Building CI Pipelines Purpose CI/CD pipelines automate testing, building, and deploying software. This skill provides patterns for constructing robust, secure, and efficient pipelines across GitHub Actions, GitLab CI, Argo Workflows, and Jenkins. Focus areas: supply chain security (SLSA), monorepo optimization, caching, and parallelization. When to Use This Skill Invoke when: - Setting up continuous integration for new projects - Implementing automated testing workflows - Building container images with security provenance - Optimizing slow CI pipelines (especially monorepos) - Implementing SL…

, version):\n self.warnings.append(\n f\"Action '{action}' uses mutable major version - \"\n f\"consider pinning to commit SHA or full version\"\n )\n\n # Branch name\n if version in ['main', 'master', 'develop']:\n self.warnings.append(\n f\"Action '{action}' pinned to branch '{version}' - \"\n f\"this is mutable and less secure\"\n )\n\n def _validate_secrets(self):\n \"\"\"Validate secret usage.\"\"\"\n workflow_str = str(self.workflow)\n\n # Check for hardcoded secrets (common patterns)\n secret_patterns = [\n r'password[\"\\s]*:[\"\\s]*[^$]',\n r'api[_-]?key[\"\\s]*:[\"\\s]*[^$]',\n r'token[\"\\s]*:[\"\\s]*[^$]',\n ]\n\n for pattern in secret_patterns:\n if re.search(pattern, workflow_str, re.IGNORECASE):\n self.warnings.append(\n f\"Possible hardcoded secret detected (pattern: {pattern}) - \"\n f\"use ${{{{ secrets.SECRET_NAME }}}}\"\n )\n\n def print_results(self):\n \"\"\"Print validation results.\"\"\"\n print(f\"\\nValidating: {self.workflow_path}\")\n print(\"=\" * 60)\n\n if self.errors:\n print(f\"\\n❌ ERRORS ({len(self.errors)}):\")\n for error in self.errors:\n print(f\" - {error}\")\n\n if self.warnings:\n print(f\"\\n⚠️ WARNINGS ({len(self.warnings)}):\")\n for warning in self.warnings:\n print(f\" - {warning}\")\n\n if not self.errors and not self.warnings:\n print(\"\\n✅ Workflow is valid!\")\n\n print(\"\\n\" + \"=\" * 60)\n\n if self.errors:\n print(\"❌ VALIDATION FAILED\")\n return False\n else:\n print(\"✅ VALIDATION PASSED\")\n return True\n\n\ndef main():\n if len(sys.argv) != 2:\n print(\"Usage: python validate_workflow.py \u003cworkflow-file>\")\n print(\"Example: python validate_workflow.py .github/workflows/ci.yml\")\n sys.exit(1)\n\n workflow_path = sys.argv[1]\n validator = WorkflowValidator(workflow_path)\n\n is_valid = validator.validate()\n validator.print_results()\n\n sys.exit(0 if is_valid else 1)\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; 
charset=utf-8","language":"python","size":9111,"content_sha256":"7a574b3df1dcd883b462f458a2705ddf954e9ff694978ce6ee1439cddbdf36e9"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Building CI Pipelines","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Purpose","type":"text"}]},{"type":"paragraph","content":[{"text":"CI/CD pipelines automate testing, building, and deploying software. This skill provides patterns for constructing robust, secure, and efficient pipelines across GitHub Actions, GitLab CI, Argo Workflows, and Jenkins. Focus areas: supply chain security (SLSA), monorepo optimization, caching, and parallelization.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use This Skill","type":"text"}]},{"type":"paragraph","content":[{"text":"Invoke when:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Setting up continuous integration for new projects","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implementing automated testing workflows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Building container images with security provenance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Optimizing slow CI pipelines (especially monorepos)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implementing SLSA supply chain security","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configuring multi-platform builds","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Setting up GitOps automation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Migrating from legacy CI 
systems","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Platform Selection","type":"text"}]},{"type":"paragraph","content":[{"text":"GitHub-hosted","type":"text","marks":[{"type":"strong"}]},{"text":" → GitHub Actions (SLSA native, 10K+ actions, OIDC) ","type":"text"},{"text":"GitLab-hosted","type":"text","marks":[{"type":"strong"}]},{"text":" → GitLab CI (parent-child pipelines, built-in security) ","type":"text"},{"text":"Kubernetes","type":"text","marks":[{"type":"strong"}]},{"text":" → Argo Workflows (DAG-based, event-driven) ","type":"text"},{"text":"Legacy","type":"text","marks":[{"type":"strong"}]},{"text":" → Jenkins (migrate when possible)","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Platform Comparison","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Feature","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GitHub Actions","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GitLab CI","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Argo","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Jenkins","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Ease of 
