zhongwei/gh-josiahsiegel-claude-code-marketplace-plugins-git-master
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:29:08 +08:00
commit 139e230a67
10 changed files with 4284 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,15 @@
{
"name": "git-master",
"description": "Complete Git expertise for ALL operations with 2025 features. PROACTIVELY activate for: (1) ANY Git task (basic/advanced/dangerous), (2) Git 2.51+ features (stash import/export, path-walk repacking, git-backfill for partial clones, reftables 50-80% faster, sparse-checkout, worktrees), (3) Windows/Git Bash compatibility (MINGW/MSYS2 path conversion, MSYS_NO_PATHCONV, cygpath utilities, shell detection with $MSYSTEM), (4) Security (signed commits GPG/SSH, zero-trust workflows, GitHub secret scanning with AI, CodeQL, Gitleaks), (5) Trunk-Based Development with < 1 day branches (Google/Microsoft scale), (6) GitHub CLI 2.x (Copilot CLI integration, model evaluations, triangular workflows, OAuth clipboard), (7) GitHub Actions 2025 (1 vCPU runners, immutable releases, Node24), (8) Repository management and optimization, (9) Modern workflows (monorepo, parallel development), (10) Branch strategies (Gitflow, Feature Branch, TBD), (11) Conflict resolution, (12) History rewriting/recovery with safety guardrails, (13) Platform operations (GitHub/GitLab/Azure DevOps/Bitbucket). Provides: Git 2.51 stash import/export for sharing stashes between machines, path-walk repacking for smaller pack files, Git Bash/MINGW path conversion handling (MSYS_NO_PATHCONV, MSYS2_ARG_CONV_EXCL, cygpath), shell detection ($MSYSTEM, uname -s, $OSTYPE), Git 2.49 git-backfill for efficient partial clone downloads, reftables migration, sparse-checkout for monorepos (90% space reduction), worktrees for parallel development with path handling guidance, GitHub Copilot CLI (replacing gh-copilot extension), gh models eval for prompt evaluations, zero-trust security patterns with continuous monitoring, signed commits (GPG and SSH), GitHub Actions 2025 features (1 vCPU runners, immutable releases), CodeQL with Copilot Autofix, complete command reference, automatic backups before destructive operations, safety guardrails, reflog recovery, emergency procedures, cross-platform path compatibility. Ensures modern, secure, efficient Git workflows following 2025 industry standards with comprehensive Windows/Git Bash support.",
"version": "1.5.0",
"author": {
"name": "Josiah Siegel",
"email": "JosiahSiegel@users.noreply.github.com"
},
"skills": [
"./skills"
],
"commands": [
"./commands"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# git-master
Complete Git expertise for ALL operations with 2025 features. PROACTIVELY activate for: (1) ANY Git task (basic/advanced/dangerous), (2) Git 2.51+ features (stash import/export, path-walk repacking, git-backfill for partial clones, reftables 50-80% faster, sparse-checkout, worktrees), (3) Windows/Git Bash compatibility (MINGW/MSYS2 path conversion, MSYS_NO_PATHCONV, cygpath utilities, shell detection with $MSYSTEM), (4) Security (signed commits GPG/SSH, zero-trust workflows, GitHub secret scanning with AI, CodeQL, Gitleaks), (5) Trunk-Based Development with < 1 day branches (Google/Microsoft scale), (6) GitHub CLI 2.x (Copilot CLI integration, model evaluations, triangular workflows, OAuth clipboard), (7) GitHub Actions 2025 (1 vCPU runners, immutable releases, Node24), (8) Repository management and optimization, (9) Modern workflows (monorepo, parallel development), (10) Branch strategies (Gitflow, Feature Branch, TBD), (11) Conflict resolution, (12) History rewriting/recovery with safety guardrails, (13) Platform operations (GitHub/GitLab/Azure DevOps/Bitbucket). Provides: Git 2.51 stash import/export for sharing stashes between machines, path-walk repacking for smaller pack files, Git Bash/MINGW path conversion handling (MSYS_NO_PATHCONV, MSYS2_ARG_CONV_EXCL, cygpath), shell detection ($MSYSTEM, uname -s, $OSTYPE), Git 2.49 git-backfill for efficient partial clone downloads, reftables migration, sparse-checkout for monorepos (90% space reduction), worktrees for parallel development with path handling guidance, GitHub Copilot CLI (replacing gh-copilot extension), gh models eval for prompt evaluations, zero-trust security patterns with continuous monitoring, signed commits (GPG and SSH), GitHub Actions 2025 features (1 vCPU runners, immutable releases), CodeQL with Copilot Autofix, complete command reference, automatic backups before destructive operations, safety guardrails, reflog recovery, emergency procedures, cross-platform path compatibility. Ensures modern, secure, efficient Git workflows following 2025 industry standards with comprehensive Windows/Git Bash support.

96
commands/git-safe-rebase.md Normal file
View File

@@ -0,0 +1,96 @@
---
description: Perform interactive rebase with safety guardrails
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
You are an expert Git operator helping the user safely perform an interactive rebase.
# Task
Guide the user through a safe interactive rebase with proper backups and recovery instructions.
# Safety Protocol
1. **Create backup branch**:
```bash
git branch backup-before-rebase-$(date +%Y%m%d-%H%M%S)
```
2. **Show what will be rebased**:
```bash
git log --oneline --graph <base>..<current-branch>
```
3. **Warn about risks**:
- "⚠️ Interactive rebase will rewrite commit history"
- "⚠️ If this branch has been pushed and others are working on it, DO NOT proceed"
- "⚠️ All commits will get new hashes"
4. **Ask for confirmation**:
- "Has this branch been pushed to a shared remote? (y/n)"
- If yes: "⚠️ WARNING: Other team members working on this branch will have problems!"
- "Do you want to proceed? (yes/NO)"
5. **Perform rebase**:
```bash
git rebase -i <base>
```
6. **Provide recovery instructions**:
```
If something goes wrong:
- Abort: git rebase --abort
- Recover: git reset --hard backup-before-rebase-XXXXXXXX
```
7. **After successful rebase**:
- "Rebase completed successfully"
- "If you need to push: git push --force-with-lease (only if you're sure!)"
- "To delete backup: git branch -d backup-before-rebase-XXXXXXXX"
# Rebase Commands Reference
Interactive rebase commands you can use:
- `p, pick` = use commit
- `r, reword` = use commit, but edit message
- `e, edit` = use commit, but stop for amending
- `s, squash` = combine with previous commit
- `f, fixup` = like squash, but discard message
- `d, drop` = remove commit
# Safety Rules
- ALWAYS create backup branch first
- ALWAYS warn if branch has been pushed
- ALWAYS ask for explicit confirmation
- ALWAYS provide recovery instructions
- NEVER rebase shared/public branches without team coordination

