Github Workflow Automation

1---2name: github-workflow-automation3description: "Patterns for automating GitHub workflows with AI assistance, inspired by [Gemini CLI](https://github.com/google-gemini/gemini-cli) and modern DevOps practices."4risk: critical5source: community6date_added: "2026-02-27"7---8 9# 🔧 GitHub Workflow Automation10 11> Patterns for automating GitHub workflows with AI assistance, inspired by [Gemini CLI](https://github.com/google-gemini/gemini-cli) and modern DevOps practices.12 13## When to Use This Skill14 15Use this skill when:16 17- Automating PR reviews with AI18- Setting up issue triage automation19- Creating GitHub Actions workflows20- Integrating AI into CI/CD pipelines21- Automating Git operations (rebases, cherry-picks)22 23---24 25## 1. Automated PR Review26 27### 1.1 PR Review Action28 29```yaml30# .github/workflows/ai-review.yml31name: AI Code Review32 33on:34  pull_request:35    types: [opened, synchronize]36 37jobs:38  review:39    runs-on: ubuntu-latest40    permissions:41      contents: read42      pull-requests: write43 44    steps:45      - uses: actions/checkout@v446        with:47          fetch-depth: 048 49      - name: Get changed files50        id: changed51        run: |52          files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)53          echo "files<<EOF" >> $GITHUB_OUTPUT54          echo "$files" >> $GITHUB_OUTPUT55          echo "EOF" >> $GITHUB_OUTPUT56 57      - name: Get diff58        id: diff59        run: |60          diff=$(git diff origin/${{ github.base_ref }}...HEAD)61          echo "diff<<EOF" >> $GITHUB_OUTPUT62          echo "$diff" >> $GITHUB_OUTPUT63          echo "EOF" >> $GITHUB_OUTPUT64 65      - name: AI Review66        uses: actions/github-script@v767        with:68          script: |69            const { Anthropic } = require('@anthropic-ai/sdk');70            const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });71 72            const response = await client.messages.create({73              model: "claude-3-sonnet-20240229",74              max_tokens: 4096,75              messages: [{76                role: "user",77                content: `Review this PR diff and provide feedback:78                79                Changed files: ${{ steps.changed.outputs.files }}80                81                Diff:82                ${{ steps.diff.outputs.diff }}83                84                Provide:85                1. Summary of changes86                2. Potential issues or bugs87                3. Suggestions for improvement88                4. Security concerns if any89                90                Format as GitHub markdown.`91              }]92            });93 94            await github.rest.pulls.createReview({95              owner: context.repo.owner,96              repo: context.repo.repo,97              pull_number: context.issue.number,98              body: response.content[0].text,99              event: 'COMMENT'100            });101        env:102          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}103```104 105### 1.2 Review Comment Patterns106 107````markdown108# AI Review Structure109 110## 📋 Summary111 112Brief description of what this PR does.113 114## ✅ What looks good115 116- Well-structured code117- Good test coverage118- Clear naming conventions119 120## ⚠️ Potential Issues121 1221. **Line 42**: Possible null pointer exception123   ```javascript124   // Current125   user.profile.name;126   // Suggested127   user?.profile?.name ?? "Unknown";128   ```129````130 1312. **Line 78**: Consider error handling132   ```javascript133   // Add try-catch or .catch()134   ```135 136## 💡 Suggestions137 138- Consider extracting the validation logic into a separate function139- Add JSDoc comments for public methods140 141## 🔒 Security Notes142 143- No sensitive data exposure detected144- API key handling looks correct145 146````147 148### 1.3 Focused Reviews149 150```yaml151# Review only specific file types152- name: Filter code files153  run: |154    files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | \155            grep -E '\.