GitHub Actions Deploy Risk Audit

v1.0.0

Audit deployment workflow risk from GitHub Actions runs by scoring failure rate, unresolved failure streaks, and time since last successful deploy.

by Daniel Lummis (@daniellummis)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/github-actions-deploy-risk-audit.

Install & Setup prompt:
Install the skill "GitHub Actions Deploy Risk Audit" (daniellummis/github-actions-deploy-risk-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/github-actions-deploy-risk-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install github-actions-deploy-risk-audit

ClawHub CLI


npx clawhub@latest install github-actions-deploy-risk-audit
Security Scan

VirusTotal: Benign (View report →)
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the provided script: it ingests GitHub Actions run JSON exports, filters/groups them, and computes risk scores. Required binaries (bash, python3) are proportional to the task.
Instruction Scope
SKILL.md shows how to collect run JSON using the 'gh' CLI, but 'gh' is not listed as a required binary; the script itself only reads local JSON files. The instructions and script operate on local artifacts (RUN_GLOB) and emit text/JSON; they do not access other system credentials or external endpoints. Be aware outputs include sample run URLs from the JSON payloads (which might expose internal URLs if sent to external logs).
Install Mechanism
No install spec (instruction-only with an included script) — nothing is downloaded or extracted. The skill will run locally with bash and python3; that is low-risk from an install perspective.
Credentials
The skill requests no secrets, no config paths, and only uses optional environment variables for filtering and formatting. The set of environment inputs shown in SKILL.md is reasonable and optional; no unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills. It runs on-demand and does not appear to alter agent configuration or store credentials.
Assessment
This skill appears to do what it says: parse local GitHub Actions run JSON files and compute risk scores. Before installing or running it: (1) Confirm where RUN_GLOB points — avoid matching sensitive or unrelated files; (2) The SKILL.md examples use the GitHub CLI ('gh') to collect run JSON, but 'gh' is not declared as required — install/authorize 'gh' yourself if you plan to use those collection steps; (3) Output can include run URLs from the JSON payloads — be careful not to send output to untrusted external systems if those URLs are sensitive; (4) The script accepts user-provided regex patterns (for workflows, repos, branches) so ensure patterns are trusted and avoid pathological regexes if supplied programmatically; (5) I reviewed the majority of the script but the provided file contents were truncated in the manifest — if you need higher assurance, inspect the complete scripts/deploy-risk-audit.sh file before use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: bash, python3
latest: vk97ehaj0zx3qewt0ydhwkpmar182drwd
278 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

GitHub Actions Deploy Risk Audit

Use this skill to rank deployment workflows that are currently risky to trust for production releases.

What this skill does

  • Reads GitHub Actions run JSON exports
  • Filters to deployment/release workflows (configurable regex)
  • Groups by repository + workflow + branch
  • Scores risk using:
    • failure rate
    • unresolved trailing failure streak
    • days since last successful run
  • Flags warning/critical groups based on configurable score thresholds
  • Emits text or JSON output for CI dashboards and release gates

Inputs

Optional:

  • RUN_GLOB (default: artifacts/github-actions/*.json)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • MIN_RUNS (default: 2)
  • DEPLOY_WORKFLOW_MATCH (default: (?i)(deploy|release|ship|production))
  • BRANCH_MATCH (regex, optional)
  • BRANCH_EXCLUDE (regex, optional)
  • REPO_MATCH (regex, optional)
  • REPO_EXCLUDE (regex, optional)
  • FAIL_WARN_PERCENT (default: 20)
  • FAIL_CRITICAL_PERCENT (default: 40)
  • STALE_SUCCESS_DAYS (default: 7)
  • WARN_SCORE (default: 35)
  • CRITICAL_SCORE (default: 60)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Collect run JSON

gh run view <run-id> --json databaseId,workflowName,event,conclusion,headBranch,headSha,createdAt,updatedAt,startedAt,url,repository \
  > artifacts/github-actions/run-<run-id>.json

Run

Text report:

RUN_GLOB='artifacts/github-actions/*.json' \
DEPLOY_WORKFLOW_MATCH='(?i)(deploy|release)' \
MIN_RUNS=3 \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh

JSON output with fail gate:

RUN_GLOB='artifacts/github-actions/*.json' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh

Run with bundled fixtures:

RUN_GLOB='skills/github-actions-deploy-risk-audit/fixtures/*.json' \
bash skills/github-actions-deploy-risk-audit/scripts/deploy-risk-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more groups are critical
  • Text mode prints summary + ranked deploy risk groups
  • JSON mode prints summary + scored groups + critical group details
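The scoring, threshold and exit-code behaviour described under "What this skill does", "Inputs" and "Output contract" can be seen end to end in the following Python example. It is an added example, not the skill's bundled scripts/deploy-risk-audit.sh: the weighting of the three signals, the set of run conclusions treated as failures, and the flat "repository" string on each record are assumptions (the page shows neither the real script's formula nor its record shape), and the run records are constructed rather than collected with gh.

```python
"""Added example (not the skill's scripts/deploy-risk-audit.sh): a minimal
reimplementation of the grouping, scoring and gating SKILL.md describes.
Assumed: the score weights, which conclusions count as failures, and the
top-level "repository" string in each record; the page shows none of these."""
import json
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

FAILURE = {"failure", "timed_out", "startup_failure"}  # assumed set of failed-deploy conclusions
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)       # fixed reference time for the constructed data
parse_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))

def run(db_id, repo, workflow, branch, conclusion, created_at):  # one `gh run view --json` record
    return {"databaseId": db_id, "repository": repo, "workflowName": workflow, "headBranch": branch,
            "conclusion": conclusion, "createdAt": created_at,
            "url": f"https://github.com/{repo}/actions/runs/{db_id}"}

# Constructed sample runs; a real audit would json.load every file in glob.glob(RUN_GLOB).
SAMPLE_RUNS = [
    run(101, "acme/api", "Deploy Production", "main", "success", "2024-06-01T10:00:00Z"),
    run(102, "acme/api", "Deploy Production", "main", "success", "2024-06-05T10:00:00Z"),
    run(103, "acme/api", "Deploy Production", "main", "failure", "2024-06-10T10:00:00Z"),
    run(104, "acme/api", "Deploy Production", "main", "failure", "2024-06-12T10:00:00Z"),
    run(105, "acme/api", "Deploy Production", "main", "timed_out", "2024-06-14T10:00:00Z"),
    run(201, "acme/web", "Release", "main", "failure", "2024-06-10T09:00:00Z"),
    run(202, "acme/web", "Release", "main", "cancelled", "2024-06-11T09:00:00Z"),   # neither pass nor fail
    run(203, "acme/web", "Release", "main", "success", "2024-06-13T09:00:00Z"),
    run(204, "acme/web", "Release", "main", "success", "2024-06-14T09:00:00Z"),
    run(301, "acme/api", "CI", "main", "failure", "2024-06-14T08:00:00Z"),           # not a deploy workflow
    run(401, "acme/tools", "Deploy Docs", "main", "failure", "2024-06-14T08:00:00Z"),  # below MIN_RUNS
]

def config(env=None):
    """Read the SKILL.md inputs from the environment, using the documented defaults."""
    env = os.environ if env is None else env
    return {"deploy_match": re.compile(env.get("DEPLOY_WORKFLOW_MATCH", r"(?i)(deploy|release|ship|production)")),
            "min_runs": int(env.get("MIN_RUNS", 2)), "top_n": int(env.get("TOP_N", 20)),
            "fail_warn": float(env.get("FAIL_WARN_PERCENT", 20)), "fail_crit": float(env.get("FAIL_CRITICAL_PERCENT", 40)),
            "stale_days": float(env.get("STALE_SUCCESS_DAYS", 7)),
            "warn_score": float(env.get("WARN_SCORE", 35)), "crit_score": float(env.get("CRITICAL_SCORE", 60))}

def score_groups(runs, cfg, now):
    """Filter to deploy workflows, group by repo+workflow+branch, score, rank, keep TOP_N."""
    groups = defaultdict(list)
    for r in runs:
        if cfg["deploy_match"].search(r["workflowName"]):
            groups[(r["repository"], r["workflowName"], r["headBranch"])].append(r)
    scored = []
    for (repo, wf, branch), rs in groups.items():
        rs = sorted(rs, key=lambda r: parse_ts(r["createdAt"]))
        counted = [r for r in rs if r["conclusion"] == "success" or r["conclusion"] in FAILURE]
        if len(counted) < cfg["min_runs"]:
            continue
        failures = sum(r["conclusion"] in FAILURE for r in counted)
        rate = 100.0 * failures / len(counted)
        streak = 0  # unresolved trailing failures: count back from the newest run until a success
        while streak < len(counted) and counted[-1 - streak]["conclusion"] in FAILURE:
            streak += 1
        successes = [parse_ts(r["createdAt"]) for r in counted if r["conclusion"] == "success"]
        days = (now - max(successes)).total_seconds() / 86400 if successes else None
        # Assumed weighting: failure rate up to 50 pts, streak up to 30, staleness up to 20.
        stale_pts = 20.0 if days is None else min(20.0, 20.0 * days / cfg["stale_days"])
        score = round(0.5 * min(rate, 100.0) + 6 * min(streak, 5) + stale_pts)
        level = ("critical" if score >= cfg["crit_score"] or rate >= cfg["fail_crit"]
                 else "warning" if score >= cfg["warn_score"] or rate >= cfg["fail_warn"] else "ok")
        scored.append({"repository": repo, "workflow": wf, "branch": branch, "runs": len(counted),
                       "failure_rate": round(rate, 1), "trailing_failures": streak,
                       "days_since_success": None if days is None else round(days, 1),
                       "score": score, "level": level, "sample_url": counted[-1]["url"]})
    scored.sort(key=lambda g: (-g["score"], g["repository"], g["workflow"], g["branch"]))
    return scored[:cfg["top_n"]]

def render(groups, fmt="text"):
    """Text: summary + ranked groups.  JSON: summary + scored groups + critical group details."""
    critical = [g for g in groups if g["level"] == "critical"]
    summary = {"groups": len(groups), "critical": len(critical), "warning": sum(g["level"] == "warning" for g in groups)}
    if fmt == "json":
        return json.dumps({"summary": summary, "groups": groups, "critical_groups": critical}, indent=2)
    lines = [f"{summary['groups']} deploy group(s): {summary['critical']} critical, {summary['warning']} warning"]
    for g in groups:
        stale = "never" if g["days_since_success"] is None else f"{g['days_since_success']}d"
        lines.append(f"[{g['level']:8}] score={g['score']:3} fail={g['failure_rate']:5.1f}% streak={g['trailing_failures']} "
                     f"last_success={stale} {g['repository']} / {g['workflow']} @ {g['branch']}")
    return "\n".join(lines)

def exit_code(groups, fail_on_critical):
    """Output contract: 0 in report mode; 1 only when FAIL_ON_CRITICAL=1 and a group is critical."""
    return 1 if fail_on_critical and any(g["level"] == "critical" for g in groups) else 0

if __name__ == "__main__":
    result = score_groups(SAMPLE_RUNS, config(), NOW)
    print(render(result, os.environ.get("OUTPUT_FORMAT", "text")))
    raise SystemExit(exit_code(result, os.environ.get("FAIL_ON_CRITICAL") == "1"))
```

With the constructed data, acme/api's Deploy Production group is critical on both the score and the FAIL_CRITICAL_PERCENT threshold (three trailing failures, 60% failure rate, last success over a week old), acme/web's Release group is only a warning, the CI workflow is filtered out by DEPLOY_WORKFLOW_MATCH and the single-run Deploy Docs group is dropped by MIN_RUNS. Running it with OUTPUT_FORMAT=json FAIL_ON_CRITICAL=1 exits 1, report mode exits 0. Note that the regex inputs are compiled straight from the environment, which is the spot where an untrusted or pathological pattern would land if a release gate builds them programmatically.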