69
plugin.lock.json Normal file
View File

@@ -0,0 +1,69 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:JosiahSiegel/claude-code-marketplace:plugins/git-master",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "b822af22980444ef65584915dfbe115a77b9dbcf",
"treeHash": "4b48fafd3df65628699d880d3875960bbd7f927a93b3992cd77387c1d75be29e",
"generatedAt": "2025-11-28T10:11:49.687061Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "git-master",
"description": "Complete Git expertise for ALL operations with 2025 features. PROACTIVELY activate for: (1) ANY Git task (basic/advanced/dangerous), (2) Git 2.51+ features (stash import/export, path-walk repacking, git-backfill for partial clones, reftables 50-80% faster, sparse-checkout, worktrees), (3) Windows/Git Bash compatibility (MINGW/MSYS2 path conversion, MSYS_NO_PATHCONV, cygpath utilities, shell detection with $MSYSTEM), (4) Security (signed commits GPG/SSH, zero-trust workflows, GitHub secret scanning with AI, CodeQL, Gitleaks), (5) Trunk-Based Development with < 1 day branches (Google/Microsoft scale), (6) GitHub CLI 2.x (Copilot CLI integration, model evaluations, triangular workflows, OAuth clipboard), (7) GitHub Actions 2025 (1 vCPU runners, immutable releases, Node24), (8) Repository management and optimization, (9) Modern workflows (monorepo, parallel development), (10) Branch strategies (Gitflow, Feature Branch, TBD), (11) Conflict resolution, (12) History rewriting/recovery with safety guardrails, (13) Platform operations (GitHub/GitLab/Azure DevOps/Bitbucket). Provides: Git 2.51 stash import/export for sharing stashes between machines, path-walk repacking for smaller pack files, Git Bash/MINGW path conversion handling (MSYS_NO_PATHCONV, MSYS2_ARG_CONV_EXCL, cygpath), shell detection ($MSYSTEM, uname -s, $OSTYPE), Git 2.49 git-backfill for efficient partial clone downloads, reftables migration, sparse-checkout for monorepos (90% space reduction), worktrees for parallel development with path handling guidance, GitHub Copilot CLI (replacing gh-copilot extension), gh models eval for prompt evaluations, zero-trust security patterns with continuous monitoring, signed commits (GPG and SSH), GitHub Actions 2025 features (1 vCPU runners, immutable releases), CodeQL with Copilot Autofix, complete command reference, automatic backups before destructive operations, safety guardrails, reflog recovery, emergency procedures, cross-platform path compatibility. Ensures modern, secure, efficient Git workflows following 2025 industry standards with comprehensive Windows/Git Bash support.",
"version": "1.5.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "f1b8d4f894b54a52d085a0250e07ad8d4122ee80db3a37769cb916a9c1b2fe4d"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "0cd829bb407ea1f66ebb6a382198dd4237aeb1c48eeb8a998154f8f94ae8cab1"
},
{
"path": "commands/git-safe-rebase.md",
"sha256": "82678a557e27c77eb7f635d280b995a20652d8882ff4b25fd2b6665f830609f2"
},
{
"path": "skills/github-actions-2025.md",
"sha256": "7f2ffa820dc507462620827b00ead9fb8b79e603494b7105ba9a75192baa9f56"
},
{
"path": "skills/git-security-2025.md",
"sha256": "61a5f6c9eacbd9ab83802f0fbc30f561b31d79d39a4ce443bcdee37758dc95f6"
},
{
"path": "skills/git-2-49-features.md",
"sha256": "acdc33be56eef1eb539a304a1bcbc15e583123e24ceb881f13e5fae88b9465f7"
},
{
"path": "skills/github-ai-features-2025.md",
"sha256": "5b92bce8c57e2b7516a21277190720010bf04c8b41a348b8a406d1ac112d7070"
},
{
"path": "skills/git-2025-features.md",
"sha256": "c6a914560cd25e718b11251a0c66b9511d56dc0693cadcac2a4f1a26abdd574e"
},
{
"path": "skills/git-master/SKILL.md",
"sha256": "0582b0a42b23d8b1df4e6367fe1f9745a5d246d0e59b177d12bedf07852574fc"
}
],
"dirSha256": "4b48fafd3df65628699d880d3875960bbd7f927a93b3992cd77387c1d75be29e"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}

