github-actions

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

GitHub Actions Workflow Authoring

GitHub Actions工作流编写

Generate production-grade GitHub Actions workflows from systematic repository analysis. Every workflow is security-hardened, performance-optimized, and verified against the codebase.

通过系统化的仓库分析生成生产级GitHub Actions工作流。每个工作流都经过安全加固、性能优化，并针对代码库进行验证。

Workflow Router

工作流路由

Determine the workflow type before starting. This drives which phases apply, which templates to use, and whether to write from scratch or edit existing workflows.

Do any GitHub Actions workflows already exist?
  (.github/workflows/*.yml or .github/workflows/*.yaml)
  |
  NO --> GREENFIELD (no workflows exist)
  |       Phases: Discover -> Plan -> Write -> Verify
  |
  YES --> What type of change?
           |
           +-> New feature/service needs a pipeline
           |     --> WORKFLOW ENHANCEMENT (brownfield)
           |     Phases: Discover -> Audit Existing -> Plan (delta) -> Write -> Verify
           |
           +-> Existing workflow needs fixing/updating
           |     --> WORKFLOW UPDATE (brownfield)
           |     Phases: Discover -> Audit Existing -> Plan (delta) -> Write (edit) -> Verify
           |
           +-> Workflows exist but have security/performance issues
           |     --> WORKFLOW AUDIT (brownfield)
           |     Phases: Discover -> Audit Existing -> Plan (assessment) -> Write (edit) -> Verify
           |
           +-> User wants a specific workflow rewritten
           |     --> TARGETED REWRITE (brownfield)
           |     Phases: Discover -> Audit Existing (single workflow) -> Write (replace) -> Verify
           |
           +-> User wants a specific new workflow type
           |     --> TARGETED NEW WORKFLOW
           |     Phases: Discover -> Write (specific) -> Verify
           |
           +-> Migrating from another CI system
                 --> CI MIGRATION
                 Phases: Discover -> Audit Source CI -> Plan -> Write -> Verify

Signal detection:

Signal in request	Likely type
"Add CI", "add GitHub Actions", "set up CI/CD" (no workflows exist)	Greenfield
"Add CI", "add pipeline" (workflows already exist)	Workflow Enhancement
"Fix the CI", "workflow is broken", "build fails"	Workflow Update
"Workflow is slow", "optimize CI", "reduce build time"	Workflow Audit
"Security audit", "harden workflows", "pin actions"	Workflow Audit
"Rewrite the CI", "redo the pipeline"	Targeted Rewrite
"Add deploy workflow", "add release pipeline"	Targeted New Workflow
"Add Docker build", "publish to npm/PyPI"	Targeted New Workflow
"Migrate from Jenkins/CircleCI/GitLab"	CI Migration
"Add a cron job", "scheduled workflow"	Targeted New Workflow

开始前先确定工作流类型。这将决定适用的阶段、使用的模板，以及是从头编写还是编辑现有工作流。

是否已存在GitHub Actions工作流？
  (.github/workflows/*.yml 或 .github/workflows/*.yaml)
  |
  否 --> 全新项目（无工作流）
  |       阶段：发现 -> 规划 -> 编写 -> 验证
  |
  是 --> 需要哪种类型的变更？
           |
           +-> 新功能/服务需要流水线
           |     --> 工作流增强（存量项目）
           |     阶段：发现 -> 审计现有工作流 -> 规划（增量）-> 编写 -> 验证
           |
           +-> 现有工作流需要修复/更新
           |     --> 工作流更新（存量项目）
           |     阶段：发现 -> 审计现有工作流 -> 规划（增量）-> 编写（编辑）-> 验证
           |
           +-> 工作流存在但有安全/性能问题
           |     --> 工作流审计（存量项目）
           |     阶段：发现 -> 审计现有工作流 -> 规划（评估）-> 编写（编辑）-> 验证
           |
           +-> 用户希望重写特定工作流
           |     --> 定向重写（存量项目）
           |     阶段：发现 -> 审计现有工作流（单个）-> 编写（替换）-> 验证
           |
           +-> 用户需要特定类型的新工作流
           |     --> 定向新增工作流
           |     阶段：发现 -> 编写（特定类型）-> 验证
           |
           +-> 从其他CI系统迁移
                 --> CI迁移
                 阶段：发现 -> 审计源CI系统 -> 规划 -> 编写 -> 验证

信号检测：

请求中的信号	可能的类型
"Add CI"、"add GitHub Actions"、"set up CI/CD"（无现有工作流）	全新项目
"Add CI"、"add pipeline"（已有工作流）	工作流增强
"Fix the CI"、"workflow is broken"、"build fails"	工作流更新
"Workflow is slow"、"optimize CI"、"reduce build time"	工作流审计
"Security audit"、"harden workflows"、"pin actions"	工作流审计
"Rewrite the CI"、"redo the pipeline"	定向重写
"Add deploy workflow"、"add release pipeline"	定向新增工作流
"Add Docker build"、"publish to npm/PyPI"	定向新增工作流
"Migrate from Jenkins/CircleCI/GitLab"	CI迁移
"Add a cron job"、"scheduled workflow"	定向新增工作流

Phase 0: Discover Repository

阶段0：仓库发现

Always run this phase. Before writing any workflow, build a complete picture of the project. See references/repo-discovery.md for the full discovery method.

