zhongwei/gh-josiahsiegel-claude-code-marketplace-plugins-git-master
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:29:08 +08:00
commit 139e230a67
10 changed files with 4284 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

330
skills/git-2-49-features.md Normal file
View File

@@ -0,0 +1,330 @@
---
name: git-2-49-features
description: Git 2.49+ features including git-backfill, path-walk API, and performance improvements
---
# Git 2.49+ Features (2025)
## git-backfill Command (New in 2.49)
**What:** Efficiently download missing objects in partial clones using the path-walk API.
**Why:** Dramatically improves delta compression when fetching objects from partial clones, resulting in smaller downloads and better performance.
### Basic Usage
```bash
# Check if you have a partial clone
git config extensions.partialClone
# Download missing objects in background
git backfill
# Download with custom batch size
git backfill --batch-size=1000
# Respect sparse-checkout patterns (only fetch needed files)
git backfill --sparse
# Check progress
git backfill --verbose
```
### When to Use
**Scenario 1: After cloning with --filter=blob:none**
```bash
# Clone without blobs
git clone --filter=blob:none https://github.com/large/repo.git
cd repo
# Later, prefetch all missing objects efficiently
git backfill
```
**Scenario 2: Sparse-checkout + Partial clone**
```bash
# Clone with both optimizations
git clone --filter=blob:none --sparse https://github.com/monorepo.git
cd monorepo
git sparse-checkout set src/api
# Fetch only needed objects
git backfill --sparse
```
**Scenario 3: CI/CD Optimization**
```bash
# In CI pipeline - fetch only what's needed
git clone --filter=blob:none --depth=1 repo
git backfill --sparse
# Much faster than full clone
```
### Performance Comparison
**Traditional partial clone fetch:**
```bash
git fetch --unshallow
# Downloads 500MB in random order
# Poor delta compression
```
**With git-backfill:**
```bash
git backfill
# Downloads 150MB with optimized delta compression (70% reduction)
# Groups objects by path for better compression
```
## Path-Walk API (New in 2.49)
**What:** Internal API that groups together objects appearing at the same path, enabling much better delta compression.
**How it works:** Instead of processing objects in commit order, path-walk processes them by filesystem path, allowing Git to find better delta bases.
**Benefits:**
- 50-70% better compression in partial clone scenarios
- Faster object transfers
- Reduced network usage
- Optimized packfile generation
**You benefit automatically when using:**
- `git backfill`
- `git repack` (improved in 2.49)
- Server-side object transfers
### Enable Path-Walk Optimizations
```bash
# For repack operations
git config pack.useBitmaps true
git config pack.writeBitmaps true
# Repack with path-walk optimizations
git repack -a -d -f
# Check improvement
git count-objects -v
```
## Performance Improvements with zlib-ng
**What:** Git 2.49 includes improved performance through zlib-ng integration for compression/decompression.
**Benefits:**
- 20-30% faster compression
- 10-15% faster decompression
- Lower CPU usage during pack operations
- Transparent - no configuration needed
**Automatically improves:**
- `git clone`
- `git fetch`
- `git push`
- `git gc`
- `git repack`
## New Name-Hashing Algorithm
**What:** Improved algorithm for selecting object pairs during delta compression.
**Results:**
- More efficient packfiles
- Better compression ratios (5-10% improvement)
- Faster repack operations
**Automatic - no action needed.**
## Rust Bindings for libgit
**What:** Git 2.49 added Rust bindings (libgit-sys and libgit-rs) for Git's internal libraries.
**Relevance:** Future Git tooling and performance improvements will leverage Rust for memory safety and performance.
**For developers:** You can now build Git tools in Rust using official bindings.
## Promisor Remote Enhancements
**What:** Servers can now advertise promisor remote information to clients.
**Benefits:**
- Better handling of large files in partial clones
- Improved lazy fetching
- More efficient missing object retrieval
**Configuration:**
```bash
# View promisor remote info
git config remote.origin.promisor
git config extensions.partialClone
# Verify promisor packfiles
ls -lah .git/objects/pack/*.promisor
```
## Git 2.49 Workflow Examples
### Example 1: Ultra-Efficient Monorepo Clone
```bash
# Clone large monorepo with maximum efficiency
git clone --filter=blob:none --sparse https://github.com/company/monorepo.git
cd monorepo
# Only checkout your team's service
git sparse-checkout set --cone services/api
# Fetch needed objects with path-walk optimization
git backfill --sparse
# Result: 95% smaller than full clone, 70% faster download
```
### Example 2: CI/CD Pipeline Optimization
```yaml
# .github/workflows/ci.yml
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout with optimizations
run: |
git clone --filter=blob:none --depth=1 --sparse ${{ github.repositoryUrl }}
cd repo
git sparse-checkout set src tests
git backfill --sparse
- name: Run tests
run: npm test
# 80% faster than full clone in CI
```
### Example 3: Working with Huge History
```bash
# Clone repository with massive history
git clone --filter=blob:none https://github.com/project/with-long-history.git
cd with-long-history
# Work on recent code only (objects fetched on demand)
git checkout -b feature/new-feature
# When you need full history
git backfill
# Repack for optimal storage
git repack -a -d -f # Uses path-walk API
```
## Deprecated Features (Removal in Git 3.0)
**⚠️ Now Officially Deprecated:**
- `.git/branches/` directory (use remotes instead)
- `.git/remotes/` directory (use git remote commands)
**Migration:**
```bash
# If you have old-style remotes, convert them
# Check for deprecated directories
ls -la .git/branches .git/remotes 2>/dev/null
# Use modern remote configuration
git remote add origin https://github.com/user/repo.git
git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'