330
skills/git-2-49-features.md Normal file
View File

@@ -0,0 +1,330 @@
---
name: git-2-49-features
description: Git 2.49+ features including git-backfill, path-walk API, and performance improvements
---
# Git 2.49+ Features (2025)
## git-backfill Command (New in 2.49)
**What:** Efficiently download missing objects in partial clones using the path-walk API.
**Why:** Dramatically improves delta compression when fetching objects from partial clones, resulting in smaller downloads and better performance.
### Basic Usage
```bash
# Check if you have a partial clone
git config extensions.partialClone
# Download missing objects in background
git backfill
# Download with custom batch size
git backfill --batch-size=1000
# Respect sparse-checkout patterns (only fetch needed files)
git backfill --sparse
# Check progress
git backfill --verbose
```
### When to Use
**Scenario 1: After cloning with --filter=blob:none**
```bash
# Clone without blobs
git clone --filter=blob:none https://github.com/large/repo.git
cd repo
# Later, prefetch all missing objects efficiently
git backfill
```
**Scenario 2: Sparse-checkout + Partial clone**
```bash
# Clone with both optimizations
git clone --filter=blob:none --sparse https://github.com/monorepo.git
cd monorepo
git sparse-checkout set src/api
# Fetch only needed objects
git backfill --sparse
```
**Scenario 3: CI/CD Optimization**
```bash
# In CI pipeline - fetch only what's needed
git clone --filter=blob:none --depth=1 repo
git backfill --sparse
# Much faster than full clone
```
### Performance Comparison
**Traditional partial clone fetch:**
```bash
git fetch --unshallow
# Downloads 500MB in random order
# Poor delta compression
```
**With git-backfill:**
```bash
git backfill
# Downloads 150MB with optimized delta compression (70% reduction)
# Groups objects by path for better compression
```
## Path-Walk API (New in 2.49)
**What:** Internal API that groups together objects appearing at the same path, enabling much better delta compression.
**How it works:** Instead of processing objects in commit order, path-walk processes them by filesystem path, allowing Git to find better delta bases.
**Benefits:**
- 50-70% better compression in partial clone scenarios
- Faster object transfers
- Reduced network usage
- Optimized packfile generation
**You benefit automatically when using:**
- `git backfill`
- `git repack` (improved in 2.49)
- Server-side object transfers
### Enable Path-Walk Optimizations
```bash
# For repack operations
git config pack.useBitmaps true
git config pack.writeBitmaps true
# Repack with path-walk optimizations
git repack -a -d -f
# Check improvement
git count-objects -v
```
## Performance Improvements with zlib-ng
**What:** Git 2.49 includes improved performance through zlib-ng integration for compression/decompression.
**Benefits:**
- 20-30% faster compression
- 10-15% faster decompression
- Lower CPU usage during pack operations
- Transparent - no configuration needed
**Automatically improves:**
- `git clone`
- `git fetch`
- `git push`
- `git gc`
- `git repack`
## New Name-Hashing Algorithm
**What:** Improved algorithm for selecting object pairs during delta compression.
**Results:**
- More efficient packfiles
- Better compression ratios (5-10% improvement)
- Faster repack operations
**Automatic - no action needed.**
## Rust Bindings for libgit
**What:** Git 2.49 added Rust bindings (libgit-sys and libgit-rs) for Git's internal libraries.
**Relevance:** Future Git tooling and performance improvements will leverage Rust for memory safety and performance.
**For developers:** You can now build Git tools in Rust using official bindings.
## Promisor Remote Enhancements
**What:** Servers can now advertise promisor remote information to clients.
**Benefits:**
- Better handling of large files in partial clones
- Improved lazy fetching
- More efficient missing object retrieval
**Configuration:**
```bash
# View promisor remote info
git config remote.origin.promisor
git config extensions.partialClone
# Verify promisor packfiles
ls -lah .git/objects/pack/*.promisor
```
## Git 2.49 Workflow Examples
### Example 1: Ultra-Efficient Monorepo Clone
```bash
# Clone large monorepo with maximum efficiency
git clone --filter=blob:none --sparse https://github.com/company/monorepo.git
cd monorepo
# Only checkout your team's service
git sparse-checkout set --cone services/api
# Fetch needed objects with path-walk optimization
git backfill --sparse
# Result: 95% smaller than full clone, 70% faster download
```
### Example 2: CI/CD Pipeline Optimization
```yaml
# .github/workflows/ci.yml
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout with optimizations
run: |
git clone --filter=blob:none --depth=1 --sparse ${{ github.repositoryUrl }}
cd repo
git sparse-checkout set src tests
git backfill --sparse
- name: Run tests
run: npm test
# 80% faster than full clone in CI
```
### Example 3: Working with Huge History
```bash
# Clone repository with massive history
git clone --filter=blob:none https://github.com/project/with-long-history.git
cd with-long-history
# Work on recent code only (objects fetched on demand)
git checkout -b feature/new-feature
# When you need full history
git backfill
# Repack for optimal storage
git repack -a -d -f # Uses path-walk API
```
## Deprecated Features (Removal in Git 3.0)
**⚠️ Now Officially Deprecated:**
- `.git/branches/` directory (use remotes instead)
- `.git/remotes/` directory (use git remote commands)
**Migration:**
```bash
# If you have old-style remotes, convert them
# Check for deprecated directories
ls -la .git/branches .git/remotes 2>/dev/null
# Use modern remote configuration
git remote add origin https://github.com/user/repo.git
git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'
```
## Meson Build System
**What:** Continued development on Meson as alternative build system for Git.
**Why:** Faster builds, better cross-platform support.
**Status:** Experimental - use `make` for production.
## netrc Support Re-enabled
**What:** HTTP transport now supports .netrc for authentication.
**Usage:**
```bash
# ~/.netrc
machine github.com
login your-username
password your-token
# Git will now use these credentials automatically
git clone https://github.com/private/repo.git
```
## Best Practices with Git 2.49
1. **Use git-backfill for partial clones:**
```bash
git backfill --sparse # Better than git fetch --unshallow
```
2. **Combine optimizations:**
```bash
git clone --filter=blob:none --sparse <url>
git sparse-checkout set --cone <paths>
git backfill --sparse
```
3. **Regular maintenance:**
```bash
git backfill # Fill in missing objects
git repack -a -d -f # Optimize with path-walk
git prune # Clean up
```
4. **Monitor partial clone status:**
```bash
# Check promisor remotes
git config extensions.partialClone
# List missing objects
git rev-list --objects --all --missing=print | grep "^?"
```
5. **Migrate deprecated features:**
```bash
# Move away from .git/branches and .git/remotes
# Use git remote commands instead
```
## Troubleshooting
**git-backfill not found:**
```bash
# Verify Git version
git --version # Must be 2.49+
# Update Git
brew upgrade git # macOS
apt update && apt install git # Ubuntu
```
**Promisor remote issues:**
```bash
# Reset promisor configuration
git config --unset extensions.partialClone
git config --unset remote.origin.promisor
# Re-enable
git config extensions.partialClone origin
git config remote.origin.promisor true
```
**Poor delta compression:**
```bash
# Force repack with path-walk optimization
git repack -a -d -f --depth=250 --window=250
```
## Resources
- [Git 2.49 Release Notes](https://github.blog/open-source/git/highlights-from-git-2-49/)
- [Path-Walk API Documentation](https://git-scm.com/docs/api-path-walk)
- [Partial Clone Documentation](https://git-scm.com/docs/partial-clone)