必须执行此阶段。 在编写任何工作流之前，全面了解项目情况。完整的发现方法请参考references/repo-discovery.md。

What to discover

需要发现的内容

Language and ecosystem: Identify from manifest files (package.json, pyproject.toml, go.mod, Cargo.toml, pom.xml, build.gradle, etc.)
Package manager: npm/yarn/pnpm, pip/poetry/uv, go mod, cargo, maven/gradle
Framework: Detect from dependencies and config files (Next.js, Django, Spring Boot, Rails, etc.)
Build system: Webpack, Vite, Turborepo, Nx, Gradle, Maven, Make, etc.
Test setup: Test framework, runner command, test config files
Lint/format tools: ESLint, Prettier, Ruff, Black, golangci-lint, etc.
Containerization: Dockerfile presence, docker-compose, Kubernetes manifests
Infrastructure as Code: Terraform, Pulumi, CloudFormation, CDK
Monorepo signals: Multiple package.json files, workspace configs, Nx/Turborepo/Lerna config
Deployment targets: Cloud provider configs, serverless.yml, Kubernetes, Vercel/Netlify config
Existing workflows: Current .github/workflows/*.yml files
Branch strategy: Default branch (main/master), protected branches, release branch patterns
Release patterns: Tags, GitHub Releases, changelogs, version files

语言与生态系统：从清单文件（package.json、pyproject.toml、go.mod、Cargo.toml、pom.xml、build.gradle等）识别
包管理器：npm/yarn/pnpm、pip/poetry/uv、go mod、cargo、maven/gradle
框架：从依赖和配置文件检测（Next.js、Django、Spring Boot、Rails等）
构建系统：Webpack、Vite、Turborepo、Nx、Gradle、Maven、Make等
测试设置：测试框架、运行命令、测试配置文件
代码检查/格式化工具：ESLint、Prettier、Ruff、Black、golangci-lint等
容器化：Dockerfile存在情况、docker-compose、Kubernetes清单
基础设施即代码：Terraform、Pulumi、CloudFormation、CDK
单体仓库信号：多个package.json文件、工作区配置、Nx/Turborepo/Lerna配置
部署目标：云提供商配置、serverless.yml、Kubernetes、Vercel/Netlify配置
现有工作流：当前.github/workflows/*.yml文件
分支策略：默认分支（main/master）、受保护分支、发布分支模式
发布模式：标签、GitHub Releases、变更日志、版本文件

How to explore

探索方法

Read README.md and CLAUDE.md first (if they exist)
Read manifest files (package.json, pyproject.toml, go.mod, etc.)
Scan
```
.github/
```
directory for existing workflows, actions, dependabot config
Check for Dockerfiles, docker-compose files, Kubernetes manifests
Look for IaC files (*.tf, serverless.yml, template.yaml)
Check for monorepo indicators (workspaces, nx.json, turbo.json, lerna.json)
Read 2-3 key source files to understand project patterns
Check existing CI config from other systems (.circleci/, Jenkinsfile, .gitlab-ci.yml, .travis.yml)

首先阅读README.md和CLAUDE.md（如果存在）
阅读清单文件（package.json、pyproject.toml、go.mod等）
扫描
```
.github/
```
目录查找现有工作流、动作、dependabot配置
检查Dockerfile、docker-compose文件、Kubernetes清单
查找IaC文件（*.tf、serverless.yml、template.yaml）
检查单体仓库指标（工作区、nx.json、turbo.json、lerna.json）
阅读2-3个关键源文件了解项目模式
检查其他系统的现有CI配置（.circleci/、Jenkinsfile、.gitlab-ci.yml、.travis.yml）

Repository discovery algorithm

仓库发现算法

Follow the deterministic detection sequence in references/repo-discovery.md:

1. Scan root for manifest files -> identify language(s)
2. Read manifest -> identify package manager, deps, scripts
3. Check for test/lint config files -> identify quality tools
4. Check for Dockerfile -> plan container build
5. Check for IaC files -> plan infrastructure pipeline
6. Check for monorepo config -> plan multi-package strategy
7. Check for deployment config -> plan CD pipeline
8. Check for existing CI -> plan migration or enhancement

遵循references/repo-discovery.md中的确定性检测顺序：

1. 扫描根目录的清单文件 -> 识别语言
2. 读取清单文件 -> 识别包管理器、依赖、脚本
3. 检查测试/代码检查配置文件 -> 识别质量工具
4. 检查Dockerfile -> 规划容器构建
5. 检查IaC文件 -> 规划基础设施流水线
6. 检查单体仓库配置 -> 规划多包策略
7. 检查部署配置 -> 规划CD流水线
8. 检查现有CI -> 规划迁移或增强

Output: Repository Profile

输出：仓库概况

Produce a mental model (do not write a file unless requested):

Languages: [detected languages and versions]
Package managers: [npm/yarn/pnpm, pip/poetry/uv, etc.]
Framework: [framework and version]
Build tool: [build system]
Test framework: [test runner and command]
Lint/format: [tools and commands]
Container: [Dockerfile location, registry target]
IaC: [Terraform/Pulumi/etc. and directory]
Monorepo: [yes/no, tool, packages]
Deploy target: [cloud provider, platform, method]
Existing CI: [workflow files and their purpose]
Branch strategy: [default branch, release pattern]

This profile drives every subsequent phase.

形成心智模型（除非用户要求，否则无需写入文件）：

语言：[检测到的语言及版本]
包管理器：[npm/yarn/pnpm、pip/poetry/uv等]
框架：[框架及版本]
构建工具：[构建系统]
测试框架：[测试运行器及命令]
代码检查/格式化：[工具及命令]
容器：[Dockerfile位置、镜像仓库目标]
IaC：[Terraform/Pulumi等及目录]
单体仓库：[是/否、工具、包]
部署目标：[云提供商、平台、方法]
现有CI：[工作流文件及其用途]
分支策略：[默认分支、发布模式]

此概况将指导后续所有阶段。

Phase 1: Audit Existing Workflows (Brownfield Only)

阶段1：审计现有工作流（仅存量项目）

Skip this phase for greenfield projects.

