanning:

  • Requires GitHub Advanced Security on private and internal repositories
  • Automatically enabled for public repositories
  • Detects: AWS keys, Azure tokens, GitHub tokens, etc.
  • Custom patterns via Security → Code security and analysis

Advanced Workflows

Semantic Release Automation

Automatic versioning and changelog:

# .github/workflows/release.yml
name: Release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - run: npm ci

      - name: Semantic Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npx semantic-release

Configuration (a JavaScript config must be named .releaserc.js or release.config.js; a bare .releaserc is read as JSON or YAML):

// .releaserc.js
// @semantic-release/changelog and @semantic-release/git are not bundled; add them as devDependencies
module.exports = {
  branches: ['main'],
  plugins: [
    '@semantic-release/commit-analyzer',
    '@semantic-release/release-notes-generator',
    '@semantic-release/changelog',
    '@semantic-release/npm',
    '@semantic-release/github',
    '@semantic-release/git',
  ],
};

Multi-Environment Deployment

Deploy to staging then production:

name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Staging
        env:
          STAGING_API_KEY: ${{ secrets.API_KEY }}
        run: ./deploy.sh staging

  deploy-production:
    runs-on: ubuntu-latest
    needs: deploy-staging
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Production
        env:
          PROD_API_KEY: ${{ secrets.API_KEY }}
        run: ./deploy.sh production

Best Practices

Workflow Design

  1. Keep workflows focused: One workflow per concern (CI, deploy, release)
  2. Use caching: Cache dependencies for faster builds
  3. Fail fast: Run quick checks (linting) before slow ones (integration tests)
  4. Concurrency control: Prevent multiple deployments to same environment
  5. Timeout limits: Set reasonable timeouts to prevent stuck jobs

Caching example:

- uses: actions/setup-python@v5
  with:
    python-version: '3.11'
    cache: 'pip'

- uses: actions/setup-node@v4
  with:
    node-version: '20'
    cache: 'npm'

Concurrency control:

concurrency:
  group: deploy-production
  cancel-in-progress: false # Don't cancel running deployments

Security Best Practices

  1. Least privilege: Grant minimal permissions to workflows (a top-level permissions: block scoped to what each job needs)
  2. Pin action versions: Use the full 40-character commit SHA, not a mutable tag (e.g., actions/checkout@<full-sha> # v4)
  3. Review third-party actions: Audit before using marketplace actions
  4. Protect secrets: Use environment secrets for production, rotate regularly
  5. Enable secret scanning: Turn on push protection so pushes containing detected credentials are rejected
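A quick way to check the first two points before review: the following audit script is an added example, not part of the github-expert skill, and scans a workflow file with regexes for unpinned actions, a missing top-level permissions block and a missing job timeout. The two sample workflows are constructed, and the 40-hex SHA in the hardened one is a placeholder, not a real release commit.

```shell
# Added example (not part of the github-expert skill): regex-based audit of a workflow
# file for actions not pinned to a full commit SHA, a missing top-level permissions
# block and a missing job timeout. A pre-review check, not a YAML parser.
set -eu

# Print `uses:` refs not pinned to a 40-hex SHA; ./path and docker:// refs are skipped.
unpinned_actions() {
  grep -Eo 'uses:[[:space:]]*[^[:space:]#]+' "$1" \
    | sed 's/uses:[[:space:]]*//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# One finding per line. Without a top-level permissions block the job runs with
# the repository's default GITHUB_TOKEN scope, which can be read-write.
audit_workflow() {
  unpinned_actions "$1" | sed 's/^/UNPINNED: /'
  grep -Eq '^permissions:' "$1" || echo "NO-PERMISSIONS: $1"
  grep -Eq '^[[:space:]]*timeout-minutes:' "$1" || echo "NO-TIMEOUT: $1"
}

# Finding count, usable as a CI gate (0 means clean).
count_findings() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

# Constructed sample workflows (not from any real repository); the 40-hex SHA is
# a placeholder that exercises the pin check, not a real release commit.
WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat > "$WEAK" <<'EOF'
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-node-deps
      - uses: some-org/some-action@main
EOF
cat > "$FIXED" <<'EOF'
name: CI
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4, placeholder SHA
EOF
audit_workflow "$WEAK"    # two UNPINNED lines, then NO-PERMISSIONS and NO-TIMEOUT
audit_workflow "$FIXED"   # prints nothing
```

Run it over `.github/workflows/*.yml` and fail the job when `count_findings` is non-zero.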

Repository Organization

  1. Monorepo vs multi-repo: Monorepo for tightly coupled code, multi-repo for independent services
  2. Branch strategy: trunk-based (main only) or feature branches with short-lived PRs
  3. Labels: Consistent labeling (bug, feature, documentation, priority-high)
  4. Projects: Use GitHub Projects for sprint planning and tracking
  5. Discussions: Enable discussions for Q&A, RFCs, community engagement

Epic Infrastructure Patterns

AWX CaC Workflow

Trigger AWX playbook execution from PR merge:

# .github/workflows/awx-cac.yml
name: AWX CaC Deployment

on:
  pull_request:
    types: [closed]
    branches: [main]

jobs:
  deploy:
    if: github.event.pull_request.merged == true
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the merge commit together with its parent so HEAD~1 exists;
          # the default fetch-depth of 1 leaves nothing to diff against.
          ref: ${{ github.event.pull_request.merge_commit_sha }}
          fetch-depth: 2

      - name: Determine playbook from changed files
        id: playbook
        run: |
          # HEAD~1 is the base branch before the merge (merge and squash merges);
          # for rebase merges compare against github.event.pull_request.base.sha instead
          if git diff --name-only HEAD~1 | grep -q "awx_job_templates.yml"; then
            echo "playbook=pb_create_awx_job_template.yml" >> "$GITHUB_OUTPUT"
          fi

      - name: Run AWX CaC playbook
        if: steps.playbook.outputs.playbook != ''
        env:
          AWX_HOST: ${{ secrets.AWX_HOST }}
          AWX_TOKEN: ${{ secrets.AWX_TOKEN }}
        run: |
          ansible-playbook ${{ steps.playbook.outputs.playbook }} \
            -i "localhost," \
            -e @awx_connection.yml
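The "determine playbook" step above handles one file. As an added example (not the skill's own code), the script below generalises it to a table of file-to-playbook rules so a merged PR touching several CaC files triggers each relevant playbook once; the rule table and every playbook name other than pb_create_awx_job_template.yml are assumed, and the changed-file lists are constructed stand-ins for `git diff --name-only` output.

```shell
# Added example (not part of the github-expert skill): table-driven selection of
# AWX CaC playbooks from the list of changed files in a merged PR.
set -eu

# One rule per line: "<regex matched against changed paths> <playbook>".
# Assumed mapping; only the first playbook appears in the skill text.
RULES='awx_job_templates\.yml$ pb_create_awx_job_template.yml
awx_projects\.yml$ pb_create_awx_project.yml
awx_inventories\.yml$ pb_create_awx_inventory.yml'

# select_playbooks: reads changed paths (one per line) on stdin and prints the
# matching playbooks in rule order. Unrelated changes print nothing, which the
# workflow's `if:` on the step output uses to skip the run.
select_playbooks() {
  changed=$(cat)
  printf '%s\n' "$RULES" | while read -r pattern playbook; do
    if printf '%s\n' "$changed" | grep -Eq "$pattern"; then
      echo "$playbook"
    fi
  done
}

# Single-line form for $GITHUB_OUTPUT, e.g. playbooks=pb_a.yml,pb_b.yml
# (playbooks= when nothing matched).
playbook_output() {
  printf 'playbooks=%s\n' "$(select_playbooks | paste -sd, -)"
}

# Constructed changed-file lists standing in for `git diff --name-only HEAD~1`.
CAC_CHANGES='group_vars/all.yml
awx/awx_job_templates.yml
awx/awx_inventories.yml'
DOC_CHANGES='README.md
docs/runbook.md'

printf '%s\n' "$CAC_CHANGES" | playbook_output   # playbooks=pb_create_awx_job_template.yml,pb_create_awx_inventory.yml
printf '%s\n' "$DOC_CHANGES" | playbook_output   # playbooks=
```

In the workflow, pipe `git diff --name-only HEAD~1` into `playbook_output >> "$GITHUB_OUTPUT"` and loop over the comma-separated value in the run step.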

Terraform Automation

Plan and apply Terraform:

name: Terraform

on:
  pull_request:
    paths: ['terraform/**']
  push:
    branches: [main]
    paths: ['terraform/**']

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.0

      - name: Terraform Init
        working-directory: terraform
        run: terraform init

      - name: Terraform Plan
        if: github.event_name == 'pull_request'
        working-directory: terraform
        run: terraform plan -no-color
      # Apply is executed in Terraform Enterprise via VCS-backed workspace.

When to Apply This Skill

Use github-expert skill when working with:

  • ✅ GitHub Actions workflows and CI/CD automation
  • ✅ GitHub CLI operations (gh commands)
  • ✅ Pull request and code review workflows
  • ✅ Repository management (branch protection, CODEOWNERS, templates)
  • ✅ GitHub security features (Dependabot, code scanning, secret scanning)
  • ✅ Self-hosted GitHub Actions runners
  • ✅ Semantic release automation
  • ✅ Multi-environment deployments via GitHub Actions
  • ✅ Organization-level GitHub administration
  • ✅ GitHub API integration