459
skills/git-2025-features.md Normal file
View File

@@ -0,0 +1,459 @@
---
name: git-2025-features
description: Git 2.49+ features including reftables, sparse-checkout, partial clone, git-backfill, and worktrees
---
**📌 NOTE:** For detailed Git 2.49+ features (git-backfill, path-walk API, zlib-ng), see git-2-49-features.md skill.
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Git 2025 Features - Advanced Capabilities
## Git 2.49 (March 2025) - Latest
**Major additions:** git-backfill, path-walk API, zlib-ng performance, improved delta compression.
**See git-2-49-features.md for complete coverage.**
## Git 2.48-2.49 Features
### Reftables Migration (Completed in 2.48)
**What:** New reference storage format replacing loose ref files and packed-refs.
**Benefits:**
- Faster ref operations (50-80% improvement)
- Atomic ref updates
- Better scalability for repositories with many refs
- Reflogs fully migratable (completed in 2.48)
**Migration:**
```bash
# Check current ref storage format
git config core.refStorage
# Migrate to reftables
git refs migrate --ref-storage=reftables
# Verify migration
git fsck --full
git log --oneline -5
# Roll back if needed (before critical operations)
git refs migrate --ref-storage=files
```
**When to use:**
- Repositories with 10,000+ refs
- High-frequency branch operations
- CI/CD systems creating many temporary refs
- Monorepos with extensive branching
### Performance Milestones (2.48-2.49)
**Git 2.48:**
- Memory leak free status achieved
- Stable memory usage in long-running operations
**Git 2.49:**
- zlib-ng integration: 20-30% faster compression
- Path-walk API: 50-70% better delta compression
- New name-hashing algorithm for optimal packfiles
Benefits automatically in:
- Large repository clones
- Extended rebase sessions
- Bulk operations (filter-repo, GC, repack)
## Sparse-Checkout (Enhanced in 2.48)
**What:** Check out only a subset of files from repository.
**Use cases:**
- Monorepos (work on one service)
- Large repositories (reduce disk usage)
- Build systems (fetch only needed files)
**Cone Mode (Default - Recommended):**
```bash
# Clone with sparse-checkout
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
# Initialize sparse-checkout in cone mode
git sparse-checkout init --cone
# Add directories to checkout
git sparse-checkout set src/api src/shared docs
# Add more directories
git sparse-checkout add tests/integration
# View current patterns
git sparse-checkout list
# Check what would be matched
git sparse-checkout check-rules src/api/users.ts
# Disable sparse-checkout
git sparse-checkout disable
```
**Advanced Patterns (Non-Cone Mode):**
```bash
# Enable pattern mode
git sparse-checkout init --no-cone
# Add patterns (one per line)
git sparse-checkout set \
"*.md" \
"src/api/*" \
"!src/api/legacy/*"
# Read patterns from file
git sparse-checkout set --stdin < patterns.txt
```
**Reapply Rules:**
```bash
# After merge/rebase that materialized unwanted files
git sparse-checkout reapply
```
## Partial Clone
**What:** Clone repository without downloading all objects initially.
**Filters:**
1. **blob:none** - Defer all blobs (fastest, smallest)
2. **tree:0** - Defer all trees and blobs
3. **blob:limit=1m** - Defer blobs larger than 1MB
**Usage:**
```bash
# Clone without blobs (fetch on demand)
git clone --filter=blob:none <repo-url>
# Clone without large files
git clone --filter=blob:limit=10m <repo-url>
# Combine with sparse-checkout
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
git sparse-checkout set src/api
# Convert existing repository to partial clone
git config extensions.partialClone origin
git config remote.origin.promisor true
git fetch --filter=blob:none
# Prefetch all missing objects
git fetch --unshallow
```
**Combine Partial Clone + Sparse-Checkout:**
```bash
# Ultimate efficiency: Only objects for specific directories
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
git sparse-checkout set --cone src/api
git checkout main
# Result: Only have objects for src/api
```
**Check promisor objects:**
```bash
# Verify partial clone status
git config extensions.partialClone
# See promisor packfiles
ls -lah .git/objects/pack/*.promisor
# Force fetch specific object
git rev-list --objects --missing=print HEAD | grep "^?"
```
## Git Worktrees
**What:** Multiple working directories from one repository.
**Benefits:**
- Work on multiple branches simultaneously
- No need to stash/commit before switching
- Parallel work (review PR while coding)
- Shared .git (one fetch updates all)
**Basic Operations:**
```bash
# List worktrees
git worktree list
# Create worktree for existing branch
git worktree add ../project-feature feature-branch
# Create worktree with new branch
git worktree add -b new-feature ../project-new-feature
# Create worktree from remote branch
git worktree add ../project-fix origin/fix-bug
# Remove worktree
git worktree remove ../project-feature
# Clean up stale worktree references
git worktree prune
```
**Advanced Patterns:**
```bash
# Worktree for PR review while coding
git worktree add ../myproject-pr-123 origin/pull/123/head
cd ../myproject-pr-123
# Review PR in separate directory
cd -
# Continue coding in main worktree
# Worktree for hotfix
git worktree add --detach ../myproject-hotfix v1.2.3
cd ../myproject-hotfix
# Make hotfix
git switch -c hotfix/security-patch
git commit -am "fix: patch vulnerability"
git push -u origin hotfix/security-patch
# Worktree organization
mkdir -p ~/worktrees/myproject
git worktree add ~/worktrees/myproject/feature-a -b feature-a
git worktree add ~/worktrees/myproject/feature-b -b feature-b
git worktree add ~/worktrees/myproject/pr-review origin/pull/42/head
```
**Best Practices:**
1. **Organize directory structure:**
```bash
~/projects/
myproject/ # Main worktree
myproject-feature/ # Feature worktree
myproject-review/ # Review worktree
```
2. **Clean up regularly:**
```bash
# Remove merged worktrees
git worktree list | grep feature | while read wt branch commit; do
if git branch --merged | grep -q "$branch"; then
git worktree remove "$wt"
fi
done
```
3. **Shared configuration:**
- .git/config applies to all worktrees
- .git/info/exclude applies to all worktrees
- Each worktree has own index and HEAD
## Scalar (Large Repository Tool)
**What:** Tool for optimizing very large repositories (Microsoft-developed).
```bash
# Install scalar (comes with Git 2.47+)
scalar register <path>
# Clone with scalar optimizations
scalar clone --branch main <repo-url>
# Enables automatically:
# - Sparse-checkout (cone mode)
# - Partial clone (blob:none)
# - Multi-pack-index
# - Commit-graph
# - Background maintenance
# Unregister
scalar unregister <path>
# Delete repository
scalar delete <path>
```
## Git Backfill (Experimental)
**What:** Background process to fetch missing objects in partial clone.
```bash
# Fetch missing blobs in background
git backfill
# Configure batch size
git backfill --min-batch-size=1000
# Respect sparse-checkout patterns
git backfill --sparse
```
## Performance Comparison
**Traditional Clone:**
```bash
git clone large-repo
# Size: 5GB, Time: 10 minutes
```
**Sparse-Checkout:**
```bash
git clone --sparse large-repo
git sparse-checkout set src/api
# Size: 500MB, Time: 3 minutes
```
**Partial Clone:**
```bash
git clone --filter=blob:none large-repo
# Size: 100MB, Time: 1 minute
```
**Partial Clone + Sparse-Checkout:**
```bash
git clone --filter=blob:none --sparse large-repo
git sparse-checkout set src/api
# Size: 50MB, Time: 30 seconds
```
## When to Use Each Feature
**Sparse-Checkout:**
- ✓ Monorepos
- ✓ Working on specific services/modules
- ✓ Limited disk space
- ✗ Need entire codebase often
**Partial Clone:**
- ✓ CI/CD pipelines
- ✓ Large repositories
- ✓ Good network connectivity
- ✗ Offline work frequently
**Worktrees:**
- ✓ Parallel development
- ✓ PR reviews during work
- ✓ Multiple branch testing
- ✗ Low disk space
**Combine All:**
- ✓ Massive monorepos (Google scale)
- ✓ Multiple simultaneous tasks
- ✓ Minimal local storage
- ✓ Fast network connection
## Troubleshooting
**Sparse-checkout not working:**
```bash
# Verify configuration
git config core.sparseCheckout
git config core.sparseCheckoutCone
# Re-apply patterns
git sparse-checkout reapply
# Check patterns
git sparse-checkout list
```
**Missing objects in partial clone:**
```bash
# Fetch specific object
git fetch origin <commit>
# Fetch all missing
git fetch --unshallow
# Verify promisor config
git config extensions.partialClone
```
**Worktree issues:**
```bash
# Locked worktree
git worktree unlock <path>
# Corrupted worktree
git worktree remove --force <path>
git worktree prune
# Branch already checked out
git checkout --ignore-other-worktrees <branch>
```
## Migration Guide
**From traditional to optimized workflow:**
```bash
# 1. Current large clone
cd large-project
du -sh .git # 5GB
# 2. Create optimized new clone
cd ..
git clone --filter=blob:none --sparse large-project-new
cd large-project-new
git sparse-checkout set src/api src/shared
# 3. Verify size
du -sh .git # 50MB
# 4. Switch workflow
cd ../large-project-new
# 5. Delete old clone when comfortable
rm -rf ../large-project
```
## Resources
- [Git Partial Clone Documentation](https://git-scm.com/docs/partial-clone)
- [Git Sparse-Checkout Guide](https://github.blog/open-source/git/bring-your-monorepo-down-to-size-with-sparse-checkout/)
- [Git Worktree Best Practices](https://git-scm.com/docs/git-worktree)
- [Scalar Documentation](https://github.com/microsoft/scalar)