Before planning or writing anything, understand what workflows already exist and assess their state.

全新项目跳过此阶段。

在规划或编写任何内容之前，了解现有工作流的情况并评估其状态。

Read every existing workflow

读取所有现有工作流

For each

.github/workflows/*.yml

file found in Phase 0:

Read it fully. Parse the YAML structure: triggers, permissions, jobs, steps, secrets usage, caching, matrix strategies.
Classify its purpose: CI (test/lint/build), CD (deploy), Release (publish/tag), Maintenance (dependabot, stale issues), Scheduled (cron jobs).
Note its conventions: naming style, job naming, step naming, comment style, environment variable patterns.
Assess security posture: permissions declared? Actions pinned by SHA? Secrets handling? Fork protections? OIDC usage?
Assess performance: caching used? Unnecessary steps? Job parallelism? Matrix strategy? Concurrency groups?

对于阶段0中找到的每个

.github/workflows/*.yml

文件：

完整读取。解析YAML结构：触发器、权限、任务、步骤、密钥使用、缓存、矩阵策略。
分类用途：CI（测试/代码检查/构建）、CD（部署）、发布（发布/打标签）、维护（dependabot、过期问题处理）、定时（cron任务）。
记录约定：命名风格、任务命名、步骤命名、注释风格、环境变量模式。
评估安全态势：是否声明权限？动作是否固定到SHA？密钥处理？分支保护？OIDC使用？
评估性能：是否使用缓存？有无不必要的步骤？任务并行性？矩阵策略？并发组？

Existing workflow inventory

现有工作流清单

Build a mental inventory:

Existing Workflow Inventory
  [file path] | [purpose] | [triggers] | [security: good/fair/poor] | [performance: good/fair/poor]
  ci.yml       | CI        | push, PR   | fair (unpinned actions)    | fair (no caching)
  deploy.yml   | CD        | push main  | good (OIDC, pinned)        | good
  ...

构建心智清单：

现有工作流清单
  [文件路径] | [用途] | [触发器] | [安全状态：良好/一般/较差] | [性能状态：良好/一般/较差]
  ci.yml       | CI        | push, PR   | 一般（未固定动作）    | 一般（无缓存）
  deploy.yml   | CD        | push main  | 良好（OIDC、已固定）        | 良好
  ...

What to preserve in brownfield

存量项目中需要保留的内容

Content Type	Example	Preserve?
Working trigger logic	Path filters, branch filters	Always
Environment-specific secrets	AWS credentials, deploy tokens	Always
Custom scripts/steps	Project-specific build logic	Always
Concurrency groups	Existing cancel-in-progress logic	Always
Job dependencies	Established `needs:` chains	Default yes
Unpinned actions	`uses: actions/checkout@v4`	Replace with SHA pin
Overly broad permissions	`permissions: write-all`	Replace with least privilege
Duplicated logic	Same steps in multiple workflows	Refactor to reusable
Dead workflows	Workflows for removed features	Remove

Rule: Working workflows are valuable. A workflow that runs correctly is better than a theoretically perfect one that breaks. Preserve working logic and improve incrementally.

内容类型	示例	是否保留？
可用的触发器逻辑	路径过滤、分支过滤	始终保留
环境特定密钥	AWS凭证、部署令牌	始终保留
自定义脚本/步骤	项目特定构建逻辑	始终保留
并发组	现有取消进行中任务的逻辑	始终保留
任务依赖	已确立的 `needs:` 链	默认保留
未固定的动作	`uses: actions/checkout@v4`	替换为SHA固定
过于宽泛的权限	`permissions: write-all`	替换为最小权限
重复逻辑	多个工作流中的相同步骤	重构为可复用
废弃工作流	针对已移除功能的工作流	删除

规则：可用的工作流具有价值。 能正确运行的工作流比理论完美但会出错的工作流更好。保留可用逻辑并逐步改进。

Brownfield conventions contract

存量项目约定契约

Extract the workflow conventions from existing files and follow them:

File naming: kebab-case? snake_case? What prefix/suffix patterns?
Job naming: How are jobs named? Descriptive or terse?
Step naming: Named steps or anonymous? Style of names?
Comment style: Are inline comments used? YAML comments?
Secret naming: Convention for secret names (SCREAMING_SNAKE, etc.)?
Environment patterns: How environments are used (if at all)?

Match existing conventions. Do NOT impose new conventions on a brownfield project unless the user explicitly requests a style change.

从现有文件中提取工作流约定并遵循：

文件命名：短横线分隔？下划线分隔？前缀/后缀模式？
任务命名：任务如何命名？描述性还是简洁？
步骤命名：命名步骤还是匿名？命名风格？
注释风格：是否使用行内注释？YAML注释？
密钥命名：密钥命名约定（大写下划线等）？
环境模式：如何使用环境（如果有）？

匹配现有约定。 除非用户明确要求更改风格，否则不要在存量项目中强加新约定。

Phase 2: Plan Workflows

阶段2：规划工作流

Greenfield planning

全新项目规划

Derive a complete CI/CD plan from the repository discovery.

