GitHub Actions Failure Owner Audit

v1.2.0

Audit failing GitHub Actions runs by actor ownership to expose who/workflow combinations generate the most CI noise and wasted minutes.

by Daniel Lummis (@daniellummis)
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description describe auditing GitHub Actions run JSONs; the skill only requires bash and python3 to parse local JSON exports and an optional owner-map file. Nothing in the files requests unrelated cloud credentials or services.
Instruction Scope
SKILL.md and the script consistently instruct collecting GitHub Actions run JSONs (via gh api or local exports) and then running the bundled script. The script reads files matched by RUN_GLOB and an optional OWNER_MAP_FILE and applies regex filters — all behavior is consistent with the stated audit purpose. Note: RUN_GLOB/OWNER_MAP_FILE are user-controllable, so the tool will read any files the user points it at (expected for a file-processing tool).
Install Mechanism
No install spec; skill is instruction-only with an included script. This is low-risk: nothing is downloaded or written during install.
Credentials
No required environment variables or credentials are declared. The script uses user-provided environment variables (RUN_GLOB, OWNER_MAP_FILE, filters) appropriate for configuring a local audit. It does not attempt to read other environment variables or secret files.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence or modify other skills or system-wide configs. It runs only when invoked by the user/agent.
Assessment
This skill appears to do what it says: parse GitHub Actions run JSON exports and report owner/actor hotspots. Before running:

1) Export runs yourself via 'gh api' (which will use your existing gh auth) rather than pointing RUN_GLOB at unexpected locations.
2) Confirm RUN_GLOB and OWNER_MAP_FILE point only to intended JSON files (the script will read any path you provide).
3) Review the included script if you need to confirm it references no sensitive local paths in your environment.
4) Try the provided fixtures first to verify output and behavior (the README shows this).

If you need autonomous agent invocation, consider the risks of letting an agent run file-processing tools without restrictions, but the skill itself does not request extra credentials or network exfiltration.


Runtime requirements

Bins: bash, python3
License: MIT-0

GitHub Actions Failure Owner Audit

Use this skill to attribute GitHub Actions failures to owners (actors) so teams can route CI stabilization work by impact instead of guesswork.

What this skill does

  • Reads one or more GitHub Actions run JSON exports (gh api output or per-run JSON files)
  • Focuses on failure-like conclusions by default (failure, cancelled, timed_out, action_required, startup_failure)
  • Groups by repository + actor (or repository + actor + workflow)
  • Scores hotspots by failed run counts and total failed runtime minutes
  • Supports text and JSON output for triage meetings and automation

Inputs

Optional:

  • RUN_GLOB (default: artifacts/github-actions-runs/*.json)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • GROUP_BY (actor, actor-workflow, owner, or owner-workflow, default: actor)
  • OWNER_MAP_FILE (optional JSON mapping file to map actor regex → owner/team)
  • WARN_FAILURE_RUNS (default: 3)
  • CRITICAL_FAILURE_RUNS (default: 6)
  • WARN_FAILURE_MINUTES (default: 30)
  • CRITICAL_FAILURE_MINUTES (default: 90)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)
  • REPO_MATCH / REPO_EXCLUDE (regex, optional)
  • WORKFLOW_MATCH / WORKFLOW_EXCLUDE (regex, optional)
  • BRANCH_MATCH / BRANCH_EXCLUDE (regex, optional)
  • ACTOR_MATCH / ACTOR_EXCLUDE (regex, optional)
  • CONCLUSION_MATCH / CONCLUSION_EXCLUDE (regex, optional)

Collect run JSON

Single repository paginated export:

gh api repos/<owner>/<repo>/actions/runs --paginate \
  > artifacts/github-actions-runs/<owner>-<repo>.json

Run

Default ownership triage:

RUN_GLOB='artifacts/github-actions-runs/*.json' \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

Workflow-scoped ownership triage with stricter thresholds:

RUN_GLOB='artifacts/github-actions-runs/*.json' \
GROUP_BY='actor-workflow' \
WARN_FAILURE_RUNS=2 \
CRITICAL_FAILURE_RUNS=4 \
WARN_FAILURE_MINUTES=20 \
CRITICAL_FAILURE_MINUTES=60 \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

JSON output for dashboards/alerts:

RUN_GLOB='artifacts/github-actions-runs/*.json' \
OUTPUT_FORMAT='json' \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

Filter to a repo and release branches only:

RUN_GLOB='artifacts/github-actions-runs/*.json' \
REPO_MATCH='^flowcreatebot/' \
BRANCH_MATCH='^(main|release/)' \
ACTOR_EXCLUDE='(dependabot|renovate)' \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

Run with bundled fixtures:

RUN_GLOB='skills/github-actions-failure-owner-audit/fixtures/*.json' \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

Owner/team mapping (first matching regex wins):

{
  "^dependabot\\[bot]$": "automation",
  "^renovate\\[bot]$": "automation",
  "^alice$": "platform"
}

RUN_GLOB='artifacts/github-actions-runs/*.json' \
GROUP_BY='owner-workflow' \
OWNER_MAP_FILE='skills/github-actions-failure-owner-audit/examples/owner-map.sample.json' \
bash skills/github-actions-failure-owner-audit/scripts/failure-owner-audit.sh

Output contract

  • Exit 0 in reporting mode (default)
  • Exit 1 if FAIL_ON_CRITICAL=1 and at least one ownership group is critical
  • In text mode: prints summary and top ownership hotspots
  • In json mode: prints summary, top groups, all groups, and critical groups
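As an added, stand-alone illustration of the grouping, owner-mapping and threshold rules described above (not the skill's own failure-owner-audit.sh), the following Python reimplements the core audit over constructed run records. The GitHub API field names (workflow_runs, actor.login, repository.full_name, name, conclusion, run_started_at, updated_at) are real; how the warn/critical thresholds combine and the hotspot sort order are assumptions, since the README does not state them.

```python
import json, re
from collections import defaultdict
from datetime import datetime

FAILURE_LIKE = {"failure", "cancelled", "timed_out", "action_required", "startup_failure"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # GitHub API timestamp format
def load_runs(text):
    # gh api --paginate prints one {"workflow_runs": [...]} object per page back to back; a per-run export is one run object.
    dec, runs = json.JSONDecoder(), []
    pos = len(text) - len(text.lstrip())
    while pos < len(text):
        page, pos = dec.raw_decode(text, pos)
        runs.extend(page.get("workflow_runs", [page]) if isinstance(page, dict) else page)
        pos = len(text) - len(text[pos:].lstrip())  # skip whitespace between pages
    return runs

def resolve_owner(actor, owner_map):
    # First matching regex wins; unmapped actors keep their own login (assumption).
    return next((owner for pat, owner in owner_map.items() if re.search(pat, actor)), actor)

def audit(runs, owner_map=None, group_by="actor", warn_runs=3, crit_runs=6, warn_min=30, crit_min=90):
    groups = defaultdict(lambda: {"runs": 0, "minutes": 0.0})
    for run in runs:
        if run.get("conclusion") not in FAILURE_LIKE:  # only failure-like conclusions count
            continue
        who = run["actor"]["login"]
        if group_by.startswith("owner"):
            who = resolve_owner(who, owner_map or {})
        key = (run["repository"]["full_name"], who)
        if group_by.endswith("workflow"):
            key += (run["name"],)
        wall = datetime.strptime(run["updated_at"], TS) - datetime.strptime(run["run_started_at"], TS)
        groups[key]["runs"] += 1
        groups[key]["minutes"] += wall.total_seconds() / 60
    report = []
    for key, g in groups.items():
        # Assumption: crossing either threshold (runs or minutes) is enough to escalate a group.
        level = "critical" if g["runs"] >= crit_runs or g["minutes"] >= crit_min else \
            "warn" if g["runs"] >= warn_runs or g["minutes"] >= warn_min else "ok"
        report.append({"group": key, "runs": g["runs"], "minutes": round(g["minutes"], 1), "level": level})
    return sorted(report, key=lambda r: (-r["runs"], -r["minutes"]))  # most failed runs first, then minutes

def mk(actor, conclusion, mins, workflow="ci", repo="flowcreatebot/app"):
    # Constructed run record using the real GitHub API field names the audit relies on.
    return {"repository": {"full_name": repo}, "actor": {"login": actor}, "name": workflow, "conclusion": conclusion,
            "run_started_at": "2024-05-01T10:00:00Z", "updated_at": f"2024-05-01T10:{mins:02d}:00Z"}
# Two constructed pages concatenated, as gh api --paginate emits them; the success run is ignored.
SAMPLE_TEXT = json.dumps({"workflow_runs": [mk("alice", "failure", 10), mk("alice", "failure", 25), mk("bob", "success", 30)]}) \
    + json.dumps({"workflow_runs": [mk("alice", "failure", 5), mk("dependabot[bot]", "failure", 2), mk("renovate[bot]", "timed_out", 8)]})
OWNER_MAP = {"^dependabot\\[bot]$": "automation", "^renovate\\[bot]$": "automation", "^alice$": "platform"}
```

Calling audit(load_runs(SAMPLE_TEXT), OWNER_MAP, "owner-workflow") reports the platform/ci group at three failed runs and 40 minutes, which crosses the default warn thresholds but not the critical ones.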
