feat: add github-actions-workflow-linter skill and cloud-finops-advisor #2195
Venchoes wants to merge 4 commits into
Conversation
🔒 PR Risk Scan Results: scanned 4 changed file(s).
🔍 Vally Lint Results
Pull request overview
This pull request adds two new Copilot resources to the Awesome Copilot repository: a new skill for linting CI workflow YAML (GitHub Actions / GitLab CI) with a security/best-practice focus, and a new agent for FinOps-style cloud cost analysis and optimization, plus the corresponding documentation index updates.
Changes:
- Added `github-actions-workflow-linter` skill describing checks for action pinning, secret handling, permissions, deprecated commands, and pipeline hygiene.
- Added `cloud-finops-advisor` agent defining a structured FinOps approach (Inform → Optimize → Operate) and a standardized findings/report format.
- Registered both additions in the generated docs tables (`docs/README.skills.md`, `docs/README.agents.md`).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| skills/github-actions-workflow-linter/SKILL.md | New skill definition and guidance for reviewing/linting CI workflow YAML with security best practices. |
| agents/cloud-finops-advisor.agent.md | New FinOps-focused agent definition for cloud cost analysis and optimization across AWS/GCP/Azure. |
| docs/README.skills.md | Adds the new skill to the skills documentation index table. |
| docs/README.agents.md | Adds the new agent to the agents documentation index table. |
| @@ -0,0 +1,86 @@ | |||
| --- | |||
| name: github-actions-workflow-linter | |||
| description: Lints GitHub Actions / GitLab CI workflow YAML files for unpinned actions, unsafe secret usage, deprecated commands, and security anti-patterns. Use this skill whenever a user asks to review, audit, lint, or harden a CI/CD workflow file, or mentions ".github/workflows", "GitHub Actions", "GitLab CI", "pipeline security", or "workflow YAML". | |||
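Review bot: the frontmatter names the skill `github-actions-workflow-linter` but the description advertises GitLab CI coverage and lists "GitLab CI" as a trigger phrase; either narrow the description to GitHub Actions (noting GitLab CI as best-effort) or choose a name that matches the advertised scope, so the trigger phrases do not promise checks the name does not imply. The description is also a single very long line; consider splitting the trigger phrases onto their own sentence for readability.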
| | [Caveman Mode](../agents/caveman-mode.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcaveman-mode.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcaveman-mode.agent.md) | Terse, low-token responses. Minimal words, no fluff. Full capabilities preserved. Use when: optimize token usage, low-token mode, concise output, caveman mode, reduce verbosity, token-efficient, brief responses. | | | ||
| | [CentOS Linux Expert](../agents/centos-linux-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcentos-linux-expert.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcentos-linux-expert.agent.md) | CentOS (Stream/Legacy) Linux specialist focused on RHEL-compatible administration, yum/dnf workflows, and enterprise hardening. | | | ||
| | [Clojure Interactive Programming](../agents/clojure-interactive-programming.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fclojure-interactive-programming.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fclojure-interactive-programming.agent.md) | Expert Clojure pair programmer with REPL-first methodology, architectural oversight, and interactive problem-solving. Enforces quality standards, prevents workarounds, and develops solutions incrementally through live REPL evaluation before file modifications. | | | ||
| | [Cloud Finops Advisor](../agents/cloud-finops-advisor.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcloud-finops-advisor.agent.md)<br />[](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fcloud-finops-advisor.agent.md) | A FinOps-focused persona that analyzes AWS/GCP/Azure billing exports, infrastructure-as-code, and cloud resource configurations to identify waste, right-sizing opportunities, and cost-aware architectural improvements. Use this agent when the user wants to reduce cloud spend, understand a cloud bill, evaluate Reserved Instance / Savings Plan / Committed Use strategies, or redesign infrastructure to be more cost-efficient. | | |
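Review bot: in the `Cloud Finops Advisor` row the title reads "Finops" while the description says "FinOps"; since this table is generated (per the PR overview), fix whatever source the generator derives the title from rather than editing the row by hand, then re-run the build so the table stays reproducible.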
aaronpowell left a comment:
We already have several contributions for GitHub Actions across skills, instructions, and agents. Please review whether your changes can be incorporated in those rather than another standalone skill.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| - Confirm that secrets are only referenced inside `${{ secrets.NAME }}` expressions and never hardcoded as plaintext values. | ||
|
|
||
| ### 3. Permissions | ||
| - Flag workflows/jobs missing an explicit `permissions:` block (GitHub defaults to broad read/write `GITHUB_TOKEN` permissions unless restricted at the org level). |
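Review bot: the parenthetical in the permissions check overstates the default. The `GITHUB_TOKEN` default is configurable at enterprise, organization and repository level, and GitHub's default for newly created repositories is the restricted read-only setting, so "defaults to broad read/write unless restricted at the org level" is only true for older repositories that kept the permissive setting. Suggest wording such as "the default depends on the repository/organization setting; legacy repositories may still default to permissive", and recommend an explicit top-level `permissions: {}` or `contents: read` regardless. In the secrets check above, "only referenced inside `${{ secrets.NAME }}` expressions" should also exclude interpolating that expression directly into a `run:` script, which the PR description already says the skill flags; state here that secrets belong in `env:` and are read as shell variables.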
Pull Request Checklist
- … `npm start` and verified that `README.md` is up to date.
- … `main` branch for this pull request.

Description
This PR adds two related contributions covering DevOps CI/CD security and cloud cost management, both aligned with the course's Full Cycle Development practices.
🧰 Skill: `github-actions-workflow-linter`

Teaches Copilot to perform a security- and best-practice-focused lint pass over CI/CD workflow definitions (primarily GitHub Actions `.yml`/`.yaml` files under `.github/workflows/`, with secondary support for GitLab CI `.gitlab-ci.yml`). The skill automatically activates whenever a user asks to review, audit, harden, or fix a workflow file, or when the active file matches a workflow path. It checks for:

- … `@v4`, `@main`) instead of a full commit SHA, treating unpinned third-party actions as Critical severity due to supply-chain risk.
- … `run:` shell commands instead of passed via `env:`, and flags unsafe `pull_request_target` + secrets combinations that enable privilege escalation.
- … `permissions:` blocks (e.g. `write-all`), recommending least-privilege scoping.
- … `::set-output`, `::set-env`, etc.) and outdated runner images/action versions.
- … `timeout-minutes`, missing dependency caching, self-hosted runners exposed to fork PRs, and missing `concurrency:` groups on deploy workflows.

Output is a structured, severity-ranked report (Critical/High/Medium/Low) with concrete fixed YAML snippets for each finding, or Copilot can apply fixes directly when asked.
🎭 Agent: `cloud-finops-advisor`

A FinOps-focused persona that turns Copilot Chat into a specialist for cloud cost analysis and optimization across AWS, GCP, and Azure. Structures its work around the FinOps Foundation's Inform → Optimize → Operate phases.
Core responsibilities:
Recommendations are always output as a prioritized, quantified action list (quick wins vs. structural changes vs. governance), and the agent never fabricates dollar figures without real billing data — it uses clearly marked placeholders instead.
Why together
Both contributions target the DevOps/Cloud practices covered in the course (CI/CD pipeline security and cloud cost management under a Full Cycle Development approach), and are submitted together as a themed bundle per the CONTRIBUTING.md guidance encouraging Skill + Agent pairs.
Type of Contribution
Additional Notes
Tested both in GitHub Copilot Chat:
- … `uses:` references, hardcoded secrets in `run:` steps, and missing `permissions:` blocks — the skill correctly flagged all seeded issues with accurate severity and suggested concrete fixes.

Both files passed `npm run skill:validate` and `npm run build` locally, with `README.md` regenerated accordingly.
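As an added example that is not part of this PR or the skill's own code, here is a line-oriented Python pass implementing the checks the description lists (unpinned `uses:` refs, secrets interpolated into `run:`, `pull_request_target` combined with secrets, `write-all` or missing `permissions:`, deprecated `::set-output`-style commands, missing `timeout-minutes:`), run over a constructed vulnerable workflow and its hardened counterpart. It scans raw text with regexes rather than a YAML parser, the lower severity for GitHub-owned action owners is my assumption, the rule names are illustrative, and the 40-hex SHAs in the hardened sample are placeholders, not real commits.

```python
"""Regex-based security lint for GitHub Actions workflow YAML (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s]+)")
RUN = re.compile(r"^(?P<indent>\s*)-?\s*run:\s*(?P<rest>.*)$")
SECRET = re.compile(r"\$\{\{\s*secrets\.")
DEPRECATED = re.compile(r"::(set-output|set-env|add-path|save-state)\b")
FIRST_PARTY_OWNERS = {"actions", "github"}  # assumption: unpinned but GitHub-owned -> High, not Critical
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    line: int  # 0 means "whole file"
    rule: str
    message: str


def lint_workflow(text: str) -> list:
    """Return findings sorted by severity rank, then line number."""
    findings: list = []
    run_indent: Optional[int] = None  # indent of a `run: |` key while inside its block scalar
    prt_line = 0                      # line of the pull_request_target trigger, if present
    references_secrets = has_permissions = has_timeout = False

    def add(sev: str, line: int, rule: str, msg: str) -> None:
        findings.append(Finding(sev, line, rule, msg))

    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())

        # Continuation lines of a `run: |` block are shell script: secrets here reach the shell.
        if run_indent is not None and indent > run_indent:
            if SECRET.search(raw):
                references_secrets = True
                add("High", n, "secret-in-run", "secret interpolated into run: script; pass it via env:")
            if DEPRECATED.search(raw):
                add("Medium", n, "deprecated-command", f"deprecated workflow command: {stripped}")
            continue
        run_indent = None

        if SECRET.search(raw):
            references_secrets = True
        if DEPRECATED.search(raw):
            add("Medium", n, "deprecated-command", f"deprecated workflow command: {stripped}")
        if "pull_request_target" in stripped and not prt_line:
            prt_line = n
        if re.match(r"^\s*permissions:", raw):
            has_permissions = True
            if re.match(r"^\s*permissions:\s*write-all", raw):
                add("High", n, "broad-permissions", "permissions: write-all grants every scope")
        if re.match(r"^\s*timeout-minutes:", raw):
            has_timeout = True

        m = USES.match(raw)
        if m and not m.group("action").startswith(("./", "docker://")):
            action, ref = m.group("action"), m.group("ref")
            if not SHA40.match(ref):  # tags and branches are mutable; only a full SHA is immutable
                sev = "High" if action.split("/", 1)[0] in FIRST_PARTY_OWNERS else "Critical"
                add(sev, n, "unpinned-action", f"{action}@{ref} is a mutable ref; pin to a commit SHA")

        m = RUN.match(raw)
        if m:
            rest = m.group("rest").strip()
            if rest.startswith(("|", ">")):
                run_indent = len(m.group("indent"))
            elif SECRET.search(rest):
                add("High", n, "secret-in-run", "secret interpolated into run: script; pass it via env:")

    if prt_line and references_secrets:
        add("Critical", prt_line, "pull-request-target-secrets",
            "pull_request_target exposes secrets to code from fork PRs")
    if not has_permissions:
        add("Medium", 0, "missing-permissions", "no permissions: block; GITHUB_TOKEN uses the repo default")
    if not has_timeout:
        add("Low", 0, "missing-timeout", "no timeout-minutes: on any job")
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


# Constructed samples (not from any real repository).
VULNERABLE = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/cool-action@main
      - run: |
          echo "::set-output name=token::${{ secrets.NPM_TOKEN }}"
          npm publish
"""

HARDENED = """name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: some-org/cool-action@89abcdef0123456789abcdef0123456789abcdef # v1.2.3 (placeholder)
      - run: |
          echo "published=true" >> "$GITHUB_OUTPUT"
          npm publish
"""

if __name__ == "__main__":
    for f in lint_workflow(VULNERABLE):
        print(f"{f.severity:8} L{f.line:<3} {f.rule}: {f.message}")
    print("hardened findings:", lint_workflow(HARDENED))
```

The hardened sample shows the fixes the report would recommend: the trigger drops to `pull_request`, the token is read as a shell variable from `env:` instead of being interpolated, `::set-output` becomes a write to `$GITHUB_OUTPUT`, and each `uses:` is pinned to a commit SHA with the tag kept in a trailing comment so tools such as Dependabot can still bump it.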