从仓库发现结果中推导完整的CI/CD规划。

Pipeline architecture

流水线架构

Every project needs at minimum:

CI workflow (pull request validation):
- Lint/format check
- Type check (if applicable)
- Unit tests
- Build verification
CI workflow (main branch):
- Everything in PR CI, plus:
- Integration tests (if applicable)
- Artifact building
- Trigger CD (if applicable)
CD workflow (if deployment target exists):
- Build artifacts/containers
- Deploy to environments (staging, production)
- Environment protection rules
Release workflow (if library or publishable):
- Version bumping
- Package publishing (npm, PyPI, Maven, crates.io)
- GitHub Release creation
Maintenance workflows (recommended):
- Dependabot configuration
- Stale issue/PR management
- Scheduled security scans

每个项目至少需要：

CI工作流（拉取请求验证）：
- 代码检查/格式化校验
- 类型检查（如适用）
- 单元测试
- 构建验证
CI工作流（主分支）：
- PR CI的所有内容，加上：
- 集成测试（如适用）
- 制品构建
- 触发CD（如适用）
CD工作流（如果有部署目标）：
- 构建制品/容器
- 部署到环境（ staging、生产）
- 环境保护规则
发布工作流（如果是库或可发布产品）：
- 版本升级
- 包发布（npm、PyPI、Maven、crates.io）
- 创建GitHub Release
维护工作流（推荐）：
- Dependabot配置
- 过期问题/PR管理
- 定时安全扫描

Workflow plan algorithm

工作流规划算法

Based on the repository profile from Phase 0:

FOR EACH detected language:
  -> Add CI job: setup + install + lint + test + build
  -> Select template from references/workflow-templates.md

IF Dockerfile exists:
  -> Add Docker build/push job
  -> Select registry (GHCR by default)

IF IaC files exist:
  -> Add infrastructure validation job (plan on PR, apply on merge)

IF monorepo detected:
  -> Add change detection job
  -> Make CI jobs conditional on changed paths
  -> See references/pipeline-patterns.md for monorepo patterns

IF deployment target detected:
  -> Add CD workflow with environment protection
  -> See references/pipeline-patterns.md for deployment patterns

IF library (not service):
  -> Add release/publish workflow triggered by tags

ALWAYS:
  -> Apply security hardening (references/security-hardening.md)
  -> Add concurrency groups
  -> Add caching for dependencies
  -> Set explicit permissions (least privilege)

基于阶段0的仓库概况：

对于每个检测到的语言：
  -> 添加CI任务：环境搭建 + 依赖安装 + 代码检查 + 测试 + 构建
  -> 从references/workflow-templates.md选择模板

如果存在Dockerfile：
  -> 添加Docker构建/推送任务
  -> 选择镜像仓库（默认GHCR）

如果存在IaC文件：
  -> 添加基础设施验证任务（PR时执行plan，合并时执行apply）

如果检测到单体仓库：
  -> 添加变更检测任务
  -> 使CI任务基于变更路径条件执行
  -> 参考references/pipeline-patterns.md中的单体仓库模式

如果检测到部署目标：
  -> 添加带环境保护的CD工作流
  -> 参考references/pipeline-patterns.md中的部署模式

如果是库（非服务）：
  -> 添加由标签触发的发布/推送工作流

始终：
  -> 应用安全加固（references/security-hardening.md）
  -> 添加并发组
  -> 添加依赖缓存
  -> 设置明确的最小权限

Plan output

规划输出

Workflow Plan
- .github/workflows/ci.yml — CI pipeline (lint, test, build) on PR + push main
- .github/workflows/deploy.yml — Deploy to staging/prod with environment protection
- .github/workflows/release.yml — Publish package on tag push
- .github/dependabot.yml — Dependency update automation

Present the plan to the user for approval before writing.

工作流规划
- .github/workflows/ci.yml — CI流水线（代码检查、测试、构建），触发条件为PR + 推送到main分支
- .github/workflows/deploy.yml — 部署到staging/生产环境，带环境保护
- .github/workflows/release.yml — 推送标签时发布包
- .github/dependabot.yml — 依赖更新自动化

编写前先向用户展示规划并获得批准。

Brownfield planning

存量项目规划

Use the workflow inventory from Phase 1. Do NOT plan from scratch. Plan only what changes.

使用阶段1的工作流清单。 不要从头规划，只规划需要变更的内容。

Workflow Enhancement: Delta plan

工作流增强：增量规划

When adding a new workflow to an existing set:

Identify which EXISTING workflows might be affected (shared secrets, concurrency groups, deployment targets)
Identify the NEW workflow to create
For existing workflows, specify ONLY what changes (if anything)

Workflow Delta Plan
- .github/workflows/ci.yml — KEEP (no changes needed)
- .github/workflows/deploy.yml — MODIFY: add staging environment before prod
- .github/workflows/docker.yml — CREATE: Docker build + push to GHCR

当向现有工作流集中添加新工作流时：

识别可能受影响的现有工作流（共享密钥、并发组、部署目标）
确定要创建的新工作流
对于现有工作流，仅指定需要变更的内容（如有）

工作流增量规划
- .github/workflows/ci.yml — 保留（无需变更）
- .github/workflows/deploy.yml — 修改：在生产环境前添加staging环境
- .github/workflows/docker.yml — 创建：Docker构建 + 推送到GHCR

Workflow Audit: Assessment plan

工作流审计：评估规划

When auditing existing workflows for security/performance:

List all issues found in Phase 1 with severity
Propose fixes grouped by category (Security > Performance > Maintenance)
For each workflow: KEEP (as-is), EDIT (fix issues), REWRITE (replace), DELETE (remove dead workflow)
Present to user for approval

Audit Findings & Plan
  ci.yml:
    - [Critical] Actions not pinned to SHA → EDIT: pin all actions
    - [High] No permissions declared → EDIT: add least-privilege permissions
    - [Medium] No dependency caching → EDIT: add cache configuration
  deploy.yml:
    - [High] Uses long-lived AWS keys → EDIT: migrate to OIDC
    - [Low] No concurrency group → EDIT: add concurrency
  old-ci.yml:
    - [Low] Duplicate of ci.yml → DELETE