1746
skills/git-master/SKILL.md Normal file
View File

File diff suppressed because it is too large Load Diff

697
skills/git-security-2025.md Normal file
View File

@@ -0,0 +1,697 @@
---
name: git-security-2025
description: Git security best practices for 2025 including signed commits, zero-trust workflows, secret scanning, and verification
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Git Security Best Practices 2025
## Zero-Trust Security Model (2025 Standard)
**What:** Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.
**Core Principles:**
1. **Never trust, always verify** - Every commit verified
2. **Least privilege access** - Minimal permissions required
3. **Continuous monitoring** - All operations logged and audited
4. **Assume breach** - Defense in depth strategies
### Implementing Zero-Trust for Git
**1. Mandatory Signed Commits:**
```bash
# Global requirement
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Enforce via branch protection (GitHub/GitLab/Azure DevOps)
# Repository Settings → Branches → Require signed commits
```
**2. Identity Verification:**
```bash
# Every commit must verify identity
git log --show-signature -10
# Reject unsigned commits in CI/CD
# .github/workflows/verify.yml
- name: Verify all commits are signed
run: |
git log --pretty="%H" origin/main..HEAD | while read commit; do
if ! git verify-commit "$commit" 2>/dev/null; then
echo "ERROR: Unsigned commit $commit"
exit 1
fi
done
```
**3. Continuous Audit Logging:**
```bash
# Enable Git audit trail
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'
# Export audit log
git audit > git-audit.log
# Monitor for suspicious activity
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"
```
**4. Least Privilege Access:**
```yaml
# GitHub branch protection (zero-trust model)
branches:
main:
protection_rules:
required_pull_request_reviews: true
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_approving_review_count: 2
require_signed_commits: true
enforce_admins: true
restrictions:
users: [] # No direct push
teams: ["security-team"]
```
**5. Continuous Monitoring:**
```bash
# Monitor all repository changes
# .github/workflows/security-monitor.yml
name: Security Monitoring
on: [push, pull_request]
jobs:
monitor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check for unsigned commits
run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"
- name: Scan for secrets
run: gitleaks detect --exit-code 1
- name: Check commit author
run: |
AUTHOR=$(git log -1 --format='%an <%ae>')
echo "Commit by: $AUTHOR"
# Log to SIEM/security monitoring
```
## Signed Commits (Mandatory in 2025)
**Why:** Cryptographically verify commit authorship, prevent impersonation, ensure audit trail.
**Industry Trend:** Signed commits increasingly required in 2025 workflows.
### GPG Signing (Traditional)
**Setup:**
```bash
# Generate GPG key
gpg --full-generate-key
# Choose: RSA and RSA, 4096 bits, expires in 2y
# List keys
gpg --list-secret-keys --keyid-format=long
# Example output:
# sec rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
# uid [ultimate] Your Name <your.email@example.com>
# ssb rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]
# Configure Git
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Export public key for GitHub/GitLab
gpg --armor --export ABC123DEF456
# Copy output and add to GitHub/GitLab/Bitbucket
# Sign commits
git commit -S -m "feat: add authentication"
# Verify signatures
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0
```
**Troubleshooting:**
```bash
# GPG agent not running
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
# Cache passphrase longer
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye
# Test signing
echo "test" | gpg --clearsign
```
### SSH Signing (Modern Alternative - 2023+)
**Why SSH:** Simpler, reuse existing SSH keys, no GPG required.
**Setup:**
```bash
# Check if SSH key exists
ls -la ~/.ssh/id_ed25519.pub
# Generate if needed
ssh-keygen -t ed25519 -C "your.email@example.com"
# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
# Add public key to GitHub
cat ~/.ssh/id_ed25519.pub
# GitHub Settings → SSH and GPG keys → New SSH key → Key type: Signing Key
# Sign commits (automatic with commit.gpgsign=true)
git commit -m "feat: add feature"
# Verify
git log --show-signature
```
**Configure allowed signers file (for verification):**
```bash
# Create allowed signers file
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
# Configure Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Verify commits
git verify-commit HEAD
```
## Secret Scanning & Prevention
### GitHub Secret Scanning (Push Protection)
**Enable in repository:**
- Settings → Code security → Secret scanning → Enable
- Enable push protection (blocks secrets at push time)
**AI-powered detection (2025):**
- AWS credentials
- Azure service principals
- Google Cloud keys
- GitHub tokens
- Database connection strings
- API keys (OpenAI, Stripe, Anthropic, etc.)
- Private keys
- OAuth tokens
- Custom patterns
**Example blocked push:**
```bash
$ git push
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote:
remote: - Push cannot contain secrets
remote:
remote: Resolve the following violations before pushing again
remote:
remote: — AWS Access Key
remote: locations:
remote: - config.py:12
remote:
remote: (Disable push protection: https://github.com/settings/security_analysis)
remote:
To github.com:user/repo.git
! [remote rejected] main -> main (push declined due to repository rule violations)
```
**Fix:**
```bash
# Remove secret from file
# Use environment variable instead
echo "AWS_ACCESS_KEY=your_key" >> .env
echo ".env" >> .gitignore
# Remove from history if already committed
git rm --cached config.py
git commit -m "Remove secrets"
# If in history, use filter-repo
git filter-repo --path config.py --invert-paths
git push --force
```
### Gitleaks (Local Scanning)
**Install:**
```bash
# macOS
brew install gitleaks
# Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/
# Windows
choco install gitleaks
```
**Usage:**
```bash
# Scan entire repository
gitleaks detect
# Scan uncommitted changes
gitleaks protect
# Scan specific directory
gitleaks detect --source ./src
# Generate report
gitleaks detect --report-format json --report-path gitleaks-report.json
# Use in CI/CD
gitleaks detect --exit-code 1
```
**Pre-commit hook:**
```bash
# .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
echo "⚠️ Gitleaks detected secrets. Commit blocked."
exit 1
fi
```
### Git-secrets (AWS-focused)
```bash