```
## Meson Build System
**What:** Continued development on Meson as alternative build system for Git.
**Why:** Faster builds, better cross-platform support.
**Status:** Experimental - use `make` for production.
## netrc Support Re-enabled
**What:** HTTP transport now supports .netrc for authentication.
**Usage:**
```bash
# ~/.netrc
machine github.com
login your-username
password your-token
# Git will now use these credentials automatically
git clone https://github.com/private/repo.git
```
## Best Practices with Git 2.49
1. **Use git-backfill for partial clones:**
```bash
git backfill --sparse # Better than git fetch --unshallow
```
2. **Combine optimizations:**
```bash
git clone --filter=blob:none --sparse <url>
git sparse-checkout set --cone <paths>
git backfill --sparse
```
3. **Regular maintenance:**
```bash
git backfill # Fill in missing objects
git repack -a -d -f # Optimize with path-walk
git prune # Clean up
```
4. **Monitor partial clone status:**
```bash
# Check promisor remotes
git config extensions.partialClone
# List missing objects
git rev-list --objects --all --missing=print | grep "^?"
```
5. **Migrate deprecated features:**
```bash
# Move away from .git/branches and .git/remotes
# Use git remote commands instead
```
## Troubleshooting
**git-backfill not found:**
```bash
# Verify Git version
git --version # Must be 2.49+
# Update Git
brew upgrade git # macOS
apt update && apt install git # Ubuntu
```
**Promisor remote issues:**
```bash
# Reset promisor configuration
git config --unset extensions.partialClone
git config --unset remote.origin.promisor
# Re-enable
git config extensions.partialClone origin
git config remote.origin.promisor true
```
**Poor delta compression:**
```bash
# Force repack with path-walk optimization
git repack -a -d -f --depth=250 --window=250
```
## Resources
- [Git 2.49 Release Notes](https://github.blog/open-source/git/highlights-from-git-2-49/)
- [Path-Walk API Documentation](https://git-scm.com/docs/api-path-walk)
- [Partial Clone Documentation](https://git-scm.com/docs/partial-clone)

459
skills/git-2025-features.md Normal file
View File

@@ -0,0 +1,459 @@
---
name: git-2025-features
description: Git 2.49+ features including reftables, sparse-checkout, partial clone, git-backfill, and worktrees
---
**📌 NOTE:** For detailed Git 2.49+ features (git-backfill, path-walk API, zlib-ng), see git-2-49-features.md skill.
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Git 2025 Features - Advanced Capabilities
## Git 2.49 (March 2025) - Latest
**Major additions:** git-backfill, path-walk API, zlib-ng performance, improved delta compression.
**See git-2-49-features.md for complete coverage.**
## Git 2.48-2.49 Features
### Reftables Migration (Completed in 2.48)
**What:** New reference storage format replacing loose ref files and packed-refs.
**Benefits:**
- Faster ref operations (50-80% improvement)
- Atomic ref updates
- Better scalability for repositories with many refs
- Reflogs fully migratable (completed in 2.48)
**Migration:**
```bash
# Check current ref storage format
git config core.refStorage
# Migrate to reftables
git refs migrate --ref-storage=reftables
# Verify migration
git fsck --full
git log --oneline -5
# Roll back if needed (before critical operations)
git refs migrate --ref-storage=files
```
**When to use:**
- Repositories with 10,000+ refs
- High-frequency branch operations
- CI/CD systems creating many temporary refs
- Monorepos with extensive branching
### Performance Milestones (2.48-2.49)
**Git 2.48:**
- Memory leak free status achieved
- Stable memory usage in long-running operations
**Git 2.49:**
- zlib-ng integration: 20-30% faster compression
- Path-walk API: 50-70% better delta compression
- New name-hashing algorithm for optimal packfiles
Benefits automatically in:
- Large repository clones
- Extended rebase sessions
- Bulk operations (filter-repo, GC, repack)
## Sparse-Checkout (Enhanced in 2.48)
**What:** Check out only a subset of files from repository.
**Use cases:**
- Monorepos (work on one service)
- Large repositories (reduce disk usage)
- Build systems (fetch only needed files)
**Cone Mode (Default - Recommended):**
```bash
# Clone with sparse-checkout
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
# Initialize sparse-checkout in cone mode
git sparse-checkout init --cone
# Add directories to checkout
git sparse-checkout set src/api src/shared docs
# Add more directories
git sparse-checkout add tests/integration
# View current patterns
git sparse-checkout list
# Check what would be matched
git sparse-checkout check-rules src/api/users.ts
# Disable sparse-checkout
git sparse-checkout disable
```
**Advanced Patterns (Non-Cone Mode):**
```bash
# Enable pattern mode
git sparse-checkout init --no-cone
# Add patterns (one per line)
git sparse-checkout set \
"*.md" \
"src/api/*" \
"!src/api/legacy/*"
# Read patterns from file
git sparse-checkout set --stdin < patterns.txt
```
**Reapply Rules:**
```bash
# After merge/rebase that materialized unwanted files
git sparse-checkout reapply
```
## Partial Clone
**What:** Clone repository without downloading all objects initially.
**Filters:**
1. **blob:none** - Defer all blobs (fastest, smallest)
2. **tree:0** - Defer all trees and blobs
3. **blob:limit=1m** - Defer blobs larger than 1MB
**Usage:**
```bash
# Clone without blobs (fetch on demand)
git clone --filter=blob:none <repo-url>
# Clone without large files
git clone --filter=blob:limit=10m <repo-url>
# Combine with sparse-checkout
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
git sparse-checkout set src/api
# Convert existing repository to partial clone
git config extensions.partialClone origin
git config remote.origin.promisor true
git fetch --filter=blob:none
# Prefetch all missing objects
git fetch --unshallow
```
**Combine Partial Clone + Sparse-Checkout:**
```bash
# Ultimate efficiency: Only objects for specific directories
git clone --filter=blob:none --sparse <repo-url>
cd <repo>
git sparse-checkout set --cone src/api
git checkout main
# Result: Only have objects for src/api
```
**Check promisor objects:**
```bash
# Verify partial clone status
git config extensions.partialClone
# See promisor packfiles
ls -lah .git/objects/pack/*.promisor
# Force fetch specific object
git rev-list --objects --missing=print HEAD | grep "^?"