当审计现有工作流的安全/性能时：

列出阶段1中发现的所有问题及严重程度
按类别提出修复方案（安全 > 性能 > 维护）
对于每个工作流：保留（原样）、编辑（修复问题）、重写（替换）、删除（移除废弃工作流）
向用户展示并获得批准

审计结果与规划
  ci.yml:
    - [严重] 动作未固定到SHA → 编辑：固定所有动作
    - [高] 未声明权限 → 编辑：添加最小权限
    - [中] 无依赖缓存 → 编辑：添加缓存配置
  deploy.yml:
    - [高] 使用长期AWS密钥 → 编辑：迁移到OIDC
    - [低] 无并发组 → 编辑：添加并发
  old-ci.yml:
    - [低] 与ci.yml重复 → 删除

Targeted Rewrite: Single-workflow plan

定向重写：单工作流规划

When the user asks to rewrite a specific workflow:

Read the existing workflow fully (done in Phase 1)
Identify what to PRESERVE (working trigger logic, secrets, custom scripts)
Identify what to REPLACE (insecure patterns, poor performance, outdated actions)
Identify what to ADD (missing security, caching, concurrency)
Present the plan

Rewrite Plan: ci.yml
  PRESERVE: Trigger logic (push/PR), test matrix (Node 18/20), deploy job dependency
  REPLACE:  Unpinned actions (pin to SHA), npm install (use npm ci + caching),
            missing permissions (add least-privilege)
  ADD:      Concurrency group, artifact upload for test reports, type checking step

Get user approval before rewriting.

当用户要求重写特定工作流时：

完整读取现有工作流（阶段1已完成）
确定需要保留的内容（可用的触发器逻辑、密钥、自定义脚本）
确定需要替换的内容（不安全模式、性能差、过时动作）
确定需要添加的内容（缺失的安全措施、缓存、并发）
展示规划

重写规划：ci.yml
  保留：触发器逻辑（push/PR）、测试矩阵（Node 18/20）、部署任务依赖
  替换：未固定的动作（固定到SHA）、npm install（使用npm ci + 缓存）、缺失的权限（添加最小权限）
  添加：并发组、测试报告制品上传、类型检查步骤

重写前获得用户批准。

CI Migration plan

CI迁移规划

When migrating from another CI system:

Read the source CI config (.circleci/config.yml, Jenkinsfile, .gitlab-ci.yml)
Map each job/stage to a GitHub Actions equivalent
Identify feature gaps (some CI features don't map 1:1)
Plan the migration as a set of new workflows

Migration Plan: CircleCI → GitHub Actions
  CircleCI build job → .github/workflows/ci.yml (lint + test + build)
  CircleCI deploy job → .github/workflows/deploy.yml (with environment protection)
  CircleCI scheduled scan → .github/workflows/security.yml (cron schedule)
  Gap: CircleCI orbs used → Replace with equivalent GitHub Actions

Present the plan to the user for approval before writing.

当从其他CI系统迁移时：

读取源CI配置（.circleci/config.yml、Jenkinsfile、.gitlab-ci.yml）
将每个任务/阶段映射到GitHub Actions等效项
识别功能差距（部分CI功能无法1:1映射）
将迁移规划为一组新工作流

迁移规划：CircleCI → GitHub Actions
  CircleCI构建任务 → .github/workflows/ci.yml（代码检查 + 测试 + 构建）
  CircleCI部署任务 → .github/workflows/deploy.yml（带环境保护）
  CircleCI定时扫描 → .github/workflows/security.yml（cron调度）
  差距：使用了CircleCI orbs → 替换为等效的GitHub Actions

编写前向用户展示规划并获得批准。

Phase 3: Write Workflows

阶段3：编写工作流

Greenfield: Write from scratch

全新项目：从头编写

Write each planned workflow using the appropriate template and security rules. See references/workflow-templates.md for ecosystem-specific templates. See references/security-hardening.md for security rules. See references/pipeline-patterns.md for CI/CD patterns.

使用适当的模板和安全规则编写每个规划的工作流。生态系统特定模板请参考references/workflow-templates.md。安全规则请参考references/security-hardening.md。CI/CD模式请参考references/pipeline-patterns.md。

Writing sequence

编写顺序

Write workflows in this order:

CI workflow first (validates that the build/test pipeline works)
CD workflow (deployment depends on CI)
Release workflow (publishing depends on build)
Maintenance workflows (dependabot, security scans)

按以下顺序编写工作流：

先写CI工作流（验证构建/测试流水线可用）
CD工作流（部署依赖于CI）
发布工作流（发布依赖于构建）
维护工作流（dependabot、安全扫描）

Per-workflow process (greenfield)

单工作流编写流程（全新项目）

For each workflow:

Select template: Choose from references/workflow-templates.md based on language/ecosystem detected in Phase 0.
Customize for project: Replace template placeholders with actual commands, paths, versions from the repository profile.
Apply security hardening: Follow every rule in references/security-hardening.md:
- Set explicit
```
permissions:
```
  (least privilege)
- Pin all actions to full SHA
- Use OIDC for cloud auth where possible
- Protect secrets from fork exposure
- Guard against script injection
Add performance optimization:
- Add dependency caching (use setup action's built-in cache where available)
- Add concurrency groups to cancel stale runs
- Use matrix strategy for multi-version testing
- Add path filters to avoid unnecessary runs
Verify YAML syntax: Ensure valid YAML, proper indentation, correct GitHub Actions syntax.
Add inline comments: Explain non-obvious choices (why a specific SHA, why a particular cache key, why a permission).

