CI-CD

Automate builds, tests, and deployments across web, mobile, and backend applications.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 1.1k · 11 current installs · 13 all-time installs
by Iván @ivangdavila
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name and description (CI/CD automation) match the content: workflow templates, mobile signing, build caching, and deployment patterns are all relevant to CI/CD tasks.
! Instruction Scope
The runtime docs instruct use of many CI secrets and file operations (e.g., MATCH_PASSWORD, MATCH_GIT_AUTH, KEYSTORE_BASE64 decoding, KEYSTORE_PASSWORD, SSH_KEY, GITHUB_TOKEN) and recommend storing code signing artifacts in a git-backed Fastlane Match repo. The skill files instruct reading and injecting secrets into CI jobs and decoding/uploading private keys — actions that go beyond simple templating and involve handling sensitive credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files. No downloads or archive extraction are present, which keeps disk-write and remote-install risk low.
! Credentials
Registry metadata lists no required environment variables, but the SKILL.md and included templates explicitly reference many secrets and env vars needed for real-world use (match secrets, keystore secrets, SSH credentials, Docker/GHCR auth). The skill therefore under-declares its credential needs, creating a transparency gap about what will be required/used.
Persistence & Privilege
Skill is not always-enabled, has no install steps that modify agent config, and doesn't request persistence or system-wide changes. Autonomous invocation is allowed by default (normal) but not combined here with other elevated privileges.
What to consider before installing
This skill is a coherent CI/CD guide and contains useful templates, but it references many secrets and sensitive actions (mobile code-signing, decoding keystores, SSH deploy keys, registry tokens) while the registry metadata declares no required env vars. Before installing or using it:

(1) review every template and workflow it suggests and only copy what you understand;
(2) never paste real credentials into example files — use your CI platform's secret store or short-lived OIDC tokens;
(3) avoid storing private keys/certificates in plain git unless you understand Fastlane Match's encryption and access controls;
(4) because the skill owner is unknown, treat these templates as untrusted third-party guidance and audit any generated workflows for accidental secret leakage or overly broad access (e.g., ensure deploy jobs only run on protected branches);
(5) if you need the agent to apply templates automatically, restrict which secrets it can access and consider running in a least-privilege CI environment.

If you want a cleaner security posture, ask the skill author to declare required env vars in metadata and to provide guidance for secure secret handling (OIDC, ephemeral tokens) rather than base64-decoding or embedding keys.


Current version: v1.0.0
latest vk979wpv99ney0m851cy4mgpzfn811eep


SKILL.md

When to Use

Trigger on: automated deployment, continuous integration, pipeline setup, GitHub Actions, GitLab CI, build failing, deploy automatically, CI configuration, release automation.

Platform Selection

| Stack | Recommended | Why |
|---|---|---|
| Web (Next.js, Nuxt, static) | Vercel, Netlify | Zero-config, auto-deploys, preview URLs |
| Mobile (iOS/Android/Flutter) | Codemagic, Bitrise + Fastlane | Pre-configured signing, app store upload |
| Backend/Docker | GitHub Actions, GitLab CI | Full control, self-hosted runners option |
| Monorepo | Nx/Turborepo + GHA | Affected detection, build caching |

Decision tree: If platform handles deploy automatically (Vercel, Netlify) → skip custom CI. Only add GitHub Actions when you need tests, custom builds, or deploy to your own infra.

Quick Start Templates

For copy-paste workflows, see templates.md.

Common Pipeline Pitfalls

| Mistake | Impact | Fix |
|---|---|---|
| Using latest image tags | Builds break randomly | Pin versions: node:20.11.0 |
| Not caching dependencies | +5-10 min per build | Cache node_modules, .next/cache |
| Secrets in workflow files | Leaked in logs/PRs | Use platform secrets, OIDC for cloud |
| Missing timeout-minutes | Stuck jobs burn budget | Always set: timeout-minutes: 15 |
| No concurrency control | Redundant runs on rapid pushes | Group by branch/PR |
| Building on every push | Wasted resources | Build on push to main, test on PRs |
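
The fixes from the table above, combined in one GitHub Actions workflow. This is an added example, not one of the skill's own templates; it assumes an npm project and AWS as the cloud target, and the role ARN, region, environment name and deploy script are placeholders.

```yaml
# Added example: names, region, role ARN and deploy script are placeholders.
name: ci
on:
  pull_request:                 # test on PRs
  push:
    branches: [main]            # build and deploy only on push to main

permissions:
  contents: read                # least-privilege default for GITHUB_TOKEN

concurrency:                    # one active run per branch/PR
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-22.04       # pinned runner image, not ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20.11.0' # pinned, same idea as node:20.11.0
          cache: npm              # restores the npm cache keyed on the lockfile
      - run: npm ci
      - run: npm test

  deploy:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    environment: production     # assumed: an environment with protection rules
    permissions:
      contents: read
      id-token: write           # lets the job request an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<DEPLOY_ROLE>  # placeholder
          aws-region: us-east-1                                         # placeholder
      - run: ./scripts/deploy.sh  # hypothetical deploy script
```

Only the deploy job receives `id-token: write`, so pull-request runs never obtain cloud credentials, and no long-lived access key is stored in the repository or its secrets.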

Mobile-Specific: Code Signing

The #1 pain point. iOS requires certificates + provisioning profiles. Android requires keystores.

The fix: Use Fastlane Match — stores certs/profiles in git repo, syncs across team and CI.

```bash
# One-time setup
fastlane match init
fastlane match appstore

# In CI
fastlane match appstore --readonly
```

For detailed mobile CI/CD patterns (iOS, Android, Flutter), see mobile.md.

Web-Specific: Build Caching

Next.js/Nuxt builds are slow without a cache. The "No Cache Detected" warning means a full rebuild.

```yaml
# GitHub Actions: persist Next.js cache
- uses: actions/cache@v4
  with:
    path: .next/cache
    key: nextjs-${{ hashFiles('**/package-lock.json') }}
```

For framework-specific configs, see web.md.

Debugging Failed Builds

| Error Pattern | Likely Cause | Check |
|---|---|---|
| Works locally, fails in CI | Environment drift | Node version, env vars, OS |
| Intermittent failures | Flaky tests, resource limits | Retry logic, increase timeout |
| ENOENT / file not found | Build order, missing artifact | Check needs: dependencies |
| Exit code 137 | Out of memory | Use larger runner or optimize |
| Certificate/signing errors | Expired or mismatched creds | Regenerate with Match/Fastlane |

What This Doesn't Cover

  • Container orchestration (Kubernetes) → see k8s skill
  • Server configuration → see server skill
  • Monitoring and observability → see monitoring skill

Files

4 total