# Install
brew install git-secrets # macOS
# or
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
# Initialize in repository
git secrets --install
git secrets --register-aws
# Add custom patterns
git secrets --add 'password\s*=\s*[^\s]+'
git secrets --add 'api[_-]?key\s*=\s*[^\s]+'
# Scan
git secrets --scan
git secrets --scan-history
```
## Enforce Signed Commits
### Branch Protection Rules
**GitHub:**
```
Repository → Settings → Branches → Branch protection rules
☑ Require signed commits
☑ Require linear history
☑ Require status checks to pass
```
**GitLab:**
```
Repository → Settings → Repository → Protected branches
☑ Allowed to push: No one
☑ Allowed to merge: Maintainers
☑ Require all commits be signed
```
**Azure DevOps:**
```
Branch Policies → Add policy → Require signed commits
```
### Pre-receive Hook (Server-side enforcement)
```bash
#!/bin/bash
# .git/hooks/pre-receive (on server)
zero_commit="0000000000000000000000000000000000000000"
while read oldrev newrev refname; do
# Skip branch deletion
if [ "$newrev" = "$zero_commit" ]; then
continue
fi
# Check all commits in push
for commit in $(git rev-list "$oldrev".."$newrev"); do
# Verify commit signature
if ! git verify-commit "$commit" 2>/dev/null; then
echo "Error: Commit $commit is not signed"
echo "All commits must be signed. Configure with:"
echo " git config commit.gpgsign true"
exit 1
fi
done
done
exit 0
```
## Security Configuration
### Recommended Git Config
```bash
# Enforce signed commits
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Use SSH signing (modern)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Security settings
git config --global protocol.version 2
git config --global transfer.fsckobjects true
git config --global fetch.fsckobjects true
git config --global receive.fsckobjects true
# Prevent credential leaks
git config --global credential.helper cache --timeout=3600
# Or use system credential manager
git config --global credential.helper wincred # Windows
git config --global credential.helper osxkeychain # macOS
# Line ending safety
git config --global core.autocrlf true # Windows
git config --global core.autocrlf input # macOS/Linux
# Editor safety (avoid nano/vim leaks)
git config --global core.editor "code --wait"
```
### .gitignore Security
```gitignore
# Secrets
.env
.env.*
*.pem
*.key
*.p12
*.pfx
*_rsa
*_dsa
*_ecdsa
*_ed25519
credentials.json
secrets.yaml
config/secrets.yml
# Cloud provider
.aws/
.azure/
.gcloud/
gcloud-service-key.json
# Databases
*.sqlite
*.db
# Logs (may contain sensitive data)
*.log
logs/
# IDE secrets
.vscode/settings.json
.idea/workspace.xml
# Build artifacts (may contain embedded secrets)
dist/
build/
node_modules/
vendor/
```
## Credential Management
### SSH Keys
```bash
# Generate secure SSH key
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work
# Use ed25519 (modern, secure, fast)
# Avoid RSA < 4096 bits
# Avoid DSA (deprecated)
# Configure SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_work
# Test connection
ssh -T git@github.com
# Use different keys for different services
# ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_ed25519_github
Host gitlab.com
IdentityFile ~/.ssh/id_ed25519_gitlab
```
### HTTPS Credentials
```bash
# Use credential manager (not plaintext!)
# Windows
git config --global credential.helper wincred
# macOS
git config --global credential.helper osxkeychain
# Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret
# Cache for limited time (temporary projects)
git config --global credential.helper 'cache --timeout=3600'
```
### Personal Access Tokens (PAT)
**GitHub:**
- Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Set expiration (max 1 year)
- Minimum scopes needed
- Use for HTTPS authentication
**Never commit tokens:**
```bash
# Use environment variable
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
git clone https://$GITHUB_TOKEN@github.com/user/repo.git
# Or use Git credential helper
gh auth login # GitHub CLI method
```
## CodeQL & Security Scanning
### GitHub CodeQL
**.github/workflows/codeql.yml:**
```yaml
name: "CodeQL Security Scan"
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 1' # Weekly scan
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
strategy:
fail-fast: false
matrix:
language: [ 'javascript', 'python', 'java' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
```
**Detects:**
- SQL injection
- XSS vulnerabilities
- Path traversal
- Command injection
- Insecure deserialization
- Authentication bypass
- Hardcoded secrets
## Audit Trail
### Enable detailed logging
```bash
# Log all Git operations
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'
# Check commit verification
git log --show-signature -10
# Export audit log
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv
# Verify all commits in branch
git log --show-signature main..HEAD
```
## Security Checklist
**Repository Setup:**
- ☑ Enable branch protection
- ☑ Require signed commits
- ☑ Enable secret scanning with push protection
- ☑ Enable CodeQL or similar scanning
- ☑ Configure Dependabot/Renovate
- ☑ Require 2FA for all contributors
**Developer Workstation:**
- ☑ Use GPG or SSH commit signing
- ☑ Configure credential manager (never plaintext)
- ☑ Install and configure gitleaks
- ☑ Create comprehensive .gitignore
- ☑ Enable fsckobjects for transfers
- ☑ Use SSH keys with passphrase
**Workflow:**
- ☑ Never commit secrets
- ☑ Review changes before commit
- ☑ Verify signatures on pull/merge
- ☑ Regular security audits
- ☑ Rotate credentials periodically
- ☑ Use environment variables for secrets
## Incident Response
**Secret leaked in commit:**
```bash
# 1. Rotate compromised credentials IMMEDIATELY
# 2. Remove from latest commit (if not pushed)
git reset HEAD~1
# Edit files to remove secret
git add .
git commit -m "Remove secrets"
# 3. If pushed, remove from history
git filter-repo --path config/secrets.yml --invert-paths
git push --force
# 4. Notify team to re-clone
# 5. Enable push protection to prevent future leaks
```
**Unsigned commits detected:**
```bash
# Identify unsigned commits
git log --show-signature | grep "No signature"
# Re-sign commits (if you authored them)
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10
# Force push (with team coordination)
git push --force-with-lease
```
## Resources
- [Git Signing Documentation](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [Gitleaks Documentation](https://github.com/gitleaks/gitleaks)
- [CodeQL Documentation](https://codeql.github.com/docs/)