```
## Git Worktrees
**What:** Multiple working directories from one repository.
**Benefits:**
- Work on multiple branches simultaneously
- No need to stash/commit before switching
- Parallel work (review PR while coding)
- Shared .git (one fetch updates all)
**Basic Operations:**
```bash
# List worktrees
git worktree list
# Create worktree for existing branch
git worktree add ../project-feature feature-branch
# Create worktree with new branch
git worktree add -b new-feature ../project-new-feature
# Create worktree from remote branch
git worktree add ../project-fix origin/fix-bug
# Remove worktree
git worktree remove ../project-feature
# Clean up stale worktree references
git worktree prune
```
**Advanced Patterns:**
```bash
# Worktree for PR review while coding
git worktree add ../myproject-pr-123 origin/pull/123/head
cd ../myproject-pr-123
# Review PR in separate directory
cd -
# Continue coding in main worktree
# Worktree for hotfix
git worktree add --detach ../myproject-hotfix v1.2.3
cd ../myproject-hotfix
# Make hotfix
git switch -c hotfix/security-patch
git commit -am "fix: patch vulnerability"
git push -u origin hotfix/security-patch
# Worktree organization
mkdir -p ~/worktrees/myproject
git worktree add ~/worktrees/myproject/feature-a -b feature-a
git worktree add ~/worktrees/myproject/feature-b -b feature-b
git worktree add ~/worktrees/myproject/pr-review origin/pull/42/head
```
**Best Practices:**
1. **Organize directory structure:**
```bash
~/projects/
myproject/ # Main worktree
myproject-feature/ # Feature worktree
myproject-review/ # Review worktree
```
2. **Clean up regularly:**
```bash
# Remove merged worktrees
git worktree list | grep feature | while read wt branch commit; do
if git branch --merged | grep -q "$branch"; then
git worktree remove "$wt"
fi
done
```
3. **Shared configuration:**
- .git/config applies to all worktrees
- .git/info/exclude applies to all worktrees
- Each worktree has own index and HEAD
## Scalar (Large Repository Tool)
**What:** Tool for optimizing very large repositories (Microsoft-developed).
```bash
# Install scalar (comes with Git 2.47+)
scalar register <path>
# Clone with scalar optimizations
scalar clone --branch main <repo-url>
# Enables automatically:
# - Sparse-checkout (cone mode)
# - Partial clone (blob:none)
# - Multi-pack-index
# - Commit-graph
# - Background maintenance
# Unregister
scalar unregister <path>
# Delete repository
scalar delete <path>
```
## Git Backfill (Experimental)
**What:** Background process to fetch missing objects in partial clone.
```bash
# Fetch missing blobs in background
git backfill
# Configure batch size
git backfill --min-batch-size=1000
# Respect sparse-checkout patterns
git backfill --sparse
```
## Performance Comparison
**Traditional Clone:**
```bash
git clone large-repo
# Size: 5GB, Time: 10 minutes
```
**Sparse-Checkout:**
```bash
git clone --sparse large-repo
git sparse-checkout set src/api
# Size: 500MB, Time: 3 minutes
```
**Partial Clone:**
```bash
git clone --filter=blob:none large-repo
# Size: 100MB, Time: 1 minute
```
**Partial Clone + Sparse-Checkout:**
```bash
git clone --filter=blob:none --sparse large-repo
git sparse-checkout set src/api
# Size: 50MB, Time: 30 seconds
```
## When to Use Each Feature
**Sparse-Checkout:**
- ✓ Monorepos
- ✓ Working on specific services/modules
- ✓ Limited disk space
- ✗ Need entire codebase often
**Partial Clone:**
- ✓ CI/CD pipelines
- ✓ Large repositories
- ✓ Good network connectivity
- ✗ Offline work frequently
**Worktrees:**
- ✓ Parallel development
- ✓ PR reviews during work
- ✓ Multiple branch testing
- ✗ Low disk space
**Combine All:**
- ✓ Massive monorepos (Google scale)
- ✓ Multiple simultaneous tasks
- ✓ Minimal local storage
- ✓ Fast network connection
## Troubleshooting
**Sparse-checkout not working:**
```bash
# Verify configuration
git config core.sparseCheckout
git config core.sparseCheckoutCone
# Re-apply patterns
git sparse-checkout reapply
# Check patterns
git sparse-checkout list
```
**Missing objects in partial clone:**
```bash
# Fetch specific object
git fetch origin <commit>
# Fetch all missing
git fetch --unshallow
# Verify promisor config
git config extensions.partialClone
```
**Worktree issues:**
```bash
# Locked worktree
git worktree unlock <path>
# Corrupted worktree
git worktree remove --force <path>
git worktree prune
# Branch already checked out
git checkout --ignore-other-worktrees <branch>
```
## Migration Guide
**From traditional to optimized workflow:**
```bash
# 1. Current large clone
cd large-project
du -sh .git # 5GB
# 2. Create optimized new clone
cd ..