Use","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"⭐⭐⭐⭐⭐","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"⭐⭐⭐⭐","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"⭐⭐⭐","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"⭐⭐","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SLSA","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Native","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Manual","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Good","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Manual","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Monorepo","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Good","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Excellent","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"
alignment":""},"content":[{"type":"paragraph","content":[{"text":"Manual","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Plugins","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Start Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: Basic CI (Lint → Test → Build)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"# GitHub Actions\nname: CI\non: [push, pull_request]\n\njobs:\n lint:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm run lint\n\n test:\n needs: lint\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm test\n\n build:\n needs: test\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm run build","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Matrix Strategy (Multi-Platform)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n runs-on: ${{ matrix.os }}\n strategy:\n matrix:\n os: [ubuntu-latest, windows-latest, macos-latest]\n node-version: [18, 20, 22]\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n with:\n node-version: ${{ matrix.node-version }}\n - run: npm test","type":"text"}]},{"type":"paragraph","content":[{"text":"9 jobs (3 OS × 3 versions) in parallel: 5 min vs 45 min sequential.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: Monorepo Affected (Turborepo)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"build:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 0 # Required for affected detection\n\n - uses: actions/setup-node@v4\n with:\n node-version: 20\n\n - name: Build affected\n run: npx turbo 
run build --filter='...[origin/main]'\n env:\n TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}\n TURBO_TEAM: ${{ vars.TURBO_TEAM }}","type":"text"}]},{"type":"paragraph","content":[{"text":"60-80% CI time reduction for monorepos.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 4: SLSA Level 3 Provenance","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"name: SLSA Build\non:\n push:\n tags: ['v*']\n\npermissions:\n id-token: write\n contents: read\n packages: write\n\njobs:\n build:\n runs-on: ubuntu-latest\n outputs:\n digest: ${{ steps.build.outputs.digest }}\n steps:\n - uses: actions/checkout@v4\n - name: Build container\n id: build\n uses: docker/build-push-action@v5\n with:\n push: true\n tags: ghcr.io/${{ github.repository }}:${{ github.sha }}\n\n provenance:\n needs: build\n permissions:\n id-token: write\n actions: read\n packages: write\n uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@vX.Y.Z # vX.Y.Z is a placeholder for a released generator tag\n with:\n image: ghcr.io/${{ github.repository }}\n digest: ${{ needs.build.outputs.digest }}\n registry-username: ${{ github.actor }}\n secrets:\n registry-password: ${{ secrets.GITHUB_TOKEN }}","type":"text"}]},{"type":"paragraph","content":[{"text":"Verification (the identity regexp below is only a prefix match, so a look-alike organisation name also satisfies it; in production anchor it to the full generator workflow path and tag):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"cosign verify-attestation --type slsaprovenance \\\n --certificate-identity-regexp \"^https://github.com/slsa-framework\" \\\n --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n ghcr.io/myorg/myapp@sha256:abcd...","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 5: OIDC Federation (No Credentials)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"deploy:\n runs-on: ubuntu-latest\n permissions:\n id-token: write\n contents: read\n steps:\n - uses: actions/checkout@v4\n\n - name: Configure AWS 
credentials\n uses: aws-actions/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole\n aws-region: us-east-1\n\n - name: Deploy\n run: aws s3 sync ./dist s3://my-bucket","type":"text"}]},{"type":"paragraph","content":[{"text":"Benefits: No stored credentials, 1-hour lifetime, full audit trail. These depend on the IAM role's trust policy restricting the token's sub claim to the intended repository and branch or environment; a trust policy that accepts any GitHub token lets other repositories assume the role.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 6: Security Scanning","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"security:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n fetch-depth: 0\n\n - name: Gitleaks (secret detection)\n uses: gitleaks/gitleaks-action@v2\n\n - name: Snyk (vulnerability scan)\n uses: snyk/actions/node@master # mutable branch ref; pin to a commit SHA\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}\n\n - name: SBOM generation\n uses: anchore/sbom-action@v0\n with:\n format: spdx-json\n output-file: sbom.spdx.json","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Caching","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Automatic Dependency Caching","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"- uses: actions/setup-node@v4\n with:\n node-version: 20\n cache: 'npm' # Auto-caches ~/.npm\n- run: npm ci","type":"text"}]},{"type":"paragraph","content":[{"text":"Supported: npm, yarn, pnpm, pip, poetry, cargo, go","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Manual Cache Control","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"- uses: actions/cache@v4\n with:\n path: |\n ~/.cargo/bin\n ~/.cargo/registry\n target/\n key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}\n restore-keys: |\n ${{ runner.os }}-cargo-","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Multi-Layer Caching 