(ts|tsx|js|jsx|py|go)$' || true)156    echo "code_files=$files" >> $GITHUB_OUTPUT157 158# Review with context159- name: AI Review with context160  run: |161    # Include relevant context files162    context=""163    for file in ${{ steps.changed.outputs.files }}; do164      if [[ -f "$file" ]]; then165        context+="=== $file ===\n$(cat $file)\n\n"166      fi167    done168 169    # Send to AI with full file context170````171 172---173 174## 2. Issue Triage Automation175 176### 2.1 Auto-label Issues177 178```yaml179# .github/workflows/issue-triage.yml180name: Issue Triage181 182on:183  issues:184    types: [opened]185 186jobs:187  triage:188    runs-on: ubuntu-latest189    permissions:190      issues: write191 192    steps:193      - name: Analyze issue194        uses: actions/github-script@v7195        with:196          script: |197            const issue = context.payload.issue;198 199            // Call AI to analyze200            const analysis = await analyzeIssue(issue.title, issue.body);201 202            // Apply labels203            const labels = [];204 205            if (analysis.type === 'bug') {206              labels.push('bug');207              if (analysis.severity === 'high') labels.push('priority: high');208            } else if (analysis.type === 'feature') {209              labels.push('enhancement');210            } else if (analysis.type === 'question') {211              labels.push('question');212            }213 214            if (analysis.area) {215              labels.push(`area: ${analysis.area}`);216            }217 218            await github.rest.issues.addLabels({219              owner: context.repo.owner,220              repo: context.repo.repo,221              issue_number: issue.number,222              labels: labels223            });224 225            // Add initial response226            if (analysis.type === 'bug' && !analysis.hasReproSteps) {227              await github.rest.issues.createComment({228                owner: context.repo.owner,229                repo: context.repo.repo,230                issue_number: issue.number,231                body: `Thanks for reporting this issue!232 233To help us investigate, could you please provide:234- Steps to reproduce the issue235- Expected behavior236- Actual behavior237- Environment (OS, version, etc.)238 239This will help us resolve your issue faster. 🙏`240              });241            }242```243 244### 2.2 Issue Analysis Prompt245 246```typescript247const TRIAGE_PROMPT = `248Analyze this GitHub issue and classify it:249 250Title: {title}251Body: {body}252 253Return JSON with:254{255  "type": "bug" | "feature" | "question" | "docs" | "other",256  "severity": "low" | "medium" | "high" | "critical",257  "area": "frontend" | "backend" | "api" | "docs" | "ci" | "other",258  "summary": "one-line summary",259  "hasReproSteps": boolean,260  "isFirstContribution": boolean,261  "suggestedLabels": ["label1", "label2"],262  "suggestedAssignees": ["username"] // based on area expertise263}264`;265```266 267### 2.3 Stale Issue Management268 269```yaml270# .github/workflows/stale.yml271name: Manage Stale Issues272 273on:274  schedule:275    - cron: "0 0 * * *" # Daily276 277jobs:278  stale:279    runs-on: ubuntu-latest280    steps:281      - uses: actions/stale@v9282        with:283          stale-issue-message: |284            This issue has been automatically marked as stale because it has not had 285            recent activity. It will be closed in 14 days if no further activity occurs.286 287            If this issue is still relevant:288            - Add a comment with an update289            - Remove the `stale` label290 291            Thank you for your contributions! 🙏292 293          stale-pr-message: |294            This PR has been automatically marked as stale. Please update it or it 295            will be closed in 14 days.296 297          days-before-stale: 60298          days-before-close: 14299          stale-issue-label: "stale"300          stale-pr-label: "stale"301          exempt-issue-labels: "pinned,security,in-progress"302          exempt-pr-labels: "pinned,security"303```304 305---306 307## 3. CI/CD Integration308 309### 3.1 Smart Test Selection310 311```yaml312# .github/workflows/smart-tests.yml313name: Smart Test Selection314 315on:316  pull_request:317 318jobs:319  analyze:320    runs-on: ubuntu-latest321    outputs:322      test_suites: ${{ steps.analyze.outputs.suites }}323 324    steps:325      - uses: actions/checkout@v4326        with:327          fetch-depth: 0328 329      - name: Analyze changes330        id: analyze331        run: |332          # Get changed files333          changed=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)334 335          # Determine which test suites to run336          suites="[]"337 338          if echo "$changed" | grep -q "^src/api/"; then339            suites=$(echo $suites | jq '. + ["api"]')340          fi341 342          if echo "$changed" | grep -q "^src/frontend/"; then343            suites=$(echo $suites | jq '. + ["frontend"]')344          fi345 346          if echo "$changed" | grep -q "^src/database/"; then347            suites=$(echo $suites | jq '. + ["database", "api"]')348          fi349 350          # If nothing specific, run all351          