GitHub Actions Manual Trigger Audit
Use this skill to detect workflows that rely too heavily on manual triggers (workflow_dispatch / repository_dispatch) instead of automated CI events.
What this skill does
- Reads GitHub Actions run JSON exports
- Groups runs by repository + workflow (+ branch)
- Measures manual-trigger share vs total run volume
- Tracks recent manual-trigger streaks (latest N runs)
- Scores severity (ok, warn, critical) for operational risk gating
- Emits text or JSON output for automation
Inputs
Optional:
- RUN_GLOB (default: artifacts/github-actions/*.json)
- TOP_N (default: 20)
- OUTPUT_FORMAT (text or json, default: text)
- GROUP_BY (workflow or workflow-branch, default: workflow)
- MANUAL_EVENTS (comma-separated, default: workflow_dispatch,repository_dispatch)
- RECENT_WINDOW (latest runs inspected for streak, default: 5)
- MIN_RUNS (minimum runs required, default: 5)
- WARN_MANUAL_RATIO (0..1, default: 0.35)
- CRITICAL_MANUAL_RATIO (0..1, default: 0.65)
- WARN_MANUAL_RUNS (default: 5)
- CRITICAL_MANUAL_RUNS (default: 12)
- WARN_RECENT_MANUAL_STREAK (default: 3)
- CRITICAL_RECENT_MANUAL_STREAK (default: 5)
- WORKFLOW_MATCH / WORKFLOW_EXCLUDE (regex, optional)
- BRANCH_MATCH / BRANCH_EXCLUDE (regex, optional)
- EVENT_MATCH / EVENT_EXCLUDE (regex, optional)
- REPO_MATCH / REPO_EXCLUDE (regex, optional)
- FAIL_ON_CRITICAL (0 or 1, default: 0)
Collect run JSON
```bash
# <run-id> is a placeholder for the run's database ID; export one file per run
mkdir -p artifacts/github-actions
gh run view <run-id> --json databaseId,workflowName,event,headBranch,conclusion,createdAt,updatedAt,url,repository \
  > artifacts/github-actions/run-<run-id>.json
```
Run
Text report:
```bash
RUN_GLOB=artifacts/github-actions/*.json \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh
```
JSON output + fail gate:
```bash
RUN_GLOB=artifacts/github-actions/*.json \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh
```
Run against bundled fixtures:
```bash
RUN_GLOB=skills/github-actions-manual-trigger-audit/fixtures/*.json \
bash skills/github-actions-manual-trigger-audit/scripts/manual-trigger-audit.sh
```
Output contract
- Exit 0 in report mode (default)
- Exit 1 when FAIL_ON_CRITICAL=1 and one or more groups are critical
- Text mode prints summary + ranked workflow groups
- JSON mode prints summary + ranked groups + critical groups
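The grouping, ratio, streak and severity rules described above, worked through on a constructed run export. This is an added Python example, not the project's bash script: it assumes a run is manual when its event is in MANUAL_EVENTS, that a group with fewer than MIN_RUNS runs scores ok, that crossing any critical threshold (ratio, manual-run count or recent streak) yields critical and any warn threshold yields warn, and that the `repository` field is a string or an object with nameWithOwner/name. The sample runs, the `acme/app` repository and the workflow names are constructed. The security reason to care: workflow_dispatch and repository_dispatch runs are started by a person or an API token with a chosen ref and inputs, so a workflow that runs mostly that way is leaving the push/pull-request path that code review and branch protection gate.

```python
"""Added example (not the project's script): the README's manual-trigger scoring in Python.
Assumptions: a run is manual when its `event` is in MANUAL_EVENTS; a group below
MIN_RUNS scores "ok"; crossing any critical threshold (ratio, manual-run count or
recent streak) gives "critical", any warn threshold gives "warn"."""
import json
import re
from collections import defaultdict

# Threshold names and defaults follow the README's input list.
DEFAULTS = {
    "MANUAL_EVENTS": {"workflow_dispatch", "repository_dispatch"},
    "RECENT_WINDOW": 5, "MIN_RUNS": 5,
    "WARN_MANUAL_RATIO": 0.35, "CRITICAL_MANUAL_RATIO": 0.65,
    "WARN_MANUAL_RUNS": 5, "CRITICAL_MANUAL_RUNS": 12,
    "WARN_RECENT_MANUAL_STREAK": 3, "CRITICAL_RECENT_MANUAL_STREAK": 5,
}

def repo_name(run):
    repo = run.get("repository", "unknown")
    if isinstance(repo, dict):  # assumed object shape; gh may also emit a plain string
        return repo.get("nameWithOwner") or repo.get("name") or "unknown"
    return str(repo)

def group_key(run, group_by):
    """repo + workflow, plus branch when GROUP_BY=workflow-branch."""
    key = (repo_name(run), run.get("workflowName", "unknown"))
    if group_by == "workflow-branch":
        key += (run.get("headBranch", "unknown"),)
    return key

def recent_manual_streak(runs_newest_first, manual_events, window):
    """Consecutive manual runs counted from the newest run, within RECENT_WINDOW."""
    streak = 0
    for run in runs_newest_first[:window]:
        if run.get("event") not in manual_events:
            break
        streak += 1
    return streak

def score(manual_runs, total_runs, streak, cfg):
    if total_runs < cfg["MIN_RUNS"]:
        return "ok"  # too little evidence to judge the group
    ratio = manual_runs / total_runs
    for level in ("CRITICAL", "WARN"):
        if (ratio >= cfg[f"{level}_MANUAL_RATIO"]
                or manual_runs >= cfg[f"{level}_MANUAL_RUNS"]
                or streak >= cfg[f"{level}_RECENT_MANUAL_STREAK"]):
            return level.lower()
    return "ok"

def audit(runs, group_by="workflow", cfg=DEFAULTS, workflow_exclude=None):
    """Group runs, score each group and rank worst first."""
    groups = defaultdict(list)
    for run in runs:
        if workflow_exclude and re.search(workflow_exclude, run.get("workflowName", "")):
            continue  # WORKFLOW_EXCLUDE regex filter
        groups[group_key(run, group_by)].append(run)
    results = []
    for key, members in groups.items():
        members.sort(key=lambda r: r.get("createdAt", ""), reverse=True)  # newest first
        total = len(members)
        manual = sum(1 for r in members if r.get("event") in cfg["MANUAL_EVENTS"])
        streak = recent_manual_streak(members, cfg["MANUAL_EVENTS"], cfg["RECENT_WINDOW"])
        results.append({"group": "/".join(key), "total_runs": total, "manual_runs": manual,
                        "manual_ratio": round(manual / total, 3), "recent_manual_streak": streak,
                        "severity": score(manual, total, streak, cfg)})
    rank = {"critical": 0, "warn": 1, "ok": 2}
    results.sort(key=lambda r: (rank[r["severity"]], -r["manual_ratio"], -r["manual_runs"]))
    return results

def exit_code(results, fail_on_critical=False):
    """README output contract: exit 1 only when gating is on and a group is critical."""
    return 1 if fail_on_critical and any(r["severity"] == "critical" for r in results) else 0

def build_sample_runs():
    """Constructed sample export (not real data); per workflow, events run oldest to newest."""
    plan = {
        "deploy": ["push", "push"] + ["workflow_dispatch"] * 6,
        "ci": ["push", "workflow_dispatch", "push", "push", "workflow_dispatch", "push"],
        "release": ["push", "push", "repository_dispatch", "push", "repository_dispatch"],
        "nightly": ["workflow_dispatch", "workflow_dispatch"],
    }
    runs, n = [], 0
    for workflow, events in plan.items():
        for event in events:
            n += 1
            runs.append({"databaseId": 1000 + n, "workflowName": workflow, "event": event,
                         "headBranch": "main", "conclusion": "success", "repository": "acme/app",
                         "createdAt": f"2024-05-01T{n:02d}:00:00Z"})
    return runs

if __name__ == "__main__":
    report = audit(build_sample_runs())
    print(json.dumps(report, indent=2))
    raise SystemExit(exit_code(report, fail_on_critical=True))
```

On the sample, `deploy` is critical on ratio (6 of 8 manual) and on a five-run manual streak, `release` is warn on ratio alone (2 of 5), `nightly` stays ok because two runs are below MIN_RUNS even though both were manual, and `ci` stays ok just under the 0.35 warn ratio. Running the block with fail gating therefore exits 1; the same thresholds applied with WORKFLOW_EXCLUDE matching `deploy` would exit 0, which is why the exclude filters deserve review in any pipeline that uses the gate.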