(Nx)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"- name: Nx Cloud (build outputs)\n run: npx nx affected -t build\n env:\n NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}\n\n- name: Vite Cache\n uses: actions/cache@v4\n with:\n path: '**/node_modules/.vite'\n key: vite-${{ hashFiles('package-lock.json') }}\n\n- name: TypeScript Cache\n uses: actions/cache@v4\n with:\n path: '**/tsconfig.tsbuildinfo'\n key: tsc-${{ hashFiles('tsconfig.json') }}","type":"text"}]},{"type":"paragraph","content":[{"text":"Result: 70-90% build time reduction.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Parallelization","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Job-Level Parallelization","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"jobs:\n unit-tests:\n steps:\n - run: npm run test:unit\n\n integration-tests:\n steps:\n - run: npm run test:integration\n\n e2e-tests:\n steps:\n - run: npm run test:e2e","type":"text"}]},{"type":"paragraph","content":[{"text":"All three run simultaneously.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Test Sharding","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n strategy:\n matrix:\n shard: [1, 2, 3, 4]\n steps:\n - run: npm test -- --shard=${{ matrix.shard }}/4","type":"text"}]},{"type":"paragraph","content":[{"text":"20min test suite → 5min (4x speedup).","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Language Examples","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Python","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n strategy:\n matrix:\n python-version: ['3.10', '3.11', '3.12']\n steps:\n - uses: actions/setup-python@v5\n with:\n python-version: ${{ 
matrix.python-version }}\n - run: pipx install poetry\n - run: poetry install\n - run: poetry run ruff check .\n - run: poetry run mypy .\n - run: poetry run pytest --cov","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Rust","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n strategy:\n matrix:\n os: [ubuntu-latest, windows-latest, macos-latest]\n rust: [stable, nightly]\n steps:\n - uses: dtolnay/rust-toolchain@master\n with:\n toolchain: ${{ matrix.rust }}\n components: rustfmt, clippy\n - uses: Swatinem/rust-cache@v2\n - run: cargo fmt -- --check\n - run: cargo clippy -- -D warnings\n - run: cargo test","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Go","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n steps:\n - uses: actions/setup-go@v5\n with:\n go-version: '1.23'\n cache: true\n - run: go mod verify\n - uses: golangci/golangci-lint-action@v4\n - run: go test -v -race -coverprofile=coverage.txt ./...","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"TypeScript","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"test:\n strategy:\n matrix:\n node-version: [18, 20, 22]\n steps:\n - uses: pnpm/action-setup@v3\n with:\n version: 8\n - uses: actions/setup-node@v4\n with:\n node-version: ${{ matrix.node-version }}\n cache: 'pnpm'\n - run: pnpm install --frozen-lockfile\n - run: pnpm run lint\n - run: pnpm run type-check\n - run: pnpm test","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Best Practices","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Security","type":"text"}]},{"type":"paragraph","content":[{"text":"DO:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use 
OIDC instead of long-lived credentials","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pin actions to commit SHA: ","type":"text"},{"text":"actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Restrict permissions: ","type":"text"},{"text":"permissions: { contents: read }","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Scan secrets (Gitleaks) on every commit","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Generate SLSA provenance for releases","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"DON'T:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Expose secrets in logs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"pull_request_target","type":"text","marks":[{"type":"code_inline"}]},{"text":" without validation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Trust unverified third-party actions","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Performance","type":"text"}]},{"type":"paragraph","content":[{"text":"DO:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use affected detection for monorepos","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cache dependencies and build outputs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Parallelize independent 