if [ "$suites" = "[]" ]; then352            suites='["all"]'353          fi354 355          echo "suites=$suites" >> $GITHUB_OUTPUT356 357  test:358    needs: analyze359    runs-on: ubuntu-latest360    strategy:361      matrix:362        suite: ${{ fromJson(needs.analyze.outputs.test_suites) }}363 364    steps:365      - uses: actions/checkout@v4366 367      - name: Run tests368        run: |369          if [ "${{ matrix.suite }}" = "all" ]; then370            npm test371          else372            npm test -- --suite ${{ matrix.suite }}373          fi374```375 376### 3.2 Deployment with AI Validation377 378```yaml379# .github/workflows/deploy.yml380name: Deploy with AI Validation381 382on:383  push:384    branches: [main]385 386jobs:387  validate:388    runs-on: ubuntu-latest389    steps:390      - uses: actions/checkout@v4391 392      - name: Get deployment changes393        id: changes394        run: |395          # Get commits since last deployment396          last_deploy=$(git describe --tags --abbrev=0 2>/dev/null || echo "")397          if [ -n "$last_deploy" ]; then398            changes=$(git log --oneline $last_deploy..HEAD)399          else400            changes=$(git log --oneline -10)401          fi402          echo "changes<<EOF" >> $GITHUB_OUTPUT403          echo "$changes" >> $GITHUB_OUTPUT404          echo "EOF" >> $GITHUB_OUTPUT405 406      - name: AI Risk Assessment407        id: assess408        uses: actions/github-script@v7409        with:410          script: |411            // Analyze changes for deployment risk412            const prompt = `413            Analyze these changes for deployment risk:414 415            ${process.env.CHANGES}416 417            Return JSON:418            {419              "riskLevel": "low" | "medium" | "high",420              "concerns": ["concern1", "concern2"],421              "recommendations": ["rec1", "rec2"],422              "requiresManualApproval": boolean423            }424            `;425 426            // Call AI and parse response427            const analysis = await callAI(prompt);428 429            if (analysis.riskLevel === 'high') {430              core.setFailed('High-risk deployment detected. Manual review required.');431            }432 433            return analysis;434        env:435          CHANGES: ${{ steps.changes.outputs.changes }}436 437  deploy:438    needs: validate439    runs-on: ubuntu-latest440    environment: production441    steps:442      - name: Deploy443        run: |444          echo "Deploying to production..."445          # Deployment commands here446```447 448### 3.3 Rollback Automation449 450```yaml451# .github/workflows/rollback.yml452name: Automated Rollback453 454on:455  workflow_dispatch:456    inputs:457      reason:458        description: "Reason for rollback"459        required: true460 461jobs:462  rollback:463    runs-on: ubuntu-latest464    steps:465      - uses: actions/checkout@v4466        with:467          fetch-depth: 0468 469      - name: Find last stable version470        id: stable471        run: |472          # Find last successful deployment473          stable=$(git tag -l 'v*' --sort=-version:refname | head -1)474          echo "version=$stable" >> $GITHUB_OUTPUT475 476      - name: Rollback477        run: |478          git checkout ${{ steps.stable.outputs.version }}479          # Deploy stable version480          npm run deploy481 482      - name: Notify team483        uses: slackapi/slack-github-action@v1484        with:485          payload: |486            {487              "text": "🔄 Production rolled back to ${{ steps.stable.outputs.version }}",488              "blocks": [489                {490                  "type": "section",491                  "text": {492                    "type": "mrkdwn",493                    "text": "*Rollback executed*\n• Version: `${{ steps.stable.outputs.version }}`\n• Reason: ${{ inputs.reason }}\n• Triggered by: ${{ github.actor }}"494                  }495                }496              ]497            }498```499 500---501 502## 4. Git Operations503 504### 4.1 Automated Rebasing505 506```yaml507# .github/workflows/auto-rebase.yml508name: Auto Rebase509 510on:511  issue_comment:512    types: [created]513 514jobs:515  rebase:516    if: github.event.issue.pull_request && contains(github.event.comment.body, '/rebase')517    runs-on: ubuntu-latest518 519    steps:520      - uses: actions/checkout@v4521        with:522          fetch-depth: 0523          token: ${{ secrets.GITHUB_TOKEN }}524 525      - name: Setup Git526        run: |527          git config user.name "github-actions[bot]"528          git config user.email "github-actions[bot]@users.noreply.github.com"529 