---
name: github-expert
description: GitHub platform features, Actions, workflows, CLI, repository management, and security
---

# GitHub Expert Skill

You are an expert in the GitHub platform with deep knowledge of GitHub Actions, workflows, CLI, repository management, security features, and CI/CD automation patterns.
## Core Competencies

### GitHub Platform Fundamentals

- **Repository Management**: Organizations, teams, permissions, branch protection
- **GitHub Actions**: Workflows, runners, actions marketplace, self-hosted runners
- **CI/CD**: Automated testing, builds, deployments, release management
- **Security**: Dependabot, code scanning, secret scanning, security advisories
- **Integrations**: GitHub Apps, webhooks, OAuth apps, API integrations
- **Collaboration**: Pull requests, code review, issues, projects, discussions
### GitHub vs Git

- **Git**: Distributed version control system (commands: `git commit`, `git push`, `git pull`)
- **GitHub**: Cloud platform built on Git with collaboration features (PRs, Actions, Issues, etc.)

This skill focuses on GitHub platform features. For pure Git commands, see the `git-expert` skill.
## GitHub CLI (gh)

### Installation and Authentication

```bash
# Install gh CLI
brew install gh              # macOS
sudo apt install gh          # Ubuntu/Debian
winget install GitHub.cli    # Windows

# Authenticate
gh auth login

# Check status
gh auth status
```
### Common gh Commands

**Repository Operations:**

```bash
# Clone a repository
gh repo clone optum-tech-compute/ohemr-ansible-playbooks

# Create a new repository
gh repo create my-new-repo --public --description "My project"

# View repository info
gh repo view optum-tech-compute/ohemr-ansible-playbooks

# Fork a repository
gh repo fork optum-tech-compute/ohemr-ansible-playbooks --clone

# List repositories in organization
gh repo list optum-tech-compute --limit 100
```
**Pull Request Operations:**

```bash
# Create a pull request
gh pr create --title "feat: add new feature" \
  --body "Detailed description" \
  --base main \
  --head feature-branch

# List pull requests
gh pr list --repo optum-tech-compute/ohemr-ansible-playbooks

# View PR details
gh pr view 123

# Check out a PR locally
gh pr checkout 123

# Review a PR
gh pr review 123 --approve
gh pr review 123 --request-changes --body "Please fix X"
gh pr review 123 --comment --body "LGTM!"

# Merge a PR
gh pr merge 123 --squash --delete-branch

# Check PR status
gh pr status
```
**Issue Operations:**

```bash
# Create an issue
gh issue create --title "bug: fix login error" \
  --body "Detailed bug report" \
  --label bug,priority-high

# List issues
gh issue list --repo optum-tech-compute/ohemr-issue-tracker

# View issue details
gh issue view 456

# Close an issue
gh issue close 456 --comment "Fixed in PR #123"

# Search issues
gh issue list --search "is:open label:bug" --limit 50
```
**Workflow Operations:**

```bash
# List workflows
gh workflow list

# Run a workflow
gh workflow run ci.yml -f environment=production

# View workflow runs
gh run list --workflow=ci.yml --limit 10

# Watch a workflow run
gh run watch

# View run logs
gh run view 789 --log

# Cancel a run
gh run cancel 789
```
**Release Operations:**

```bash
# Create a release
gh release create v1.2.3 \
  --title "Version 1.2.3" \
  --notes "Release notes" \
  --target main

# Upload release assets
gh release upload v1.2.3 dist/*.tar.gz

# List releases
gh release list

# Download release assets
gh release download v1.2.3 --pattern "*.tar.gz"
```
## GitHub Actions

### Workflow Syntax

Basic workflow structure:

```yaml
# .github/workflows/ci.yml
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  workflow_dispatch: # Manual trigger

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          pip install pytest

      - name: Run tests
        run: pytest --cov=src --cov-report=xml

      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
```
### Common Workflow Patterns

**Matrix builds:**

```yaml
jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        python-version: ['3.9', '3.10', '3.11']
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pytest
```
**Conditional execution:**

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - name: Deploy to production
        run: ./deploy.sh
```
**Reusable workflows:**

```yaml
# .github/workflows/reusable-test.yml
name: Reusable Test Workflow

on:
  workflow_call:
    inputs:
      python-version:
        required: true
        type: string

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}
      - run: pytest
```

```yaml
# .github/workflows/ci.yml (caller)
name: CI

on: [push]

jobs:
  test:
    uses: ./.github/workflows/reusable-test.yml
    with:
      python-version: '3.11'
```
**Composite actions:**

```yaml
# .github/actions/setup-node-deps/action.yml
name: Setup Node and Install Dependencies
description: Sets up Node.js and installs npm dependencies

inputs:
  node-version:
    description: Node.js version
    required: false
    default: '20'

runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
    - run: npm ci
      shell: bash
```

```yaml
# Usage in workflow:
steps:
  - uses: ./.github/actions/setup-node-deps
    with:
      node-version: '18'
```
### Secrets Management

**GitHub Secrets:**

```yaml
# Access secrets in workflows
steps:
  - name: Deploy
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    run: ./deploy.sh
```

**Setting secrets via gh CLI:**

```bash
# Set a secret
gh secret set AWS_ACCESS_KEY_ID --body "AKIA..."

# Set from file
gh secret set SSH_KEY < ~/.ssh/id_rsa

# List secrets
gh secret list

# Delete a secret
gh secret delete AWS_ACCESS_KEY_ID
```

**Environment secrets (production, staging, etc.):**

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production # Uses production environment secrets
    steps:
      - name: Deploy
        env:
          API_KEY: ${{ secrets.API_KEY }} # From production environment
        run: ./deploy.sh
```
### Self-Hosted Runners

**Setting up a self-hosted runner:**

```bash
# Download and configure runner
mkdir actions-runner && cd actions-runner
curl -o actions-runner-linux-x64-2.311.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.311.0/actions-runner-linux-x64-2.311.0.tar.gz
tar xzf ./actions-runner-linux-x64-2.311.0.tar.gz

# Configure
./config.sh --url https://github.com/optum-tech-compute --token <TOKEN>

# Run
./run.sh

# Install as service
sudo ./svc.sh install
sudo ./svc.sh start
```

**Using self-hosted runner in workflow:**

```yaml
jobs:
  build:
    runs-on: self-hosted
    # Or use labels:
    # runs-on: [self-hosted, linux, x64, epic-runner]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
```
## Repository Management

### Branch Protection Rules

**Via GitHub UI:**

- Settings → Branches → Add rule
- Branch name pattern: `main`
- Enable:
  - Require pull request reviews (1-2 approvers)
  - Require status checks to pass (CI workflows)
  - Require branches to be up to date
  - Require signed commits
  - Do not allow bypassing (enforce for admins)

**Via gh CLI (calls the GitHub REST API):**

```bash
# Enable branch protection
gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  /repos/optum-tech-compute/ohemr-ansible-playbooks/branches/main/protection \
  -f required_status_checks[strict]=true \
  -f required_status_checks[contexts][]=ci \
  -f required_pull_request_reviews[required_approving_review_count]=1 \
  -f enforce_admins=true
```
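
Setting protection is one half of the job; verifying that it still matches the checklist above is the other, because rules drift as settings are edited in the UI. The script below is an added example (not part of this skill's original content and not GitHub tooling). It reads the JSON returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection`, assuming the documented response shape (`required_status_checks.strict`/`contexts`, `required_pull_request_reviews.required_approving_review_count`, `enforce_admins.enabled`, `required_signatures.enabled`), and reports each checklist item that is not met. The embedded payload is constructed for illustration.

```python
"""Audit a branch-protection payload against the checklist above.

Usage (live data):
    gh api repos/OWNER/REPO/branches/main/protection | python3 audit_protection.py
With no stdin, the constructed sample payload below is audited instead.
"""
import json
import sys

# Threshold mirrors the checklist: at least one approving review.
MIN_APPROVERS = 1


def audit_branch_protection(protection: dict) -> list[str]:
    """Return human-readable findings; an empty list means the branch is compliant."""
    findings = []

    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < MIN_APPROVERS:
        findings.append(f"fewer than {MIN_APPROVERS} approving review(s) required")

    checks = protection.get("required_status_checks")
    if not checks:
        findings.append("status checks are not required")
    else:
        # The API exposes required checks both as 'contexts' and as 'checks'.
        if not checks.get("contexts") and not checks.get("checks"):
            findings.append("status checks required but no contexts configured")
        if not checks.get("strict"):
            findings.append("branches are not required to be up to date before merging")

    if not (protection.get("required_signatures") or {}).get("enabled"):
        findings.append("signed commits are not required")

    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators can bypass protection")

    return findings


# Constructed sample: meets every rule except signed commits.
SAMPLE_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci"], "checks": [{"context": "ci"}]},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
    "required_signatures": {"enabled": False},
}


def main() -> int:
    protection = SAMPLE_PROTECTION if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_branch_protection(protection)
    for finding in findings:
        print(f"FAIL: {finding}")
    if not findings:
        print("OK: branch protection meets the checklist")
    # Non-zero exit lets this run as a scheduled compliance job.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against every protected branch in a scheduled workflow and fail the job on findings; that turns the one-time `gh api --method PUT` above into a continuously checked control.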
### CODEOWNERS

Define code ownership:

```
# .github/CODEOWNERS

# Default owners for entire repo
* @epic-platform-sre

# Ansible playbooks
playbooks/ @epic-ansible-team
roles/ @epic-ansible-team

# Terraform
*.tf @epic-terraform-team
terraform/ @epic-terraform-team

# Documentation
docs/ @epic-docs-team
*.md @epic-docs-team

# CI/CD
.github/workflows/ @epic-devops-team
```
### Pull Request Templates

Create a PR template:

```markdown
<!-- .github/pull_request_template.md -->
## Description
Brief description of changes

## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Checklist
- [ ] Tests pass locally
- [ ] Added/updated tests for changes
- [ ] Updated documentation
- [ ] Followed code style guidelines
- [ ] No merge conflicts

## Related Issues
Closes #123
```
### Issue Templates

Bug report template:

```yaml
# .github/ISSUE_TEMPLATE/bug_report.yml
name: Bug Report
description: Report a bug
title: '[Bug]: '
labels: ['bug', 'triage']
body:
  - type: markdown
    attributes:
      value: |
        Please provide detailed information about the bug.

  - type: input
    id: version
    attributes:
      label: Version
      description: What version are you using?
      placeholder: 'v1.2.3'
    validations:
      required: true

  - type: textarea
    id: description
    attributes:
      label: Bug Description
      description: What happened?
      placeholder: 'Describe the bug'
    validations:
      required: true

  - type: textarea
    id: reproduce
    attributes:
      label: Steps to Reproduce
      description: How can we reproduce this?
      placeholder: |
        1. Go to '...'
        2. Click on '...'
        3. See error
    validations:
      required: true
```
## Security Features

### Dependabot

Enable Dependabot version updates:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 10
    reviewers:
      - 'epic-devops-team'
    labels:
      - 'dependencies'

  - package-ecosystem: 'pip'
    directory: '/'
    schedule:
      interval: 'weekly'

  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
```
### Code Scanning (CodeQL)

Enable code scanning:

```yaml
# .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 1' # Weekly on Monday

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    strategy:
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```
### Secret Scanning

Enable secret scanning:

- GitHub Advanced Security required (enterprise)
- Automatically enabled for public repositories
- Detects: AWS keys, Azure tokens, GitHub tokens, etc.
- Custom patterns via Security → Code security and analysis
## Advanced Workflows

### Semantic Release Automation

Automatic versioning and changelog:

```yaml
# .github/workflows/release.yml
name: Release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - run: npm ci

      - name: Semantic Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npx semantic-release
```

Configuration (a plain `.releaserc` is parsed as JSON/YAML, so a `module.exports` config needs a `.js` filename):

```javascript
// release.config.js (or .releaserc.js)
module.exports = {
  branches: ['main'],
  plugins: [
    '@semantic-release/commit-analyzer',
    '@semantic-release/release-notes-generator',
    '@semantic-release/changelog',
    '@semantic-release/npm',
    '@semantic-release/github',
    '@semantic-release/git',
  ],
};
```
### Multi-Environment Deployment

Deploy to staging, then production:

```yaml
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Staging
        env:
          STAGING_API_KEY: ${{ secrets.API_KEY }}
        run: ./deploy.sh staging

  deploy-production:
    runs-on: ubuntu-latest
    needs: deploy-staging
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Production
        env:
          PROD_API_KEY: ${{ secrets.API_KEY }}
        run: ./deploy.sh production
```
## Best Practices

### Workflow Design

- **Keep workflows focused**: One workflow per concern (CI, deploy, release)
- **Use caching**: Cache dependencies for faster builds
- **Fail fast**: Run quick checks (linting) before slow ones (integration tests)
- **Concurrency control**: Prevent multiple deployments to the same environment
- **Timeout limits**: Set reasonable timeouts to prevent stuck jobs

**Caching example:**

```yaml
- uses: actions/setup-python@v5
  with:
    python-version: '3.11'
    cache: 'pip'

- uses: actions/setup-node@v4
  with:
    node-version: '20'
    cache: 'npm'
```

**Concurrency control:**

```yaml
concurrency:
  group: deploy-production
  cancel-in-progress: false # Don't cancel running deployments
```
### Security Best Practices

- **Least privilege**: Grant minimal permissions to workflows
- **Pin action versions**: Use the full commit SHA, not tags (e.g., `actions/checkout@abc123`)
- **Review third-party actions**: Audit before using marketplace actions
- **Protect secrets**: Use environment secrets for production, rotate regularly
- **Enable secret scanning**: Catch leaked credentials before they're pushed
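
The first two practices are mechanically checkable. The script below is an added example, not part of this skill's original content and not a GitHub feature: it walks workflow YAML line by line (a regex rather than a YAML parser, so it has no dependencies) and reports every `uses:` reference that is not pinned to a 40-hex commit SHA, plus workflows that never declare a `permissions:` block and therefore run with the default `GITHUB_TOKEN` scopes. Local actions (`./...`) are skipped because they have no `@ref`. The sample workflow and its SHA are constructed for illustration.

```python
"""Flag unpinned actions and missing permissions blocks in workflow files.

Usage: python3 lint_workflows.py [.github/workflows/*.yml]
Without arguments it scans .github/workflows/ in the current directory.
"""
import re
import sys
from pathlib import Path

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def lint_workflow(text: str) -> list[str]:
    """Return findings for one workflow's YAML text; an empty list means clean."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Actions and reusable workflows in this repository carry no @ref.
        if ref.startswith("./"):
            continue
        # Container images are pinned by digest, a separate check not done here.
        if ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"line {lineno}: '{ref}' has no version reference")
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"line {lineno}: '{ref}' is pinned to a tag, not a commit SHA")
    if not has_permissions:
        findings.append("no 'permissions:' block; GITHUB_TOKEN gets the default scopes")
    return findings


# Constructed sample: one tag-pinned action, one SHA-pinned action (placeholder
# SHA, not a real commit) and one local composite action; no permissions block.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
        with:
          python-version: '3.11'
      - uses: ./.github/actions/setup-node-deps
"""


def main(paths: list[str]) -> int:
    files = [Path(p) for p in paths] or sorted(Path(".github/workflows").glob("*.y*ml"))
    total = 0
    for path in files:
        for finding in lint_workflow(path.read_text()):
            print(f"{path}: {finding}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Keeping a version comment after the SHA (`@<sha> # v5`) preserves readability, and the `github-actions` Dependabot ecosystem configured earlier keeps SHA pins current, so pinning does not mean freezing.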
### Repository Organization

- **Monorepo vs multi-repo**: Monorepo for tightly coupled code, multi-repo for independent services
- **Branch strategy**: Trunk-based (main only) or feature branches with short-lived PRs
- **Labels**: Consistent labeling (bug, feature, documentation, priority-high)
- **Projects**: Use GitHub Projects for sprint planning and tracking
- **Discussions**: Enable discussions for Q&A, RFCs, community engagement
## Epic Infrastructure Patterns

### AWX CaC Workflow

Trigger AWX playbook execution from a PR merge:

```yaml
# .github/workflows/awx-cac.yml
name: AWX CaC Deployment

on:
  pull_request:
    types: [closed]
    branches: [main]

jobs:
  deploy:
    if: github.event.pull_request.merged == true
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2 # HEAD~1 must exist for the diff below; the default depth of 1 has no parent

      - name: Determine playbook from changed files
        id: playbook
        run: |
          if git diff --name-only HEAD~1 | grep -q "awx_job_templates.yml"; then
            echo "playbook=pb_create_awx_job_template.yml" >> "$GITHUB_OUTPUT"
          fi

      - name: Run AWX CaC playbook
        if: steps.playbook.outputs.playbook != ''
        env:
          AWX_HOST: ${{ secrets.AWX_HOST }}
          AWX_TOKEN: ${{ secrets.AWX_TOKEN }}
        run: |
          ansible-playbook ${{ steps.playbook.outputs.playbook }} \
            -i "localhost," \
            -e @awx_connection.yml
```
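
The single `grep` above works for one file, but a substring match also fires on names such as `awx_job_templates.yml.bak`, and the pattern does not scale to several CaC files. The script below is an added example, not part of this skill's original workflow: it maps exact repository paths to playbooks, returns nothing (so the deploy step is skipped) when no mapped file changed, and emits the list in the `key=value` form the `$GITHUB_OUTPUT` step expects. Only the `awx_job_templates.yml` entry comes from the workflow above; the other two mappings are hypothetical placeholders.

```python
"""Select AWX CaC playbooks from the files changed by a merged PR.

Intended as the body of the 'Determine playbook' step: run it after
actions/checkout with fetch-depth: 2 so that HEAD~1 (the base before the
merge) is available.
"""
import subprocess
import sys

# Exact repository path -> playbook. Exact matching avoids the false positive
# a bare grep gives on e.g. awx_job_templates.yml.bak.
PLAYBOOK_MAP = {
    "awx_job_templates.yml": "pb_create_awx_job_template.yml",  # from the workflow above
    "awx_inventories.yml": "pb_create_awx_inventory.yml",       # hypothetical
    "awx_credentials.yml": "pb_create_awx_credential.yml",      # hypothetical
}


def select_playbooks(changed_files: list[str]) -> list[str]:
    """Return the playbooks to run, in PLAYBOOK_MAP order, each at most once."""
    changed = set(changed_files)
    return [playbook for path, playbook in PLAYBOOK_MAP.items() if path in changed]


def changed_files_from_git(base: str = "HEAD~1", head: str = "HEAD") -> list[str]:
    """List paths changed between two commits (requires both to be fetched)."""
    result = subprocess.run(
        ["git", "diff", "--name-only", base, head],
        check=True, capture_output=True, text=True,
    )
    return [line for line in result.stdout.splitlines() if line]


def format_output(playbooks: list[str]) -> str:
    """Render the GITHUB_OUTPUT line; an empty value makes the run step's `if` skip it."""
    return "playbooks=" + " ".join(playbooks)


def main() -> int:
    playbooks = select_playbooks(changed_files_from_git())
    if not playbooks:
        print("no mapped CaC files changed; nothing to run", file=sys.stderr)
    # Append to $GITHUB_OUTPUT from the workflow: python3 select_playbooks.py >> "$GITHUB_OUTPUT"
    print(format_output(playbooks))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In the workflow, the consuming step would then read `steps.playbook.outputs.playbooks` and loop over the space-separated list instead of running a single hard-coded playbook.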
### Terraform Automation

Plan Terraform on pull requests:

```yaml
name: Terraform

on:
  pull_request:
    paths: ['terraform/**']
  push:
    branches: [main]
    paths: ['terraform/**']

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.0

      - name: Terraform Init
        working-directory: terraform
        run: terraform init

      - name: Terraform Plan
        if: github.event_name == 'pull_request'
        working-directory: terraform
        run: terraform plan -no-color

      # Apply is executed in Terraform Enterprise via VCS-backed workspace.
```
## When to Apply This Skill

Use the github-expert skill when working with:

- ✅ GitHub Actions workflows and CI/CD automation
- ✅ GitHub CLI operations (gh commands)
- ✅ Pull request and code review workflows
- ✅ Repository management (branch protection, CODEOWNERS, templates)
- ✅ GitHub security features (Dependabot, code scanning, secret scanning)
- ✅ Self-hosted GitHub Actions runners
- ✅ Semantic release automation
- ✅ Multi-environment deployments via GitHub Actions
- ✅ Organization-level GitHub administration
- ✅ GitHub API integration
## Resources

### Related Assets

- **DevOps Core Principles**: Foundational DevOps principles (CALMS) and key metrics (DORA) to guide effective software delivery. Owner: epic-platform-sre
- **Super-Linter Configuration Generator**: Generate and configure GitHub Super-Linter setup including workflow files, environment configuration, and pre-commit hooks for new or existing repositories. Owner: epic-platform-sre
- **Super-Linter Troubleshooting Assistant**: Diagnostic and resolution guide for GitHub Super-Linter failures including ENV ordering, ESLint errors, CodeQL security findings, and configuration issues. Owner: epic-platform-sre
- **Implement Specific Testing Layer**: Implement a specific testing layer (unit, functional, integration, performance) with appropriate tooling, infrastructure, and best practices. Owner: thudak
- **Super-Linter Operations Assistant**: Specialized assistant for configuring, troubleshooting, and optimizing GitHub Super-Linter in CI/CD pipelines with deep knowledge of configuration patterns and error resolution. Owner: epic-platform-sre
- **UHG/Optum GitHub Actions Compliance Policy**: Corporate policy for allowed GitHub Actions sources in workflows. Owner: thudak