jobs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Fail fast: ","type":"text"},{"text":"strategy.fail-fast: true","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use remote caching (Turborepo/Nx Cloud)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"DON'T:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rebuild everything on every commit","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run long tests in PR checks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use generic cache keys","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Debugging","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"# Enable debug logging\nenv:\n ACTIONS_STEP_DEBUG: true\n ACTIONS_RUNNER_DEBUG: true\n\n# SSH into runner (temporary debugging only: the session has the job's access, including any secrets exposed to it; remove the step afterwards)\n- uses: mxschmitt/action-tmate@v3","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Advanced Patterns","type":"text"}]},{"type":"paragraph","content":[{"text":"For detailed guides, see references:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"github-actions-patterns.md","type":"text","marks":[{"type":"strong"}]},{"text":" - Reusable workflows, composite actions, matrix strategies, OIDC setup","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"gitlab-ci-patterns.md","type":"text","marks":[{"type":"strong"}]},{"text":" - Parent-child pipelines, dynamic generation, runner 
configuration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"argo-workflows-guide.md","type":"text","marks":[{"type":"strong"}]},{"text":" - DAG templates, artifact passing, event-driven triggers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"slsa-security-framework.md","type":"text","marks":[{"type":"strong"}]},{"text":" - SLSA Levels 1-4, provenance generation, cosign verification","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"monorepo-ci-strategies.md","type":"text","marks":[{"type":"strong"}]},{"text":" - Turborepo/Nx/Bazel affected detection algorithms","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"caching-strategies.md","type":"text","marks":[{"type":"strong"}]},{"text":" - Multi-layer caching, Docker optimization, cache invalidation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"parallelization-patterns.md","type":"text","marks":[{"type":"strong"}]},{"text":" - Test sharding, job dependencies, DAG design","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"secrets-management.md","type":"text","marks":[{"type":"strong"}]},{"text":" - OIDC for AWS/GCP/Azure, Vault integration, rotation","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Examples","type":"text"}]},{"type":"paragraph","content":[{"text":"Complete runnable workflows:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/github-actions-basic/","type":"text","marks":[{"type":"strong"}]},{"text":" - Starter template (lint/test/build)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/github-actions-monorepo/","type":"text","marks":[{"type":"strong"}]},{"text":" - Turborepo with remote 
caching","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/github-actions-slsa/","type":"text","marks":[{"type":"strong"}]},{"text":" - SLSA Level 3 provenance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/gitlab-ci-monorepo/","type":"text","marks":[{"type":"strong"}]},{"text":" - Parent-child dynamic pipeline","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/argo-workflows-dag/","type":"text","marks":[{"type":"strong"}]},{"text":" - Diamond DAG parallelization","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/multi-language-matrix/","type":"text","marks":[{"type":"strong"}]},{"text":" - Cross-platform testing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Utility Scripts","type":"text"}]},{"type":"paragraph","content":[{"text":"Token-free execution:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/validate_workflow.py","type":"text","marks":[{"type":"strong"}]},{"text":" - Validate YAML syntax and best practices","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/generate_github_workflow.py","type":"text","marks":[{"type":"strong"}]},{"text":" - Generate workflow from template","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/analyze_ci_performance.py","type":"text","marks":[{"type":"strong"}]},{"text":" - CI metrics analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/setup_oidc_aws.py","type":"text","marks":[{"type":"strong"}]},{"text":" - Automate AWS OIDC setup","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Related 