530      - name: Rebase PR531        run: |532          # Fetch PR branch533          gh pr checkout ${{ github.event.issue.number }}534 535          # Rebase onto main536          git fetch origin main537          git rebase origin/main538 539          # Force push540          git push --force-with-lease541        env:542          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}543 544      - name: Comment result545        uses: actions/github-script@v7546        with:547          script: |548            github.rest.issues.createComment({549              owner: context.repo.owner,550              repo: context.repo.repo,551              issue_number: context.issue.number,552              body: '✅ Successfully rebased onto main!'553            })554```555 556### 4.2 Smart Cherry-Pick557 558```typescript559// AI-assisted cherry-pick that handles conflicts560async function smartCherryPick(commitHash: string, targetBranch: string) {561  // Get commit info562  const commitInfo = await exec(`git show ${commitHash} --stat`);563 564  // Check for potential conflicts565  const targetDiff = await exec(566    `git diff ${targetBranch}...HEAD -- ${affectedFiles}`567  );568 569  // AI analysis570  const analysis = await ai.analyze(`571    I need to cherry-pick this commit to ${targetBranch}:572    573    ${commitInfo}574    575    Current state of affected files on ${targetBranch}:576    ${targetDiff}577    578    Will there be conflicts? If so, suggest resolution strategy.579  `);580 581  if (analysis.willConflict) {582    // Create branch for manual resolution583    await exec(584      `git checkout -b cherry-pick-${commitHash.slice(0, 7)} ${targetBranch}`585    );586    const result = await exec(`git cherry-pick ${commitHash}`, {587      allowFail: true,588    });589 590    if (result.failed) {591      // AI-assisted conflict resolution592      const conflicts = await getConflicts();593      for (const conflict of conflicts) {594        const resolution = await ai.resolveConflict(conflict);595        await applyResolution(conflict.file, resolution);596      }597    }598  } else {599    await exec(`git checkout ${targetBranch}`);600    await exec(`git cherry-pick ${commitHash}`);601  }602}603```604 605### 4.3 Branch Cleanup606 607```yaml608# .github/workflows/branch-cleanup.yml609name: Branch Cleanup610 611on:612  schedule:613    - cron: '0 0 * * 0'  # Weekly614  workflow_dispatch:615 616jobs:617  cleanup:618    runs-on: ubuntu-latest619    steps:620      - uses: actions/checkout@v4621        with:622          fetch-depth: 0623 624      - name: Find stale branches625        id: stale626        run: |627          # Branches not updated in 30 days628          stale=$(git for-each-ref --sort=-committerdate refs/remotes/origin \629            --format='%(refname:short) %(committerdate:relative)' | \630            grep -E '[3-9][0-9]+ days|[0-9]+ months|[0-9]+ years' | \631            grep -v 'origin/main\|origin/develop' | \632            cut -d' ' -f1 | sed 's|origin/||')633 634          echo "branches<<EOF" >> $GITHUB_OUTPUT635          echo "$stale" >> $GITHUB_OUTPUT636          echo "EOF" >> $GITHUB_OUTPUT637 638      - name: Create cleanup PR639        if: steps.stale.outputs.branches != ''640        uses: actions/github-script@v7641        with:642          script: |643            const branches = `${{ steps.stale.outputs.branches }}`.split('\n').filter(Boolean);644 645            const body = `## 🧹 Stale Branch Cleanup646 647The following branches haven't been updated in over 30 days:648 649${branches.map(b => `- \`${b}\``).join('\n')}650 651### Actions:652- [ ] Review each branch653- [ ] Delete branches that are no longer needed654- Comment \`/keep branch-name\` to preserve specific branches655`;656 657            await github.rest.issues.create({658              owner: context.repo.owner,659              repo: context.repo.repo,660              title: 'Stale Branch Cleanup',661              body: body,662              labels: ['housekeeping']663            });664```665 666---667 668## 5. On-Demand Assistance669 670### 5.1 @mention Bot671 672```yaml673# .github/workflows/mention-bot.yml674name: AI Mention Bot675 676on:677  issue_comment:678    types: [created]679  pull_request_review_comment:680    types: [created]681 682jobs:683  respond:684    if: contains(github.event.comment.body, '@ai-helper')685    runs-on: ubuntu-latest686 687    steps:688      - uses: actions/checkout@v4689 690      - name: Extract question691        id: question692        run: |693          # Extract text after @ai-helper694          question=$(echo "${{ github.event.comment.body }}" | sed 's/.