name: cicd-master description: | CI/CD pipeline advisor for GitHub Actions workflows, deployment scripts, and server task scheduling. Use when: (1) editing or reviewing .github/workflows/*.yml files, (2) working on deployment scripts in bin/, (3) questions about cron jobs or systemd services on local servers, (4) Docker image build/push pipelines, (5) security hardening for CI/CD (secrets, permissions, attestations). This skill provides advice and reviews - it does not execute server commands.
CI/CD Master
Advisory guidance for robust and secure CI/CD pipelines in the SAPPHIRE project.
Role: Review, advise, and suggest improvements. Does not execute server commands directly or indirectly.
Project CI/CD Architecture
Developer → GitHub Actions → Docker Hub → AWS Server → Local Hydromet Servers
│
├── build_test.yml (on push/PR)
│ └── Test builds, unit tests
│
└── deploy_main.yml (on merge to main)
└── Build, sign, push images with attestations
GitHub Actions Security Checklist
When reviewing or editing workflow files, verify:
- Pinned action versions (
@v4not@main) - Minimal
permissions:scope (preferreadoverwrite) - Secrets via
${{ secrets.* }}never hardcoded - No command injection via
${{ github.event.* }}inrun: - Timeout set for long-running jobs (
timeout-minutes:) - Concurrency controls for expensive jobs
Current Security Features
| Feature | Status | Purpose |
|---|---|---|
| SLSA Provenance | Enabled | Supply chain attestation |
| SBOM Generation | Enabled | Software Bill of Materials |
| Cosign Signing | Enabled | Image signature verification |
| Non-root User | In images | Container security |
| Pinned Actions | Yes | Reproducible builds |
Workflow Best Practices
Job Dependencies
jobs:
test:
runs-on: ubuntu-latest
build:
needs: test # Only runs if test passes
Disk Space for Large Builds
ML image builds (~4GB) need disk cleanup:
- name: Free disk space
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf /usr/local/lib/android
Supply Chain Security
- uses: docker/build-push-action@v6
with:
provenance: true
sbom: true
Deployment Script Review (bin/)
When reviewing scripts in bin/, check for:
- Proper error handling (
set -eor equivalent) - No hardcoded credentials (use environment variables)
- Logging for debugging
- Idempotency (safe to run multiple times)
- Clear documentation of prerequisites
Task Scheduling Guidance
Cron Syntax Reference
┌───────────── minute (0-59)
│ ┌───────────── hour (0-23)
│ │ ┌───────────── day of month (1-31)
│ │ │ ┌───────────── month (1-12)
│ │ │ │ ┌───────────── day of week (0-6, Sun=0)
│ │ │ │ │
* * * * *
# Examples
0 6 * * * # Daily at 6:00 AM
0 */6 * * * # Every 6 hours
0 6 1 * * # First day of month at 6:00 AM
Systemd Timers (recommended over cron)
- More reliable with
Persistent=true(runs missed jobs) - Better logging via
journalctl - Dependency management with other services
Common Issues & Solutions
| Issue | Solution |
|---|---|
| Build timeout | Add timeout-minutes: 60 |
| ML build fails | Add disk cleanup step |
| Docker rate limits | Use authenticated pulls |
| Workflow not triggering | Check on: triggers and branch rules |