git clone --filter=blob:none --sparse large-project-new
cd large-project-new
git sparse-checkout set src/api src/shared
# 3. Verify size
du -sh .git # 50MB
# 4. Switch workflow
cd ../large-project-new
# 5. Delete old clone when comfortable
rm -rf ../large-project
```
## Resources
- [Git Partial Clone Documentation](https://git-scm.com/docs/partial-clone)
- [Git Sparse-Checkout Guide](https://github.blog/open-source/git/bring-your-monorepo-down-to-size-with-sparse-checkout/)
- [Git Worktree Best Practices](https://git-scm.com/docs/git-worktree)
- [Scalar Documentation](https://github.com/microsoft/scalar)

1746
skills/git-master/SKILL.md Normal file
View File

File diff suppressed because it is too large Load Diff

697
skills/git-security-2025.md Normal file
View File

@@ -0,0 +1,697 @@
---
name: git-security-2025
description: Git security best practices for 2025 including signed commits, zero-trust workflows, secret scanning, and verification
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Git Security Best Practices 2025
## Zero-Trust Security Model (2025 Standard)
**What:** Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.
**Core Principles:**
1. **Never trust, always verify** - Every commit verified
2. **Least privilege access** - Minimal permissions required
3. **Continuous monitoring** - All operations logged and audited
4. **Assume breach** - Defense in depth strategies
### Implementing Zero-Trust for Git
**1. Mandatory Signed Commits:**
```bash
# Global requirement
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Enforce via branch protection (GitHub/GitLab/Azure DevOps)
# Repository Settings → Branches → Require signed commits
```
**2. Identity Verification:**
```bash
# Every commit must verify identity
git log --show-signature -10
# Reject unsigned commits in CI/CD
# .github/workflows/verify.yml
- name: Verify all commits are signed
run: |
git log --pretty="%H" origin/main..HEAD | while read commit; do
if ! git verify-commit "$commit" 2>/dev/null; then
echo "ERROR: Unsigned commit $commit"
exit 1
fi
done
```
**3. Continuous Audit Logging:**
```bash
# Enable Git audit trail
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'
# Export audit log
git audit > git-audit.log
# Monitor for suspicious activity
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"
```
**4. Least Privilege Access:**
```yaml
# GitHub branch protection (zero-trust model)
branches:
main:
protection_rules:
required_pull_request_reviews: true
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_approving_review_count: 2
require_signed_commits: true
enforce_admins: true
restrictions:
users: [] # No direct push
teams: ["security-team"]
```
**5. Continuous Monitoring:**
```bash
# Monitor all repository changes
# .github/workflows/security-monitor.yml
name: Security Monitoring
on: [push, pull_request]
jobs:
monitor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check for unsigned commits
run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"
- name: Scan for secrets
run: gitleaks detect --exit-code 1
- name: Check commit author
run: |
AUTHOR=$(git log -1 --format='%an <%ae>')
echo "Commit by: $AUTHOR"
# Log to SIEM/security monitoring
```
## Signed Commits (Mandatory in 2025)
**Why:** Cryptographically verify commit authorship, prevent impersonation, ensure audit trail.
**Industry Trend:** Signed commits increasingly required in 2025 workflows.
### GPG Signing (Traditional)
**Setup:**
```bash
# Generate GPG key
gpg --full-generate-key
# Choose: RSA and RSA, 4096 bits, expires in 2y
# List keys
gpg --list-secret-keys --keyid-format=long
# Example output:
# sec rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
# uid [ultimate] Your Name <your.email@example.com>
# ssb rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]
# Configure Git
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Export public key for GitHub/GitLab
gpg --armor --export ABC123DEF456
# Copy output and add to GitHub/GitLab/Bitbucket
# Sign commits
git commit -S -m "feat: add authentication"
# Verify signatures
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0
```
**Troubleshooting:**
```bash
# GPG agent not running
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
# Cache passphrase longer
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye
# Test signing
echo "test" | gpg --clearsign
```
### SSH Signing (Modern Alternative - 2023+)
**Why SSH:** Simpler, reuse existing SSH keys, no GPG required.
**Setup:**
```bash
# Check if SSH key exists
ls -la ~/.ssh/id_ed25519.pub
# Generate if needed
ssh-keygen -t ed25519 -C "your.email@example.com"
# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
# Add public key to GitHub
cat ~/.ssh/id_ed25519.pub
# GitHub Settings → SSH and GPG keys → New SSH key → Key type: Signing Key
# Sign commits (automatic with commit.gpgsign=true)
git commit -m "feat: add feature"
# Verify
git log --show-signature
```
**Configure allowed signers file (for verification):**
```bash
# Create allowed signers file
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
# Configure Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Verify commits
git verify-commit HEAD
```
## Secret Scanning & Prevention
### GitHub Secret Scanning (Push Protection)
**Enable in repository:**
- Settings → Code security → Secret scanning → Enable
- Enable push protection (blocks secrets at push time)
**AI-powered detection (2025):**
- AWS credentials
- Azure service principals
- Google Cloud keys
- GitHub tokens
- Database connection strings
- API keys (OpenAI, Stripe, Anthropic, etc.)
- Private keys
- OAuth tokens
- Custom patterns
**Example blocked push:**
```bash
$ git push
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote:
remote: - Push cannot contain secrets
remote:
remote: Resolve the following violations before pushing again
remote:
remote: — AWS Access Key
remote: locations:
remote: - config.py:12
remote:
remote: (Disable push protection: https://github.com/settings/security_analysis)
remote:
To github.com:user/repo.git
! [remote rejected] main -> main (push declined due to repository rule violations)
```
**Fix:**
```bash
# Remove secret from file
# Use environment variable instead
echo "AWS_ACCESS_KEY=your_key" >> .env
echo ".env" >> .gitignore
# Remove from history if already committed
git rm --cached config.py
git commit -m "Remove secrets"
# If in history, use filter-repo
git filter-repo --path config.py --invert-paths
git push --force
```
### Gitleaks (Local Scanning)
**Install:**
```bash
# macOS
brew install gitleaks
# Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/
# Windows
choco install gitleaks
```
**Usage:**
```bash
# Scan entire repository
gitleaks detect
# Scan uncommitted changes
gitleaks protect
# Scan specific directory
gitleaks detect --source ./src
# Generate report
gitleaks detect --report-format json --report-path gitleaks-report.json
# Use in CI/CD
gitleaks detect --exit-code 1
```
**Pre-commit hook:**
```bash
# .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
echo "⚠️ Gitleaks detected secrets. Commit blocked."