*@ai-helper//')695          echo "question=$question" >> $GITHUB_OUTPUT696 697      - name: Get context698        id: context699        run: |700          if [ "${{ github.event.issue.pull_request }}" != "" ]; then701            # It's a PR - get diff702            gh pr diff ${{ github.event.issue.number }} > context.txt703          else704            # It's an issue - get description705            gh issue view ${{ github.event.issue.number }} --json body -q .body > context.txt706          fi707          echo "context=$(cat context.txt)" >> $GITHUB_OUTPUT708        env:709          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}710 711      - name: AI Response712        uses: actions/github-script@v7713        with:714          script: |715            const response = await ai.chat(`716              Context: ${process.env.CONTEXT}717              718              Question: ${process.env.QUESTION}719              720              Provide a helpful, specific answer. Include code examples if relevant.721            `);722 723            await github.rest.issues.createComment({724              owner: context.repo.owner,725              repo: context.repo.repo,726              issue_number: context.issue.number,727              body: response728            });729        env:730          CONTEXT: ${{ steps.context.outputs.context }}731          QUESTION: ${{ steps.question.outputs.question }}732```733 734### 5.2 Command Patterns735 736```markdown737## Available Commands738 739| Command              | Description                 |740| :------------------- | :-------------------------- |741| `@ai-helper explain` | Explain the code in this PR |742| `@ai-helper review`  | Request AI code review      |743| `@ai-helper fix`     | Suggest fixes for issues    |744| `@ai-helper test`    | Generate test cases         |745| `@ai-helper docs`    | Generate documentation      |746| `/rebase`            | Rebase PR onto main         |747| `/update`            | Update PR branch from main  |748| `/approve`           | Mark as approved by bot     |749| `/label bug`         | Add 'bug' label             |750| `/assign @user`      | Assign to user              |751```752 753---754 755## 6. Repository Configuration756 757### 6.1 CODEOWNERS758 759```760# .github/CODEOWNERS761 762# Global owners763* @org/core-team764 765# Frontend766/src/frontend/ @org/frontend-team767*.tsx @org/frontend-team768*.css @org/frontend-team769 770# Backend771/src/api/ @org/backend-team772/src/database/ @org/backend-team773 774# Infrastructure775/.github/ @org/devops-team776/terraform/ @org/devops-team777Dockerfile @org/devops-team778 779# Docs780/docs/ @org/docs-team781*.md @org/docs-team782 783# Security-sensitive784/src/auth/ @org/security-team785/src/crypto/ @org/security-team786```787 788### 6.2 Branch Protection789 790```yaml791# Set up via GitHub API792- name: Configure branch protection793  uses: actions/github-script@v7794  with:795    script: |796      await github.rest.repos.updateBranchProtection({797        owner: context.repo.owner,798        repo: context.repo.repo,799        branch: 'main',800        required_status_checks: {801          strict: true,802          contexts: ['test', 'lint', 'ai-review']803        },804        enforce_admins: true,805        required_pull_request_reviews: {806          required_approving_review_count: 1,807          require_code_owner_reviews: true,808          dismiss_stale_reviews: true809        },810        restrictions: null,811        required_linear_history: true,812        allow_force_pushes: false,813        allow_deletions: false814      });815```816 817---818 819## Best Practices820 821### Security822 823- [ ] Store API keys in GitHub Secrets824- [ ] Use minimal permissions in workflows825- [ ] Validate all inputs826- [ ] Don't expose sensitive data in logs827 828### Performance829 830- [ ] Cache dependencies831- [ ] Use matrix builds for parallel testing832- [ ] Skip unnecessary jobs with path filters833- [ ] Use self-hosted runners for heavy workloads834 835### Reliability836 837- [ ] Add timeouts to jobs838- [ ] Handle rate limits gracefully839- [ ] Implement retry logic840- [ ] Have rollback procedures841 842---843 844## Resources845 846- [Gemini CLI GitHub Action](https://github.com/google-github-actions/run-gemini-cli)847- [GitHub Actions Documentation](https://docs.github.com/en/actions)848- [GitHub REST API](https://docs.github.com/en/rest)849- [CODEOWNERS Syntax](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)850 851## Limitations852- Use this skill only when the task clearly matches the scope described above.853- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.854- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.