Skills","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"testing-strategies","type":"text","marks":[{"type":"strong"}]},{"text":" - Test execution strategies (unit, integration, E2E) ","type":"text"},{"text":"deploying-applications","type":"text","marks":[{"type":"strong"}]},{"text":" - Deployment automation and GitOps ","type":"text"},{"text":"auth-security","type":"text","marks":[{"type":"strong"}]},{"text":" - Secrets management and authentication ","type":"text"},{"text":"observability","type":"text","marks":[{"type":"strong"}]},{"text":" - Pipeline monitoring and alerting","type":"text"}]}]},"metadata":{"date":"2026-06-05","name":"building-ci-pipelines","author":"@skillopedia","source":{"stars":368,"repo_name":"ai-design-components","origin_url":"https://github.com/ancoleman/ai-design-components/blob/HEAD/skills/building-ci-pipelines/SKILL.md","repo_owner":"ancoleman","body_sha256":"06a2fe9de441d60fb2f90c4e7bfb1b1c4aed36b0f4907ec4d87a50a1bea8b954","cluster_key":"4ff8ab8306dbdebf8b2cef37166f333ed085a47640182070ad30f00e7febc179","clean_bundle":{"format":"clean-skill-bundle-v1","source":"ancoleman/ai-design-components/skills/building-ci-pipelines/SKILL.md","attachments":[{"id":"0561ba8f-5b12-5a24-b47f-57fb2bbef3ec","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/0561ba8f-5b12-5a24-b47f-57fb2bbef3ec/attachment.yml","path":"examples/github-actions-basic/.github/workflows/ci.yml","size":2327,"sha256":"985d1e340806f0b0fa9c76b61371925b0db7b1a4e6b92891c8fabb3e78a55078","contentType":"application/yaml; charset=utf-8"},{"id":"f5aa80d5-d7eb-502e-ad61-8c25ea5cc7e5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/f5aa80d5-d7eb-502e-ad61-8c25ea5cc7e5/attachment.md","path":"examples/github-actions-basic/README.md","size":2440,"sha256":"86d78f666af7f2b586d473e19608c59c9193536132a323d774ffe90b7f0c5c3d","contentType":"text/markdown; 
charset=utf-8"},{"id":"a7c9a506-2e9a-5b76-a3c7-ce77aa972502","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a7c9a506-2e9a-5b76-a3c7-ce77aa972502/attachment.yml","path":"examples/github-actions-monorepo/.github/workflows/ci.yml","size":4570,"sha256":"b32761f64338a2043667a3634fd4972cb388b721ad1d2a61f8b13d13f40cee76","contentType":"application/yaml; charset=utf-8"},{"id":"ecc92b5d-f6d7-538c-92ce-8e59d644b625","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ecc92b5d-f6d7-538c-92ce-8e59d644b625/attachment.md","path":"examples/github-actions-monorepo/README.md","size":7150,"sha256":"49476f4d6cb194d9597499c516ea41b59bc27f24ba11f83b5809d16e09992770","contentType":"text/markdown; charset=utf-8"},{"id":"3e2a84af-c564-5f3f-93d8-c20decf91d2f","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/3e2a84af-c564-5f3f-93d8-c20decf91d2f/attachment.json","path":"examples/github-actions-monorepo/turbo.json","size":628,"sha256":"08eb1a04c143d2101de8c14485087d838ba3eb35bdb03dc03cbb148c69f26505","contentType":"application/json; charset=utf-8"},{"id":"d2d0c4e8-5eaa-5cc9-8c6b-66ca7b395806","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/d2d0c4e8-5eaa-5cc9-8c6b-66ca7b395806/attachment.yaml","path":"outputs.yaml","size":10030,"sha256":"46b72c0006e86895591cc07e5570b658b8cfe703bde09b7440f12c56386acd78","contentType":"application/yaml; charset=utf-8"},{"id":"c60751f1-5a37-51b2-a6ea-64b991c04002","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/c60751f1-5a37-51b2-a6ea-64b991c04002/attachment.md","path":"references/caching-strategies.md","size":8980,"sha256":"5e3ac12932fb3f3eb44111f328990672f39c206b9e9fe7f448dc1ca2a6a360f6","contentType":"text/markdown; charset=utf-8"},{"id":"229ae59e-4edc-56e9-a3ea-a2c2aeeafd21","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/229ae59e-4edc-56e9-a3ea-a2c2aeeafd21/attachment.md","path":"references/github-actions-patterns.md","size":16818,"sha256":"b3a60c775c52618cdf52141e745150080e73081e273fb34a257e3446a411d88d","contentType":"text/markdown; 
charset=utf-8"},{"id":"86c54acf-28fb-5ad1-b937-95971c1c5154","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/86c54acf-28fb-5ad1-b937-95971c1c5154/attachment.md","path":"references/monorepo-ci-strategies.md","size":14958,"sha256":"b39e20e90e19b83462b947d76e2abb194bb686a5b30d3c1ee2ceb5e9f33b2cb9","contentType":"text/markdown; charset=utf-8"},{"id":"9f422874-816c-5cef-b899-4491bbfa3fbc","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9f422874-816c-5cef-b899-4491bbfa3fbc/attachment.md","path":"references/slsa-security-framework.md","size":14984,"sha256":"88adcf0d474ffaa8d5608f872d1c81505168c3f0ca2f1baf1636439ac1c93074","contentType":"text/markdown; charset=utf-8"},{"id":"7c050186-145f-5cfb-b621-2a5c8ddc6fbb","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/7c050186-145f-5cfb-b621-2a5c8ddc6fbb/attachment.py","path":"scripts/validate_workflow.py","size":9111,"sha256":"7a574b3df1dcd883b462f458a2705ddf954e9ff694978ce6ee1439cddbdf36e9","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"1ade4cb41883cfbf2e9b3a7198cf2050188eed80dae47402fe6775d5e510931a","attachment_count":11,"text_attachments":11,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/building-ci-pipelines/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Constructs secure, efficient CI/CD pipelines with supply chain security (SLSA), monorepo optimization, caching strategies, and parallelization patterns for GitHub Actions, GitLab CI, and Argo Workflows. Use when setting up automated testing, building, or deployment workflows."}},"renderedAt":1782989270749}

Building CI Pipelines Purpose CI/CD pipelines automate testing, building, and deploying software. This skill provides patterns for constructing robust, secure, and efficient pipelines across GitHub Actions, GitLab CI, Argo Workflows, and Jenkins. Focus areas: supply chain security (SLSA), monorepo optimization, caching, and parallelization. When to Use This Skill Invoke when: - Setting up continuous integration for new projects - Implementing automated testing workflows - Building container images with security provenance - Optimizing slow CI pipelines (especially monorepos) - Implementing SL…