github-actions

Language Conventions

Infer language style from the project:
  • Analyse existing workflows, commit messages, and documentation to detect the project's language variant (US English, UK English, etc.)
  • Match the spelling conventions found in the project (e.g., "optimize" vs "optimise", "customize" vs "customise")
  • Maintain consistency with the project's established language style throughout workflow files and comments

Mode Detection

Determine the mode based on context:
  • Create mode: no `.github/workflows/` directory exists, or the user explicitly asks to create/add a workflow
  • Audit mode: `.github/workflows/*.yml` files exist, or the user explicitly asks to audit/review/fix workflows

Create Mode

1. Detect Project Type

Scan for project indicators:
  • `package.json` → Node.js/JS/TS
  • `go.mod` → Go
  • `requirements.txt` / `pyproject.toml` / `setup.py` → Python
  • `Cargo.toml` → Rust
  • `Gemfile` → Ruby

2. Detect Package Manager (JS/TS projects)

  • `pnpm-lock.yaml` → pnpm
  • `bun.lock` / `bun.lockb` → bun
  • `yarn.lock` → yarn
  • `package-lock.json` → npm

3. Generate Workflow

Apply all rules from the `rules/` directory when generating workflows. Read each rule file for detailed requirements and examples.

4. Workflow Template

Adapt this CI template to the detected project type and package manager (replace `<pm>` with the detected package manager):

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build
```


Audit Mode

1. Scan Workflows

Read all files in `.github/workflows/*.yml` and audit against every rule in the `rules/` directory.

2. Report Format


GitHub Actions Audit Results

HIGH Severity

  • `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA

MEDIUM Severity

  • `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block

Summary

  • High: X
  • Medium: Y
  • Low: Z
  • Files scanned: N
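A minimal scanner that produces findings in the report layout above, added here as an illustration and not part of the skill itself. It implements only the three checks the report shows (mutable `uses:` refs, no `permissions` block, no `concurrency` block); the sample workflow and the 40-hex checkout SHA in it are constructed placeholders.

```python
import re

# A `uses:` reference: owner/repo[/subpath]@ref. A 40-hex ref is an immutable commit SHA;
# a tag or branch ref (v4, main) is mutable and can be retargeted by the action's owner.
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)', re.M)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(path, text):
    """Return a list of (severity, message) findings for one workflow file."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if not SHA_RE.match(ref):
            line = text.count('\n', 0, m.start()) + 1  # 1-based line of the `uses:` entry
            findings.append(('HIGH', f'{path}:{line} - {action}@{ref} → pin to commit SHA'))
    if not re.search(r'^[ \t]*permissions:', text, re.M):
        findings.append(('HIGH', f'{path} - No permissions block → add `permissions: {{contents: read}}`'))
    if not re.search(r'^[ \t]*concurrency:', text, re.M):
        findings.append(('MEDIUM', f'{path} - Missing concurrency group → add concurrency block'))
    return findings


def format_report(all_findings, files_scanned):
    """Render findings in the report layout used by this skill."""
    out = ['GitHub Actions Audit Results', '']
    for sev in ('HIGH', 'MEDIUM', 'LOW'):
        msgs = [msg for s, msg in all_findings if s == sev]
        if msgs:  # only emit a severity section when it has entries
            out += [f'{sev} Severity'] + [f'  • {msg}' for msg in msgs] + ['']
    def count(sev):
        return sum(1 for s, _ in all_findings if s == sev)
    out += ['Summary', f'  • High: {count("HIGH")}', f'  • Medium: {count("MEDIUM")}',
            f'  • Low: {count("LOW")}', f'  • Files scanned: {files_scanned}']
    return '\n'.join(out)


# Constructed sample workflow (not from any real repository); the checkout SHA is a placeholder.
SAMPLE_CI = """\
name: CI
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: codecov/codecov-action@v4
"""

if __name__ == '__main__':
    print(format_report(audit_workflow('.github/workflows/ci.yml', SAMPLE_CI), 1))
```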

3. Auto-Fix

After reporting, apply fixes using the Edit tool. Look up commit SHAs for pinning using `gh api`.

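An added example of the pinning fix (illustration only, not the skill's own code): it resolves each tag through `gh api repos/OWNER/REPO/git/ref/tags/TAG`, dereferences annotated tags to their commit, and rewrites the `uses:` line with the tag kept as a trailing comment. The `gh_resolve` path needs network access and an authenticated `gh`; the stub resolver and sample step are constructed so the example runs offline.

```python
import re
import subprocess

# Same `uses:` shape as the audit step, with named groups so the line can be rewritten in place.
USES_RE = re.compile(
    r'^(?P<prefix>[ \t]*-?[ \t]*uses:[ \t]*)(?P<repo>[\w.-]+/[\w.-]+)(?P<sub>/[\w./-]+)?@(?P<ref>\S+)',
    re.M)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def gh_resolve(repo, tag):
    """Resolve a tag to the commit it points at via `gh api` (needs network and gh auth)."""
    # GET /repos/{owner}/{repo}/git/ref/tags/{tag}; --jq applies gh's built-in jq filter.
    obj_type, sha = subprocess.run(
        ['gh', 'api', f'repos/{repo}/git/ref/tags/{tag}', '--jq', '.object.type + " " + .object.sha'],
        check=True, capture_output=True, text=True).stdout.split()
    if obj_type == 'tag':
        # Annotated tag: the ref points at a tag object, so dereference it to the commit.
        sha = subprocess.run(
            ['gh', 'api', f'repos/{repo}/git/tags/{sha}', '--jq', '.object.sha'],
            check=True, capture_output=True, text=True).stdout.strip()
    return sha


def pin_actions(text, resolve=gh_resolve):
    """Rewrite every mutable `uses:` ref to its commit SHA, keeping the tag as a trailing comment."""
    def repl(m):
        if SHA_RE.match(m['ref']):
            return m.group(0)  # already pinned, leave untouched (makes the rewrite idempotent)
        sha = resolve(m['repo'], m['ref'])
        if not SHA_RE.match(sha):  # refuse to write anything that is not a full commit SHA
            raise ValueError(f"resolver returned a non-SHA for {m['repo']}@{m['ref']}: {sha!r}")
        return f"{m['prefix']}{m['repo']}{m['sub'] or ''}@{sha}  # {m['ref']}"
    return USES_RE.sub(repl, text)


# Constructed sample; local actions (./path) have no @ref and are left alone.
SAMPLE_STEP = "      - uses: codecov/codecov-action@v4\n      - uses: ./.github/actions/local\n"
STUB_SHAS = {('codecov/codecov-action', 'v4'): 'ab' * 20}  # placeholder SHA, stands in for gh


def stub_resolve(repo, tag):
    return STUB_SHAS[(repo, tag)]


if __name__ == '__main__':
    print(pin_actions(SAMPLE_STEP, stub_resolve))
```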
Rules

Read individual rule files for detailed checks and examples:

| Rule | Severity | File |
| --- | --- | --- |
| Action pinning | HIGH | `rules/action-pinning.md` |
| Permissions | HIGH | `rules/permissions.md` |
| Concurrency | MEDIUM | `rules/concurrency.md` |
| Node version | MEDIUM | `rules/node-version.md` |
| Caching | MEDIUM | `rules/caching.md` |
| Triggers | LOW | `rules/triggers.md` |
| Matrix strategy | LOW | `rules/matrix.md` |


Assumptions

  • GitHub CLI (`gh`) is available for looking up action commit SHAs
  • The project is hosted on GitHub