exit 1
fi
```
### Git-secrets (AWS-focused)
```bash
# Install
brew install git-secrets # macOS
# or
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
# Initialize in repository
git secrets --install
git secrets --register-aws
# Add custom patterns
git secrets --add 'password\s*=\s*[^\s]+'
git secrets --add 'api[_-]?key\s*=\s*[^\s]+'
# Scan
git secrets --scan
git secrets --scan-history
```
## Enforce Signed Commits
### Branch Protection Rules
**GitHub:**
```
Repository → Settings → Branches → Branch protection rules
☑ Require signed commits
☑ Require linear history
☑ Require status checks to pass
```
**GitLab:**
```
Repository → Settings → Repository → Protected branches
☑ Allowed to push: No one
☑ Allowed to merge: Maintainers
☑ Require all commits be signed
```
**Azure DevOps:**
```
Branch Policies → Add policy → Require signed commits
```
### Pre-receive Hook (Server-side enforcement)
```bash
#!/bin/bash
# .git/hooks/pre-receive (on server)
zero_commit="0000000000000000000000000000000000000000"
while read oldrev newrev refname; do
# Skip branch deletion
if [ "$newrev" = "$zero_commit" ]; then
continue
fi
# Check all commits in push
for commit in $(git rev-list "$oldrev".."$newrev"); do
# Verify commit signature
if ! git verify-commit "$commit" 2>/dev/null; then
echo "Error: Commit $commit is not signed"
echo "All commits must be signed. Configure with:"
echo " git config commit.gpgsign true"
exit 1
fi
done
done
exit 0
```
## Security Configuration
### Recommended Git Config
```bash
# Enforce signed commits
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Use SSH signing (modern)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Security settings
git config --global protocol.version 2
git config --global transfer.fsckobjects true
git config --global fetch.fsckobjects true
git config --global receive.fsckobjects true
# Prevent credential leaks
git config --global credential.helper cache --timeout=3600
# Or use system credential manager
git config --global credential.helper wincred # Windows
git config --global credential.helper osxkeychain # macOS
# Line ending safety
git config --global core.autocrlf true # Windows
git config --global core.autocrlf input # macOS/Linux
# Editor safety (avoid nano/vim leaks)
git config --global core.editor "code --wait"
```
### .gitignore Security
```gitignore
# Secrets
.env
.env.*
*.pem
*.key
*.p12
*.pfx
*_rsa
*_dsa
*_ecdsa
*_ed25519
credentials.json
secrets.yaml
config/secrets.yml
# Cloud provider
.aws/
.azure/
.gcloud/
gcloud-service-key.json
# Databases
*.sqlite
*.db
# Logs (may contain sensitive data)
*.log
logs/
# IDE secrets
.vscode/settings.json
.idea/workspace.xml
# Build artifacts (may contain embedded secrets)
dist/
build/
node_modules/
vendor/
```
## Credential Management
### SSH Keys
```bash
# Generate secure SSH key
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work
# Use ed25519 (modern, secure, fast)
# Avoid RSA < 4096 bits
# Avoid DSA (deprecated)
# Configure SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_work
# Test connection
ssh -T git@github.com
# Use different keys for different services
# ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_ed25519_github
Host gitlab.com
IdentityFile ~/.ssh/id_ed25519_gitlab
```
### HTTPS Credentials
```bash
# Use credential manager (not plaintext!)
# Windows
git config --global credential.helper wincred
# macOS
git config --global credential.helper osxkeychain
# Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret
# Cache for limited time (temporary projects)
git config --global credential.helper 'cache --timeout=3600'
```
### Personal Access Tokens (PAT)
**GitHub:**
- Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Set expiration (max 1 year)
- Minimum scopes needed
- Use for HTTPS authentication
**Never commit tokens:**
```bash
# Use environment variable
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
git clone https://$GITHUB_TOKEN@github.com/user/repo.git
# Or use Git credential helper
gh auth login # GitHub CLI method
```
## CodeQL & Security Scanning
### GitHub CodeQL
**.github/workflows/codeql.yml:**
```yaml
name: "CodeQL Security Scan"
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 1' # Weekly scan
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
strategy:
fail-fast: false
matrix:
language: [ 'javascript', 'python', 'java' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
```
**Detects:**
- SQL injection
- XSS vulnerabilities
- Path traversal
- Command injection
- Insecure deserialization
- Authentication bypass
- Hardcoded secrets
## Audit Trail
### Enable detailed logging
```bash
# Log all Git operations
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'
# Check commit verification
git log --show-signature -10
# Export audit log
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv
# Verify all commits in branch
git log --show-signature main..HEAD
```
## Security Checklist
**Repository Setup:**
- ☑ Enable branch protection
- ☑ Require signed commits
- ☑ Enable secret scanning with push protection
- ☑ Enable CodeQL or similar scanning
- ☑ Configure Dependabot/Renovate
- ☑ Require 2FA for all contributors
**Developer Workstation:**
- ☑ Use GPG or SSH commit signing
- ☑ Configure credential manager (never plaintext)
- ☑ Install and configure gitleaks
- ☑ Create comprehensive .gitignore
- ☑ Enable fsckobjects for transfers
- ☑ Use SSH keys with passphrase
**Workflow:**
- ☑ Never commit secrets
- ☑ Review changes before commit
- ☑ Verify signatures on pull/merge
- ☑ Regular security audits
- ☑ Rotate credentials periodically
- ☑ Use environment variables for secrets
## Incident Response
**Secret leaked in commit:**
```bash
# 1. Rotate compromised credentials IMMEDIATELY
# 2. Remove from latest commit (if not pushed)
git reset HEAD~1
# Edit files to remove secret
git add .