对于每个工作流：

选择模板：根据阶段0检测到的语言/生态系统从references/workflow-templates.md选择。
针对项目定制：将模板占位符替换为仓库概况中的实际命令、路径、版本。
应用安全加固：遵循references/security-hardening.md中的每条规则：
- 设置明确的
```
permissions:
```
  （最小权限）
- 将所有动作固定到完整SHA
- 尽可能使用OIDC进行云认证
- 保护密钥不被分支暴露
- 防范脚本注入
添加性能优化：
- 添加依赖缓存（尽可能使用setup动作的内置缓存）
- 添加并发组以取消过期运行
- 使用矩阵策略进行多版本测试
- 添加路径过滤避免不必要的运行
验证YAML语法：确保YAML有效、缩进正确、GitHub Actions语法正确。
添加行内注释：解释非显而易见的选择（为什么使用特定SHA、为什么使用特定缓存键、为什么设置某个权限）。

Brownfield: Edit existing workflows

存量项目：编辑现有工作流

Read before writing. For every workflow you modify, read it fully first (already done in Phase 1). Never modify a workflow you haven't read.

编写前先阅读。 对于每个要修改的工作流，先完整阅读（阶段1已完成）。永远不要修改未阅读过的工作流。

Per-workflow process (brownfield)

单工作流编写流程（存量项目）

For each workflow being modified:

Re-read the workflow. Confirm your understanding from Phase 1.
Apply only planned changes. Follow the delta plan from Phase 2. Do NOT restructure, restyle, or "improve" sections outside scope.
Match existing conventions. Use the same naming style, comment style, and patterns discovered in Phase 1.
Preserve working logic. Trigger conditions, environment variables, secrets references, and custom scripts survive unless explicitly marked for change.
Verify every edit. Each changed action version, command, or path must be verified against the codebase.
Minimize diff. Change only what needs changing. Smaller diffs are easier to review.

对于每个要修改的工作流：

重新阅读工作流。确认阶段1的理解。
仅应用规划的变更。遵循阶段2的增量规划。不要重构、重新格式化或改进范围外的部分。
匹配现有约定。使用阶段1发现的相同命名风格、注释风格和模式。
保留可用逻辑。触发条件、环境变量、密钥引用和自定义脚本除非明确标记为变更，否则保持不变。
验证每个编辑。每个修改的动作版本、命令或路径必须针对代码库进行验证。
最小化差异。只修改需要变更的内容。更小的差异更易于审核。

Brownfield-specific rules

存量项目特定规则

Edit, don't rewrite. Unless the user requests a rewrite, modify the existing workflow surgically. Fix the specific issues; leave working steps alone.
Match existing style. If existing workflows use
```
name: Build and Test
```
for jobs, continue that pattern. Do NOT switch to
```
name: build-and-test
```
because you prefer it.
Preserve structure. Keep the existing job ordering unless it's part of the planned changes.
Never silently remove steps. If a step needs removal, note it in your plan and confirm with the user. A step that looks unnecessary may have a non-obvious purpose.
Refactor only what you're asked to change. Do NOT improve adjacent workflows, fix unrelated issues, or add features not in the plan.

编辑而非重写。除非用户要求重写，否则仅对现有工作流进行精准修改。修复特定问题；保留可用步骤。
匹配现有风格。如果现有工作流使用
```
name: Build and Test
```
命名任务，继续使用该模式。不要因为个人偏好而切换为
```
name: build-and-test
```
。
保留结构。除非是规划变更的一部分，否则保持现有任务顺序。
永远不要静默删除步骤。如果需要删除步骤，在规划中注明并获得用户确认。看似不必要的步骤可能有非显而易见的用途。
仅重构要求变更的内容。不要改进相邻工作流、修复无关问题或添加规划外的功能。

Targeted Rewrite process

定向重写流程

When rewriting a specific workflow (user explicitly requested):

Create from the approved plan. Write the new version using the PRESERVE/REPLACE/ADD breakdown from Phase 2.
Start from the template in references/workflow-templates.md, then transplant preserved logic into the new structure.
For preserved content: Keep trigger logic, secrets, and custom scripts intact.
For replaced content: Write fresh from repository analysis.
For added content: Follow greenfield per-workflow process.
Present the full new workflow for review before replacing.

当重写特定工作流（用户明确要求）时：

根据批准的规划创建。使用阶段2的保留/替换/添加分解编写新版本。
从references/workflow-templates.md的模板开始，然后将保留的逻辑移植到新结构中。
保留内容：保持触发器逻辑、密钥和自定义脚本不变。
替换内容：根据仓库分析重新编写。
添加内容：遵循全新项目的单工作流编写流程。
替换前向用户展示完整的新工作流供审核。

Shared: Workflow structure conventions

通用：工作流结构约定

Every workflow file must follow this structure:

yaml

undefined

每个工作流文件必须遵循以下结构：

yaml

undefined

.github/workflows/<name>.yml

name: <Descriptive Name>

on:

Triggers section — always explicit, never use defaults

push: branches: [main] pull_request: branches: [main]

name: <描述性名称>

on:

触发器部分 — 始终明确，不要使用默认值

push: branches: [main] pull_request: branches: [main]