487
skills/github-actions-2025.md Normal file
View File

@@ -0,0 +1,487 @@
---
name: github-actions-2025
description: GitHub Actions 2025 features including 1 vCPU runners, immutable releases, and Node24 migration
---
# GitHub Actions 2025 Features
## 1 vCPU Linux Runners (October 2025 - Public Preview)
**What:** New lightweight runners optimized for automation tasks with lower cost.
**Specs:**
- 1 vCPU
- 5 GB RAM
- 15-minute job limit
- Optimized for short-running tasks
### When to Use 1 vCPU Runners
**Ideal for:**
- Issue triage automation
- Label management
- PR comment automation
- Status checks
- Lightweight scripts
- Git operations (checkout, tag, commit)
- Notification tasks
**NOT suitable for:**
- Build operations
- Test suites
- Complex CI/CD pipelines
- Resource-intensive operations
### Usage
```yaml
# .github/workflows/automation.yml
name: Lightweight Automation
on:
issues:
types: [opened, labeled]
jobs:
triage:
runs-on: ubuntu-latest-1-core # New 1 vCPU runner
timeout-minutes: 10 # Max 15 minutes
steps:
- name: Triage Issue
run: |
echo "Triaging issue..."
gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"
```
### Cost Savings Example
```yaml
# Before: Using 2 vCPU runner for simple task
jobs:
label:
runs-on: ubuntu-latest # 2 vCPU, higher cost
steps:
- name: Add label
run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
# After: Using 1 vCPU runner (lower cost)
jobs:
label:
runs-on: ubuntu-latest-1-core # 1 vCPU, 50% cost reduction
timeout-minutes: 5
steps:
- name: Add label
run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
```
## Immutable Releases (August 2025)
**What:** Releases can now be marked immutable - assets and Git tags cannot be changed or deleted once released.
**Benefits:**
- Supply chain security
- Audit compliance
- Prevent tampering
- Trust in release artifacts
### Create Immutable Release
```bash
# Using GitHub CLI
gh release create v1.0.0 \
dist/*.zip \
--title "Version 1.0.0" \
--notes-file CHANGELOG.md \
--immutable
# Verify immutability
gh release view v1.0.0 --json isImmutable
```
### GitHub Actions Workflow
```yaml
# .github/workflows/release.yml
name: Create Immutable Release
on:
push:
tags:
- 'v*'
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build artifacts
run: npm run build
- name: Create Immutable Release
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const tag = context.ref.replace('refs/tags/', '');
await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
tag_name: tag,
name: `Release ${tag}`,
body: fs.readFileSync('CHANGELOG.md', 'utf8'),
draft: false,
prerelease: false,
make_immutable: true # Mark as immutable
});
- name: Upload Release Assets
run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber
```
### Immutable Release Policy
```yaml
# Organizational policy for immutable releases
name: Enforce Immutable Releases
on:
release:
types: [created]
jobs:
enforce-immutability:
runs-on: ubuntu-latest
if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
steps:
- name: Fail if not immutable
run: |
echo "ERROR: Production releases must be immutable"
exit 1
```
## Node24 Migration (September 2025)
**What:** GitHub Actions migrating from Node20 to Node24 in fall 2025.
**Timeline:**
- September 2025: Node24 support added
- October 2025: Deprecation notices for Node20
- November 2025: Node20 phase-out begins
- December 2025: Full migration to Node24
### Update Your Actions
**Check Node version in actions:**
```yaml
# Old - Node20
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@v3
with:
node-version: '20' # Update to 24
# New - Node24
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@v4
with:
node-version: '24' # Current LTS
```
### Runner Version Compatibility
```yaml
# Ensure runner supports Node24
jobs:
test:
runs-on: ubuntu-latest # Runner v2.328.0+ supports Node24
steps:
- name: Verify Node version
run: node --version # Should show v24.x.x
```
### Custom Actions Migration
If you maintain custom actions:
```javascript
// action.yml
runs:
using: 'node24' // Updated from 'node20'
main: 'index.js'
```
```bash
# Update dependencies
npm install @actions/core@latest
npm install @actions/github@latest
# Test with Node24
node --version # Ensure 24.x
npm test
```
## Actions Environment Variables (May 2025)
**What:** Actions environments now available for all plans (public and private repos).
### Environment Protection Rules
```yaml
# .github/workflows/deploy.yml
name: Deploy to Production
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
environment:
name: production
url: https://app.example.com
steps:
- name: Deploy
run: |
echo "Deploying to ${{ vars.DEPLOY_URL }}"
# Deployment steps...
```
**Environment configuration:**
- Settings → Environments → production
- Add protection rules:
- Required reviewers
- Wait timer
- Deployment branches (only main)
## Allowed Actions Policy Updates (August 2025)
**What:** Enhanced governance with explicit blocking and SHA pinning.
### Block Specific Actions
```yaml
# .github/workflows/policy.yml
# Repository or organization settings
allowed-actions:
verified-only: true
# Explicitly block actions
blocked-actions:
- 'untrusted/action@*'
- 'deprecated-org/*'
# Require SHA pinning for security
require-sha-pinning: true
```
### SHA Pinning for Security
```yaml
# Before: Version pinning (can be changed by action maintainer)
- uses: actions/checkout@v4
# After: SHA pinning (immutable)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```
### Generate SHA-Pinned Actions
```bash
# Get commit SHA for specific version
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'
# Or use action-security tool
npx pin-github-action actions/checkout@v4
# Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
## Copilot-Triggered Workflows (April 2025)
**What:** Workflows triggered by Copilot-authored events now require explicit approval.
### Configure Copilot Workflow Approval
```yaml
# .github/workflows/copilot-automation.yml
name: Copilot PR Automation
on:
pull_request:
types: [opened]
jobs:
copilot-review:
runs-on: ubuntu-latest
# Copilot-generated PRs require approval
if: github.event.pull_request.user.login != 'github-copilot[bot]'
steps:
- name: Auto-review
run: gh pr review --approve
```
**Manual approval required for Copilot PRs** (same mechanism as fork PRs).
## Artifact Storage Architecture (February 2025)
**What:** Artifacts moved to new architecture on February 1, 2025.
**Breaking changes:**
- `actions/upload-artifact@v1-v2` retired March 1, 2025
- Must use `actions/upload-artifact@v4+`
### Migration
```yaml
# Old (Retired)
- uses: actions/upload-artifact@v2
with:
name: build-artifacts
path: dist/
# New (Required)
- uses: actions/upload-artifact@v4
with:
name: build-artifacts
path: dist/
retention-days: 30
```
## Windows Server 2019 Retirement (June 2025)
**What:** `windows-2019` runner image fully retired June 30, 2025.
### Migration
```yaml
# Old
jobs:
build:
runs-on: windows-2019 # Retired
# New
jobs:
build:
runs-on: windows-2022 # Current
# Or windows-latest (recommended)
```
## Meta API for Self-Hosted Runners (May 2025)
**What:** New `actions_inbound` section in meta API for network configuration.
```bash
# Get network requirements for self-hosted runners
curl https://api.github.com/meta | jq '.actions_inbound'
# Configure firewall rules based on response
{
"domains": [
"*.actions.githubusercontent.com",
"*.pkg.github.com"
],
"ip_ranges": [
"140.82.112.0/20",
"143.55.64.0/20"
]
}
```
## Best Practices for 2025
### 1. Use Appropriate Runners
```yaml
# Use 1 vCPU for lightweight tasks
jobs:
label-management:
runs-on: ubuntu-latest-1-core
timeout-minutes: 5
# Use standard runners for builds/tests
build:
runs-on: ubuntu-latest
```
### 2. Immutable Releases for Production
```yaml
# Always mark production releases as immutable
- name: Create Release
run: gh release create $TAG --immutable
```
### 3. SHA Pinning for Security
```yaml
# Pin actions to SHA, not tags
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
```
### 4. Update to Node24
```yaml
# Use latest Node version
- uses: actions/setup-node@v4
with:
node-version: '24'
```
### 5. Environment Protection
```yaml
# Use environments for deployments
jobs:
deploy:
environment: production
# Requires approval, wait timer, branch restrictions
```
## Troubleshooting
**1 vCPU runner timeout:**
```yaml
# Ensure task completes within 15 minutes
jobs:
task:
runs-on: ubuntu-latest-1-core
timeout-minutes: 10 # Safety margin
```
**Node24 compatibility issues:**
```bash
# Test locally with Node24
nvm install 24
nvm use 24
npm test
```
**Artifact upload failures:**
```yaml
# Use v4 of artifact actions
- uses: actions/upload-artifact@v4 # Not v1/v2
```
## Resources
- [GitHub Actions 1 vCPU Runners](https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/)
- [Immutable Releases](https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/)
- [Node24 Migration](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/)