git commit -m "Remove secrets"
# 3. If pushed, remove from history
git filter-repo --path config/secrets.yml --invert-paths
git push --force
# 4. Notify team to re-clone
# 5. Enable push protection to prevent future leaks
```
**Unsigned commits detected:**
```bash
# Identify unsigned commits
git log --show-signature | grep "No signature"
# Re-sign commits (if you authored them)
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10
# Force push (with team coordination)
git push --force-with-lease
```
## Resources
- [Git Signing Documentation](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [Gitleaks Documentation](https://github.com/gitleaks/gitleaks)
- [CodeQL Documentation](https://codeql.github.com/docs/)

487
skills/github-actions-2025.md Normal file
View File

@@ -0,0 +1,487 @@
---
name: github-actions-2025
description: GitHub Actions 2025 features including 1 vCPU runners, immutable releases, and Node24 migration
---
# GitHub Actions 2025 Features
## 1 vCPU Linux Runners (October 2025 - Public Preview)
**What:** New lightweight runners optimized for automation tasks with lower cost.
**Specs:**
- 1 vCPU
- 5 GB RAM
- 15-minute job limit
- Optimized for short-running tasks
### When to Use 1 vCPU Runners
**Ideal for:**
- Issue triage automation
- Label management
- PR comment automation
- Status checks
- Lightweight scripts
- Git operations (checkout, tag, commit)
- Notification tasks
**NOT suitable for:**
- Build operations
- Test suites
- Complex CI/CD pipelines
- Resource-intensive operations
### Usage
```yaml
# .github/workflows/automation.yml
name: Lightweight Automation
on:
issues:
types: [opened, labeled]
jobs:
triage:
runs-on: ubuntu-latest-1-core # New 1 vCPU runner
timeout-minutes: 10 # Max 15 minutes
steps:
- name: Triage Issue
run: |
echo "Triaging issue..."
gh issue edit ${{ github.event.issue.number }} --add-label "needs-review"
```
### Cost Savings Example
```yaml
# Before: Using 2 vCPU runner for simple task
jobs:
label:
runs-on: ubuntu-latest # 2 vCPU, higher cost
steps:
- name: Add label
run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
# After: Using 1 vCPU runner (lower cost)
jobs:
label:
runs-on: ubuntu-latest-1-core # 1 vCPU, 50% cost reduction
timeout-minutes: 5
steps:
- name: Add label
run: gh pr edit ${{ github.event.number }} --add-label "reviewed"
```
## Immutable Releases (August 2025)
**What:** Releases can now be marked immutable - assets and Git tags cannot be changed or deleted once released.
**Benefits:**
- Supply chain security
- Audit compliance
- Prevent tampering
- Trust in release artifacts
### Create Immutable Release
```bash
# Using GitHub CLI
gh release create v1.0.0 \
dist/*.zip \
--title "Version 1.0.0" \
--notes-file CHANGELOG.md \
--immutable
# Verify immutability
gh release view v1.0.0 --json isImmutable
```
### GitHub Actions Workflow
```yaml
# .github/workflows/release.yml
name: Create Immutable Release
on:
push:
tags:
- 'v*'
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build artifacts
run: npm run build
- name: Create Immutable Release
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const tag = context.ref.replace('refs/tags/', '');
await github.rest.repos.createRelease({
owner: context.repo.owner,
repo: context.repo.repo,
tag_name: tag,
name: `Release ${tag}`,
body: fs.readFileSync('CHANGELOG.md', 'utf8'),
draft: false,
prerelease: false,
make_immutable: true # Mark as immutable
});
- name: Upload Release Assets
run: gh release upload ${{ github.ref_name }} dist/*.zip --clobber
```
### Immutable Release Policy
```yaml
# Organizational policy for immutable releases
name: Enforce Immutable Releases
on:
release:
types: [created]
jobs:
enforce-immutability:
runs-on: ubuntu-latest
if: "!github.event.release.immutable && startsWith(github.event.release.tag_name, 'v')"
steps:
- name: Fail if not immutable
run: |
echo "ERROR: Production releases must be immutable"
exit 1
```
## Node24 Migration (September 2025)
**What:** GitHub Actions migrating from Node20 to Node24 in fall 2025.
**Timeline:**
- September 2025: Node24 support added
- October 2025: Deprecation notices for Node20
- November 2025: Node20 phase-out begins
- December 2025: Full migration to Node24
### Update Your Actions
**Check Node version in actions:**
```yaml
# Old - Node20
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@v3
with:
node-version: '20' # Update to 24
# New - Node24
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@v4
with:
node-version: '24' # Current LTS
```
### Runner Version Compatibility
```yaml
# Ensure runner supports Node24
jobs:
test:
runs-on: ubuntu-latest # Runner v2.328.0+ supports Node24
steps:
- name: Verify Node version
run: node --version # Should show v24.x.x
```
### Custom Actions Migration
If you maintain custom actions:
```javascript
// action.yml
runs:
using: 'node24' // Updated from 'node20'
main: 'index.js'