Workflow-level permissions — least privilege

工作流级权限 — 最小权限

permissions: contents: read

Concurrency — prevent queue buildup

并发 — 防止队列堆积

concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # Set to false for deploy/release/IaC workflows

jobs: <job-name>: name: <Human-Readable Job Name> runs-on: ubuntu-latest # Job-level permissions if different from workflow steps: - name: Checkout code uses: actions/checkout@<full-sha> # Always pinned # ... remaining steps

undefined

concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # 部署/发布/IaC工作流设置为false

jobs: <job-name>: name: <人类可读任务名称> runs-on: ubuntu-latest # 任务级权限（如果与工作流不同） steps: - name: 检出代码 uses: actions/checkout@<完整SHA> # 始终固定 # ... 剩余步骤

undefined

Shared: Action version pinning

通用：动作版本固定

Always pin actions to full commit SHA. Never use tags or branches in production workflows.

yaml

undefined

始终将动作固定到完整提交SHA。 生产工作流中永远不要使用标签或分支。

yaml

undefined

WRONG — tag can be moved to point at malicious code

错误 — 标签可被移动指向恶意代码

uses: actions/checkout@v4

CORRECT — immutable SHA reference

正确 — 不可变SHA引用

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


Include the tag version as an inline comment for readability.

See [references/security-hardening.md](references/security-hardening.md)
for the full SHA pinning guide and current action SHAs.

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


添加标签版本作为行内注释以提高可读性。

完整的SHA固定指南和当前动作SHA请参考[references/security-hardening.md](references/security-hardening.md)。

Shared: Caching strategy

通用：缓存策略

For each language ecosystem, use the appropriate caching approach:

Ecosystem	Cache Method	Cache Key
Node.js	`actions/setup-node` with `cache: 'npm'`	Lockfile hash (automatic)
Python	`actions/setup-python` with `cache: 'pip'`	requirements.txt hash (automatic)
Go	`actions/setup-go` with `cache: true`	go.sum hash (automatic)
Rust	`Swatinem/rust-cache`	Cargo.lock + rustc version (automatic)
Java/Gradle	`actions/setup-java` with `cache: 'gradle'`	Gradle files hash (automatic)
Java/Maven	`actions/setup-java` with `cache: 'maven'`	pom.xml hash (automatic)
.NET	`actions/setup-dotnet` (NuGet cache via `actions/cache` )	`packages.lock.json` hash
Ruby	`ruby/setup-ruby` with `bundler-cache: true`	Gemfile.lock hash (automatic)
Generic	`actions/cache`	Custom key based on lockfile hash

Prefer setup action caching over raw
actions/cache
where available. Setup actions handle cache paths and keys automatically.

对于每个语言生态系统，使用适当的缓存方法：

生态系统	缓存方法	缓存键
Node.js	`actions/setup-node` 搭配 `cache: 'npm'`	锁文件哈希（自动）
Python	`actions/setup-python` 搭配 `cache: 'pip'`	requirements.txt哈希（自动）
Go	`actions/setup-go` 搭配 `cache: true`	go.sum哈希（自动）
Rust	`Swatinem/rust-cache`	Cargo.lock + rustc版本（自动）
Java/Gradle	`actions/setup-java` 搭配 `cache: 'gradle'`	Gradle文件哈希（自动）
Java/Maven	`actions/setup-java` 搭配 `cache: 'maven'`	pom.xml哈希（自动）
.NET	`actions/setup-dotnet` （通过 `actions/cache` 实现NuGet缓存）	`packages.lock.json` 哈希
Ruby	`ruby/setup-ruby` 搭配 `bundler-cache: true`	Gemfile.lock哈希（自动）
通用	`actions/cache`	基于锁文件哈希的自定义键

优先使用setup动作的缓存而非原生
actions/cache
。 Setup动作会自动处理缓存路径和键。

Shared: Dependabot configuration

通用：Dependabot配置

Always recommend adding

.github/dependabot.yml

for automated dependency and action version updates:

yaml

version: 2
updates:
  # Keep GitHub Actions up to date
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Group minor/patch updates to reduce PR noise
    groups:
      actions:
        patterns:
          - "*"

  # Keep project dependencies up to date
  - package-ecosystem: "<ecosystem>"  # npm, pip, gomod, cargo, etc.
    directory: "/"
    schedule:
      interval: "weekly"

始终建议添加

.github/dependabot.yml

以实现依赖和动作版本的自动更新：

yaml

version: 2
updates:
  # 保持GitHub Actions更新
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # 分组次要/补丁更新以减少PR噪音
    groups:
      actions:
        patterns:
          - "*"

  # 保持项目依赖更新
  - package-ecosystem: "<生态系统>"  # npm、pip、gomod、cargo等
    directory: "/"
    schedule:
      interval: "weekly"

Phase 4: Verify Workflows

阶段4：验证工作流

After writing, verify every workflow against the codebase and GitHub Actions best practices.

编写完成后，针对代码库和GitHub Actions最佳实践验证每个工作流。

Verification checklist (all workflows)

验证清单（所有工作流）

Valid YAML: Proper indentation, no syntax errors
Triggers correct: Events match intended behavior (push, PR, tag, schedule)
Permissions declared: Explicit
```
permissions:
```
at workflow or job level
Least privilege: No unnecessary write permissions
Actions pinned: All
```
uses:
```
reference full SHA (not tags or branches)
Commands exist: Every
```
run:
```
command references valid scripts, tools, and paths
Secrets referenced correctly: All
```
${{ secrets.* }}
```
reference expected secret names
Caching configured: Dependencies are cached where possible
Concurrency set: Workflow has concurrency group to prevent queue buildup
Branch filters correct: Push/PR triggers reference correct branch names
Path filters appropriate: Path-based triggers match actual project structure
Matrix strategy sensible: Tested versions are current and supported
Artifact handling correct: Upload/download artifact names are consistent
Environment protection: Deploy jobs reference proper environments
No script injection: Untrusted input is never used in
```
run:
```
directly
No hardcoded secrets: No credentials in workflow files