382
skills/github-ai-features-2025.md Normal file
View File

@@ -0,0 +1,382 @@
---
name: github-ai-features-2025
description: GitHub AI-powered security and automation features for 2025
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# GitHub AI Features 2025
## Trunk-Based Development (TBD)
Modern workflow used by largest tech companies (Google: 35,000+ developers):
### Principles
1. **Short-lived branches:** Hours to 1 day maximum
2. **Small, frequent commits:** Reduce merge conflicts
3. **Continuous integration:** Always deployable main branch
4. **Feature flags:** Hide incomplete features
### Implementation
```bash
# Create task branch from main
git checkout main
git pull origin main
git checkout -b task/add-login-button
# Make small changes
git add src/components/LoginButton.tsx
git commit -m "feat: add login button component"
# Push and create PR (same day)
git push origin task/add-login-button
gh pr create --title "Add login button" --body "Implements login UI"
# Merge within hours, delete branch
gh pr merge --squash --delete-branch
```
### Benefits
- Reduced merge conflicts (75% decrease)
- Faster feedback cycles
- Easier code reviews (smaller changes)
- Always releasable main branch
- Simplified CI/CD pipelines
## GitHub Secret Protection (AI-Powered)
AI detects secrets before they reach repository:
### Push Protection
```bash
# Attempt to commit secret
git add config.py
git commit -m "Add config"
git push
# GitHub AI detects secret:
"""
⛔ Push blocked by secret scanning
Found: AWS Access Key
Pattern: AKIA[0-9A-Z]{16}
File: config.py:12
Options:
1. Remove secret and try again
2. Mark as false positive (requires justification)
3. Request review from admin
"""
# Fix: Use environment variables
# config.py
import os
aws_key = os.environ.get('AWS_ACCESS_KEY')
git add config.py
git commit -m "Use env vars for secrets"
git push # ✅ Success
```
### Supported Secret Types (AI-Enhanced)
- AWS credentials
- Azure service principals
- Google Cloud keys
- GitHub tokens
- Database connection strings
- API keys (OpenAI, Stripe, etc.)
- Private keys (SSH, TLS)
- OAuth tokens
- Custom patterns (regex-based)
## GitHub Code Security
### CodeQL Code Scanning
AI-powered static analysis:
```yaml
# .github/workflows/codeql.yml
name: "CodeQL"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript, python, java
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
```
**Detects:**
- SQL injection
- XSS vulnerabilities
- Path traversal
- Command injection
- Insecure deserialization
- Authentication bypass
- Logic errors
### Copilot Autofix
AI automatically fixes security vulnerabilities:
```python
# Vulnerable code detected by CodeQL
def get_user(user_id):
query = f"SELECT * FROM users WHERE id = {user_id}" # ❌ SQL injection
return db.execute(query)
# Copilot Autofix suggests:
def get_user(user_id):
query = "SELECT * FROM users WHERE id = ?"
return db.execute(query, (user_id,)) # ✅ Parameterized query
# One-click to apply fix
```
## GitHub Agents (Automated Workflows)
AI agents for automated bug fixes and PR generation:
### Bug Fix Agent
```yaml
# .github/workflows/ai-bugfix.yml
name: AI Bug Fixer
on:
issues:
types: [labeled]
jobs:
autofix:
if: contains(github.event.issue.labels.*.name, 'bug')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Analyze Bug
uses: github/ai-agent@v1
with:
task: 'analyze-bug'
issue-number: ${{ github.event.issue.number }}
- name: Generate Fix
uses: github/ai-agent@v1
with:
task: 'generate-fix'
create-pr: true
pr-title: "Fix: ${{ github.event.issue.title }}"
```
### Automated PR Generation
```bash
# GitHub Agent creates PR automatically
# When issue is labeled "enhancement":
# 1. Analyzes issue description
# 2. Generates implementation code
# 3. Creates tests
# 4. Opens PR with explanation
# Example: Issue #42 "Add dark mode toggle"
# Agent creates PR with:
# - DarkModeToggle.tsx component
# - ThemeContext.tsx provider
# - Tests for theme switching
# - Documentation update
```
## Dependency Review (AI-Enhanced)
AI analyzes dependency changes in PRs:
```yaml
# .github/workflows/dependency-review.yml
name: Dependency Review
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
fail-on-severity: high
fail-on-scopes: runtime
```
**AI Insights:**
- Known vulnerabilities in new dependencies
- License compliance issues
- Breaking changes in updates
- Alternative safer packages
- Dependency freshness score
## Trunk-Based Development Workflow
### Daily Workflow
```bash
# Morning: Sync with main
git checkout main
git pull origin main
# Create task branch
git checkout -b task/user-profile-api
# Work in small iterations (2-4 hours)
# First iteration: API endpoint
git add src/api/profile.ts
git commit -m "feat: add profile API endpoint"
git push origin task/user-profile-api
gh pr create --title "Add user profile API" --draft
# Continue work: Add tests
git add tests/profile.test.ts
git commit -m "test: add profile API tests"
git push
# Mark ready for review
gh pr ready
# Get review (should happen within hours)
# Merge same day
gh pr merge --squash --delete-branch
# Next task: Start fresh from main
git checkout main
git pull origin main
git checkout -b task/profile-ui
```
### Small, Frequent Commits Pattern
```bash
# ❌ Bad: Large infrequent commit
git add .
git commit -m "Add complete user profile feature with API, UI, tests, docs"
# 50 files changed, 2000 lines
# ✅ Good: Small frequent commits
git add src/api/profile.ts
git commit -m "feat: add profile API endpoint"
git push
git add src/components/ProfileCard.tsx
git commit -m "feat: add profile card component"
git push
git add tests/profile.test.ts
git commit -m "test: add profile tests"
git push
git add docs/profile.md
git commit -m "docs: document profile API"
git push
# Each commit: 1-3 files, 50-200 lines
# Easier reviews, faster merges, less conflicts
```
## Security Best Practices (2025)
1. **Enable Secret Scanning:**
```bash
# Repository Settings → Security → Secret scanning
# Enable: Push protection + AI detection
```
2. **Configure CodeQL:**
```bash
# Add .github/workflows/codeql.yml
# Enable for all languages in project
```
3. **Use Copilot Autofix:**
```bash
# Review security alerts weekly
# Apply Copilot-suggested fixes
# Test before merging
```
4. **Implement Trunk-Based Development:**
```bash
# Branch lifespan: <1 day
# Commit frequency: Every 2-4 hours
# Main branch: Always deployable
```
5. **Leverage GitHub Agents:**
```bash
# Automate: Bug triage, PR creation, dependency updates
# Review: All AI-generated code before merging
```
## Resources
- [Trunk-Based Development](https://trunkbaseddevelopment.com)
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
- [GitHub Copilot for Security](https://github.com/features/security)