```
```bash
# Update dependencies
npm install @actions/core@latest
npm install @actions/github@latest
# Test with Node24
node --version # Ensure 24.x
npm test
```
## Actions Environment Variables (May 2025)
**What:** Actions environments now available for all plans (public and private repos).
### Environment Protection Rules
```yaml
# .github/workflows/deploy.yml
name: Deploy to Production
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
environment:
name: production
url: https://app.example.com
steps:
- name: Deploy
run: |
echo "Deploying to ${{ vars.DEPLOY_URL }}"
# Deployment steps...
```
**Environment configuration:**
- Settings → Environments → production
- Add protection rules:
- Required reviewers
- Wait timer
- Deployment branches (only main)
## Allowed Actions Policy Updates (August 2025)
**What:** Enhanced governance with explicit blocking and SHA pinning.
### Block Specific Actions
```yaml
# .github/workflows/policy.yml
# Repository or organization settings
allowed-actions:
verified-only: true
# Explicitly block actions
blocked-actions:
- 'untrusted/action@*'
- 'deprecated-org/*'
# Require SHA pinning for security
require-sha-pinning: true
```
### SHA Pinning for Security
```yaml
# Before: Version pinning (can be changed by action maintainer)
- uses: actions/checkout@v4
# After: SHA pinning (immutable)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```
### Generate SHA-Pinned Actions
```bash
# Get commit SHA for specific version
gh api repos/actions/checkout/commits/v4.1.1 --jq '.sha'
# Or use action-security tool
npx pin-github-action actions/checkout@v4
# Output: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
## Copilot-Triggered Workflows (April 2025)
**What:** Workflows triggered by Copilot-authored events now require explicit approval.
### Configure Copilot Workflow Approval
```yaml
# .github/workflows/copilot-automation.yml
name: Copilot PR Automation
on:
pull_request:
types: [opened]
jobs:
copilot-review:
runs-on: ubuntu-latest
# Copilot-generated PRs require approval
if: github.event.pull_request.user.login != 'github-copilot[bot]'
steps:
- name: Auto-review
run: gh pr review --approve
```
**Manual approval required for Copilot PRs** (same mechanism as fork PRs).
## Artifact Storage Architecture (February 2025)
**What:** Artifacts moved to new architecture on February 1, 2025.
**Breaking changes:**
- `actions/upload-artifact@v1-v2` retired March 1, 2025
- Must use `actions/upload-artifact@v4+`
### Migration
```yaml
# Old (Retired)
- uses: actions/upload-artifact@v2
with:
name: build-artifacts
path: dist/
# New (Required)
- uses: actions/upload-artifact@v4
with:
name: build-artifacts
path: dist/
retention-days: 30
```
## Windows Server 2019 Retirement (June 2025)
**What:** `windows-2019` runner image fully retired June 30, 2025.
### Migration
```yaml
# Old
jobs:
build:
runs-on: windows-2019 # Retired
# New
jobs:
build:
runs-on: windows-2022 # Current
# Or windows-latest (recommended)
```
## Meta API for Self-Hosted Runners (May 2025)
**What:** New `actions_inbound` section in meta API for network configuration.
```bash
# Get network requirements for self-hosted runners
curl https://api.github.com/meta | jq '.actions_inbound'
# Configure firewall rules based on response
{
"domains": [
"*.actions.githubusercontent.com",
"*.pkg.github.com"
],
"ip_ranges": [
"140.82.112.0/20",
"143.55.64.0/20"
]
}
```
## Best Practices for 2025
### 1. Use Appropriate Runners
```yaml
# Use 1 vCPU for lightweight tasks
jobs:
label-management:
runs-on: ubuntu-latest-1-core
timeout-minutes: 5
# Use standard runners for builds/tests
build:
runs-on: ubuntu-latest
```
### 2. Immutable Releases for Production
```yaml
# Always mark production releases as immutable
- name: Create Release
run: gh release create $TAG --immutable
```
### 3. SHA Pinning for Security
```yaml
# Pin actions to SHA, not tags
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
```
### 4. Update to Node24
```yaml
# Use latest Node version
- uses: actions/setup-node@v4
with:
node-version: '24'
```
### 5. Environment Protection
```yaml
# Use environments for deployments
jobs:
deploy:
environment: production
# Requires approval, wait timer, branch restrictions
```
## Troubleshooting
**1 vCPU runner timeout:**
```yaml
# Ensure task completes within 15 minutes
jobs:
task:
runs-on: ubuntu-latest-1-core
timeout-minutes: 10 # Safety margin
```
**Node24 compatibility issues:**
```bash
# Test locally with Node24
nvm install 24
nvm use 24
npm test
```
**Artifact upload failures:**
```yaml
# Use v4 of artifact actions
- uses: actions/upload-artifact@v4 # Not v1/v2
```
## Resources
- [GitHub Actions 1 vCPU Runners](https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/)
- [Immutable Releases](https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/)
- [Node24 Migration](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/)

382
skills/github-ai-features-2025.md Normal file
View File

@@ -0,0 +1,382 @@
---
name: github-ai-features-2025
description: GitHub AI-powered security and automation features for 2025
---
## 🚨 CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# GitHub AI Features 2025
## Trunk-Based Development (TBD)
Modern workflow used by largest tech companies (Google: 35,000+ developers):
### Principles
1. **Short-lived branches:** Hours to 1 day maximum
2. **Small, frequent commits:** Reduce merge conflicts
3. **Continuous integration:** Always deployable main branch
4. **Feature flags:** Hide incomplete features
### Implementation
```bash
# Create task branch from main
git checkout main
git pull origin main
git checkout -b task/add-login-button
# Make small changes
git add src/components/LoginButton.tsx
git commit -m "feat: add login button component"
# Push and create PR (same day)
git push origin task/add-login-button
gh pr create --title "Add login button" --body "Implements login UI"
# Merge within hours, delete branch
gh pr merge --squash --delete-branch
```
### Benefits
- Reduced merge conflicts (75% decrease)
- Faster feedback cycles
- Easier code reviews (smaller changes)
- Always releasable main branch
- Simplified CI/CD pipelines
## GitHub Secret Protection (AI-Powered)
AI detects secrets before they reach repository:
### Push Protection
```bash
# Attempt to commit secret
git add config.py
git commit -m "Add config"
git push
# GitHub AI detects secret:
"""
⛔ Push blocked by secret scanning
Found: AWS Access Key
Pattern: AKIA[0-9A-Z]{16}
File: config.py:12
Options:
1. Remove secret and try again
2. Mark as false positive (requires justification)
3. Request review from admin
"""
# Fix: Use environment variables
# config.py
import os
aws_key = os.environ.get('AWS_ACCESS_KEY')
git add config.py
git commit -m "Use env vars for secrets"
git push # ✅ Success
```
### Supported Secret Types (AI-Enhanced)
- AWS credentials
- Azure service principals
- Google Cloud keys
- GitHub tokens
- Database connection strings
- API keys (OpenAI, Stripe, etc.)
