GitHub Actions SHA Rerun Debt Audit

v1.0.0

Audit rerun debt by commit SHA to find commits that repeatedly burn CI minutes across workflows.

by Daniel Lummis (@daniellummis)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/github-actions-sha-rerun-debt-audit.

Install the skill "GitHub Actions SHA Rerun Debt Audit" (daniellummis/github-actions-sha-rerun-debt-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/github-actions-sha-rerun-debt-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install daniellummis/github-actions-sha-rerun-debt-audit

ClawHub CLI

npx clawhub@latest install github-actions-sha-rerun-debt-audit

Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)

Purpose & Capability
Name/description match the implementation: the script reads GitHub Actions run JSON files, correlates attempts by run id, aggregates metrics by commit SHA, and emits a ranked report. Required binaries (bash, python3) are reasonable. One inconsistency: SKILL.md shows using the `gh run view` command to collect JSON, but the skill's declared required binaries do not include `gh` (GitHub CLI) nor does it declare any GitHub credentials.
Instruction Scope
Runtime instructions are limited to collecting JSON run exports and running the bundled script against them; the script reads files matched by RUN_GLOB and does local aggregation and reporting. There are no network calls or external endpoints in the shown code. The SKILL.md suggests using `gh run view` (which will contact GitHub and requires authenticated gh), but the script itself only processes local files.
Install Mechanism
No install spec — instruction-only skill with a bundled script. Nothing is downloaded or installed by the skill itself.
Credentials
The skill requests no credentials or environment variables beyond operational parameters (RUN_GLOB, TOP_N, etc.). However, collecting run JSON via `gh run view` (shown in SKILL.md) requires the GitHub CLI and authenticated access to GitHub; those prerequisites are not declared. No other unexpected secrets or config paths are requested by the script.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or system-wide config. It only reads files matched by RUN_GLOB and writes output/exit codes.
Assessment
This skill appears to do exactly what it claims: analyze local GitHub Actions run JSON files and report rerun debt by commit SHA. Before installing/running it:

  (1) Inspect the full script (you were shown a truncated portion) to confirm no unexpected behavior.
  (2) Note that SKILL.md shows using `gh run view` to collect run JSON — running that requires the GitHub CLI and authenticated access (gh stores credentials or uses your environment), so be mindful of what account/permissions are used when collecting artifacts.
  (3) The skill itself does not exfiltrate data or contact external endpoints in the shown code, but it will process whatever JSON files you point it at — avoid feeding it sensitive files from unknown sources.
  (4) Run it first against the provided fixtures (RUN_GLOB set to fixtures) to validate behavior in a safe context.

If you want higher assurance, request the author to explicitly declare the gh dependency and include full source for review.

Runtime requirements

Bins: bash, python3
Version: v1.0.0 (1 version)
Downloads: 258
Stars: 0
Updated 1mo ago
License: MIT-0

GitHub Actions SHA Rerun Debt Audit

Use this skill to detect commits that trigger repeated GitHub Actions reruns and failed outcomes across multiple workflows.

What this skill does

  • Reads GitHub Actions run JSON exports
  • Correlates attempt history by run id and latest outcome per run
  • Aggregates rerun debt by repository + commit SHA
  • Scores risk using rerun rate, failed-run count, workflow spread, and wasted rerun minutes
  • Emits severity (ok, warn, critical) for CI gates
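
The steps listed above, sketched as an added example; this is not the skill's bundled script. The field names come from the `gh run view` command on this page and the thresholds from the defaults under Inputs. The definition of rerun rate (share of runs with more than one attempt), the "any one metric crosses its threshold" severity rule, the string form of `repository`, and the sample records are assumptions.

```python
from collections import defaultdict

# Defaults copied from the "Inputs" list on this page.
FAILURE_CONCLUSIONS = {"failure", "cancelled", "timed_out", "startup_failure", "action_required"}
MIN_RUNS = 3
WARN = {"rerun_rate": 0.25, "failed_runs": 2, "workflows": 2}
CRITICAL = {"rerun_rate": 0.45, "failed_runs": 4, "workflows": 4}

def audit(records):
    """Grade each (repository, headSha) group from per-attempt run records."""
    latest = {}  # databaseId -> record with the highest runAttempt
    for rec in records:
        seen = latest.get(rec["databaseId"])
        if seen is None or rec["runAttempt"] > seen["runAttempt"]:
            latest[rec["databaseId"]] = rec
    groups = defaultdict(list)
    for rec in latest.values():
        groups[(rec["repository"], rec["headSha"])].append(rec)
    report = []
    for (repo, sha), runs in groups.items():
        if len(runs) < MIN_RUNS:
            continue  # too few runs for a meaningful rate
        rerun = [r for r in runs if r["runAttempt"] > 1]
        failed = [r for r in runs if r["conclusion"] in FAILURE_CONCLUSIONS]
        m = {"rerun_rate": len(rerun) / len(runs), "failed_runs": len(failed),
             "workflows": len({r["workflowName"] for r in rerun + failed})}
        # Assumed rule: any one metric at or above its threshold sets the severity.
        sev = ("critical" if any(m[k] >= CRITICAL[k] for k in m)
               else "warn" if any(m[k] >= WARN[k] for k in m) else "ok")
        report.append({"repository": repo, "head_sha": sha, "runs": len(runs),
                       "severity": sev, **m})
    return sorted(report, key=lambda g: (-g["rerun_rate"], -g["failed_runs"]))

def sample_run(run_id, attempt, workflow, sha, conclusion):
    # Constructed sample record; "repository" as a plain string is an assumption.
    return {"databaseId": run_id, "runAttempt": attempt, "workflowName": workflow,
            "headSha": sha, "conclusion": conclusion, "repository": "example/repo"}

SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40
SAMPLE = [
    sample_run(101, 1, "build", SHA_A, "failure"), sample_run(101, 2, "build", SHA_A, "failure"),
    sample_run(102, 1, "lint", SHA_A, "success"), sample_run(104, 1, "docs", SHA_A, "success"),
    sample_run(103, 1, "test", SHA_A, "failure"), sample_run(103, 2, "test", SHA_A, "success"),
    sample_run(201, 1, "build", SHA_B, "success"), sample_run(202, 1, "lint", SHA_B, "success"),
    sample_run(203, 1, "test", SHA_B, "success"), sample_run(301, 1, "build", SHA_C, "failure"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```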

Inputs

Optional:

  • RUN_GLOB (default: artifacts/github-actions/*.json)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • MIN_RUNS (minimum runs per SHA, default: 3)
  • WARN_RERUN_RATE (0..1, default: 0.25)
  • CRITICAL_RERUN_RATE (0..1, default: 0.45)
  • WARN_FAILED_RUNS (default: 2)
  • CRITICAL_FAILED_RUNS (default: 4)
  • WARN_WASTED_MINUTES (default: 25)
  • CRITICAL_WASTED_MINUTES (default: 75)
  • WARN_WORKFLOWS (distinct workflows affected, default: 2)
  • CRITICAL_WORKFLOWS (default: 4)
  • WORKFLOW_MATCH / WORKFLOW_EXCLUDE (regex, optional)
  • BRANCH_MATCH / BRANCH_EXCLUDE (regex, optional)
  • EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
  • REPO_MATCH / REPO_EXCLUDE (regex, optional)
  • HEAD_SHA_MATCH / HEAD_SHA_EXCLUDE (regex, optional)
  • FAILURE_CONCLUSIONS (comma-separated, default: failure,cancelled,timed_out,startup_failure,action_required)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Collect run JSON

gh run view <run-id> --attempt <attempt> \
  --json databaseId,runAttempt,workflowName,event,headBranch,headSha,conclusion,createdAt,updatedAt,runStartedAt,url,repository \
  > artifacts/github-actions/run-<run-id>-attempt-<attempt>.json
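
A pre-flight check for the exported files, added here as an example and not part of the skill: it confirms that every file a RUN_GLOB pattern matches is a single-run export carrying exactly the fields requested in the command above, before anything is handed to the audit script. The size ceiling, the choice to reject extra keys, and the two sample files are assumptions.

```python
import glob, json, os, re, tempfile

# Field list copied from the `gh run view --json ...` command on this page.
EXPECTED = {"databaseId", "runAttempt", "workflowName", "event", "headBranch", "headSha",
            "conclusion", "createdAt", "updatedAt", "runStartedAt", "url", "repository"}
SHA_RE = re.compile(r"[0-9a-f]{40}")
MAX_BYTES = 64 * 1024  # assumed ceiling; a single-run export is small

def check_export(path):
    """Return a list of problems found in one export file (empty list = clean)."""
    if os.path.getsize(path) > MAX_BYTES:
        return ["file larger than a run export should be"]
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"unreadable or not JSON: {exc.__class__.__name__}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    if doc.keys() - EXPECTED:
        problems.append(f"unexpected keys: {sorted(doc.keys() - EXPECTED)}")
    if EXPECTED - doc.keys():
        problems.append(f"missing keys: {sorted(EXPECTED - doc.keys())}")
    if not SHA_RE.fullmatch(str(doc.get("headSha", ""))):
        problems.append("headSha is not a 40-character hex commit id")
    attempt = doc.get("runAttempt")
    if not isinstance(attempt, int) or isinstance(attempt, bool) or attempt < 1:
        problems.append("runAttempt is not a positive integer")
    return problems

def check_glob(pattern):
    """Map each file matched by a RUN_GLOB-style pattern to its problems."""
    return {p: check_export(p) for p in sorted(glob.glob(pattern))}

def demo():
    """Write two constructed files to a temp dir and check them."""
    good = {**dict.fromkeys(EXPECTED, "x"), "headSha": "a" * 40, "runAttempt": 1}
    bad = {"headSha": "HEAD", "runAttempt": 0, "token": "constructed-value"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc in (("good.json", good), ("bad.json", bad)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        found = check_glob(os.path.join(tmp, "*.json"))
    return {os.path.basename(p): v for p, v in found.items()}

if __name__ == "__main__":
    print(demo())
```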

Run

Text report:

RUN_GLOB='artifacts/github-actions/*.json' \
bash skills/github-actions-sha-rerun-debt-audit/scripts/sha-rerun-debt-audit.sh

JSON output + fail gate:

RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-sha-rerun-debt-audit/scripts/sha-rerun-debt-audit.sh

Run against bundled fixtures:

RUN_GLOB='skills/github-actions-sha-rerun-debt-audit/fixtures/*.json' \
bash skills/github-actions-sha-rerun-debt-audit/scripts/sha-rerun-debt-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more SHA groups are critical
  • Text mode prints summary + ranked SHA risk groups
  • JSON mode prints summary + ranked groups + critical groups