- Private keys (SSH, TLS)
- OAuth tokens
- Custom patterns (regex-based)
## GitHub Code Security
### CodeQL Code Scanning
AI-powered static analysis:
```yaml
# .github/workflows/codeql.yml
name: "CodeQL"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript, python, java
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
```
**Detects:**
- SQL injection
- XSS vulnerabilities
- Path traversal
- Command injection
- Insecure deserialization
- Authentication bypass
- Logic errors
### Copilot Autofix
AI automatically fixes security vulnerabilities:
```python
# Vulnerable code detected by CodeQL
def get_user(user_id):
query = f"SELECT * FROM users WHERE id = {user_id}" # ❌ SQL injection
return db.execute(query)
# Copilot Autofix suggests:
def get_user(user_id):
query = "SELECT * FROM users WHERE id = ?"
return db.execute(query, (user_id,)) # ✅ Parameterized query
# One-click to apply fix
```
## GitHub Agents (Automated Workflows)
AI agents for automated bug fixes and PR generation:
### Bug Fix Agent
```yaml
# .github/workflows/ai-bugfix.yml
name: AI Bug Fixer
on:
issues:
types: [labeled]
jobs:
autofix:
if: contains(github.event.issue.labels.*.name, 'bug')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Analyze Bug
uses: github/ai-agent@v1
with:
task: 'analyze-bug'
issue-number: ${{ github.event.issue.number }}
- name: Generate Fix
uses: github/ai-agent@v1
with:
task: 'generate-fix'
create-pr: true
pr-title: "Fix: ${{ github.event.issue.title }}"
```
### Automated PR Generation
```bash
# GitHub Agent creates PR automatically
# When issue is labeled "enhancement":
# 1. Analyzes issue description
# 2. Generates implementation code
# 3. Creates tests
# 4. Opens PR with explanation
# Example: Issue #42 "Add dark mode toggle"
# Agent creates PR with:
# - DarkModeToggle.tsx component
# - ThemeContext.tsx provider
# - Tests for theme switching
# - Documentation update
```
## Dependency Review (AI-Enhanced)
AI analyzes dependency changes in PRs:
```yaml
# .github/workflows/dependency-review.yml
name: Dependency Review
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
fail-on-severity: high
fail-on-scopes: runtime
```
**AI Insights:**
- Known vulnerabilities in new dependencies
- License compliance issues
- Breaking changes in updates
- Alternative safer packages
- Dependency freshness score
## Trunk-Based Development Workflow
### Daily Workflow
```bash
# Morning: Sync with main
git checkout main
git pull origin main
# Create task branch
git checkout -b task/user-profile-api
# Work in small iterations (2-4 hours)
# First iteration: API endpoint
git add src/api/profile.ts
git commit -m "feat: add profile API endpoint"
git push origin task/user-profile-api
gh pr create --title "Add user profile API" --draft
# Continue work: Add tests
git add tests/profile.test.ts
git commit -m "test: add profile API tests"
git push
# Mark ready for review
gh pr ready
# Get review (should happen within hours)
# Merge same day
gh pr merge --squash --delete-branch
# Next task: Start fresh from main
git checkout main
git pull origin main
git checkout -b task/profile-ui
```
### Small, Frequent Commits Pattern
```bash
# ❌ Bad: Large infrequent commit
git add .
git commit -m "Add complete user profile feature with API, UI, tests, docs"
# 50 files changed, 2000 lines
# ✅ Good: Small frequent commits
git add src/api/profile.ts
git commit -m "feat: add profile API endpoint"
git push
git add src/components/ProfileCard.tsx
git commit -m "feat: add profile card component"
git push
git add tests/profile.test.ts
git commit -m "test: add profile tests"
git push
git add docs/profile.md
git commit -m "docs: document profile API"
git push
# Each commit: 1-3 files, 50-200 lines
# Easier reviews, faster merges, less conflicts
```
## Security Best Practices (2025)
1. **Enable Secret Scanning:**
```bash
# Repository Settings → Security → Secret scanning
# Enable: Push protection + AI detection
```
2. **Configure CodeQL:**
```bash
# Add .github/workflows/codeql.yml
# Enable for all languages in project
```
3. **Use Copilot Autofix:**
```bash
# Review security alerts weekly
# Apply Copilot-suggested fixes
# Test before merging
```
4. **Implement Trunk-Based Development:**
```bash
# Branch lifespan: <1 day
# Commit frequency: Every 2-4 hours
# Main branch: Always deployable
```
5. **Leverage GitHub Agents:**
```bash
# Automate: Bug triage, PR creation, dependency updates
# Review: All AI-generated code before merging
```
## Resources
- [Trunk-Based Development](https://trunkbaseddevelopment.com)
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)
- [GitHub Copilot for Security](https://github.com/features/security)