有效YAML：缩进正确，无语法错误
触发器正确：事件匹配预期行为（push、PR、标签、调度）
已声明权限：在工作流或任务级别明确设置
```
permissions:
```
最小权限：无不必要的写入权限
动作已固定：所有
```
uses:
```
引用完整SHA（而非标签或分支）
命令存在：每个
```
run:
```
命令引用有效的脚本、工具和路径
密钥引用正确：所有
```
${{ secrets.* }}
```
引用预期的密钥名称
已配置缓存：尽可能缓存依赖
已设置并发：工作流有并发组以防止队列堆积
分支过滤正确：Push/PR触发器引用正确的分支名称
路径过滤适当：基于路径的触发器匹配实际项目结构
矩阵策略合理：测试的版本是当前且受支持的
制品处理正确：上传/下载制品名称一致
环境保护：部署任务引用正确的环境
无脚本注入：不可信输入从未直接用于
```
run:
```
无硬编码密钥：工作流文件中无凭证

Additional brownfield verification

存量项目额外验证

Verification method

验证方法

For each workflow:

Validate YAML syntax by reading it carefully for indentation and structure issues
Check all referenced paths exist in the repository (scripts, config files, directories)
Verify action references are valid (action exists, SHA is real)
Verify commands match the project's actual tools and scripts (check package.json scripts, Makefile targets, etc.)
Check secret names match what the project expects (documented in README or existing workflows)
Simulate trigger scenarios mentally: what happens on PR, push to main, tag push, schedule?
(Brownfield) Compare against original to confirm only planned changes were made

对于每个工作流：

验证YAML语法：仔细阅读检查缩进和结构问题
检查所有引用路径：确认仓库中存在（脚本、配置文件、目录）
验证动作引用：确保动作存在、SHA真实
验证命令：匹配项目实际使用的工具和脚本（检查package.json脚本、Makefile目标等）
检查密钥名称：匹配项目预期的名称（在README或现有工作流中记录）
模拟触发场景：思考PR、推送到main、推送标签、调度时会发生什么？
（存量项目）与原始版本对比：确认仅进行了规划的变更

Common errors to catch

需要捕捉的常见错误

Error	How to Detect
Unpinned action	`uses:` line has @vN instead of @sha
Missing permissions	No `permissions:` block at workflow or job level
Wrong branch name	Triggers reference `master` when default is `main`
Dead path filter	`paths:` references directory that doesn't exist
Wrong test command	`run: npm test` when project uses `pnpm test`
Missing cache	Setup action used without `cache:` parameter
Script injection	`${{ github.event.* }}` used directly in `run:` block
Overly broad trigger	`on: push` without branch filter runs on every push
Missing concurrency	No `concurrency:` block means queue buildup on rapid pushes
Hardcoded version	Python/Node/Go version hardcoded instead of from matrix or config

错误	检测方法
未固定动作	`uses:` 行使用@vN而非@sha
缺失权限	工作流或任务级别无 `permissions:` 块
错误分支名称	触发器引用 `master` 但默认分支是 `main`
无效路径过滤	`paths:` 引用不存在的目录
错误测试命令	`run: npm test` 但项目使用 `pnpm test`
缺失缓存	使用setup动作但未加 `cache:` 参数
脚本注入	`${{ github.event.* }}` 直接用于 `run:` 块
过于宽泛的触发器	`on: push` 无分支过滤会在每次推送时运行
缺失并发	无 `concurrency:` 块会导致快速推送时队列堆积
硬编码版本	Python/Node/Go版本硬编码而非来自矩阵或配置

Phase 5: Maintenance Strategy

阶段5：维护策略

Workflows rot when they fall behind ecosystem changes. Embed maintenance practices.

当工作流落后于生态系统变化时会逐渐失效。嵌入维护实践。

Workflow-as-code principles

工作流即代码原则

Version workflows alongside code. All workflows live in
```
.github/workflows/
```
.
Review workflow changes in PRs. Use CODEOWNERS on
```
.github/
```
to require review for workflow changes.
Keep actions updated. Use Dependabot for GitHub Actions ecosystem updates.
Delete dead workflows. Unused workflows create confusion and security risk.
Document non-obvious choices. Inline comments explain WHY, not WHAT.

工作流与代码一起版本化。所有工作流位于
```
.github/workflows/
```
。
在PR中审核工作流变更。在
```
.github/
```
上使用CODEOWNERS要求工作流变更需审核。
保持动作更新。使用Dependabot更新GitHub Actions生态系统。
删除废弃工作流。未使用的工作流会造成混淆并带来安全风险。
记录非显而易见的选择。行内注释解释原因，而非内容。

Automated maintenance (recommend to user)

自动化维护（推荐给用户）

Tool	Purpose
Dependabot (github-actions ecosystem)	Auto-update action versions
actionlint	Lint workflow files for syntax and best practice issues
CODEOWNERS on `.github/`	Require review for workflow changes
OpenSSF Scorecard	Automated security assessment of CI/CD practices
GitHub branch protection	Require status checks to pass before merge

工具	用途
Dependabot（github-actions生态系统）	自动更新动作版本
actionlint	检查工作流文件的语法和最佳实践问题
`.github/` 上的CODEOWNERS	要求工作流变更需审核
OpenSSF Scorecard	CI/CD实践的自动化安全评估
GitHub分支保护	合并前要求状态检查通过

Recommend to user

向用户推荐

Suggest adding these where relevant:

Branch protection rules: Require CI to pass before merge
CODEOWNERS: Protect
```
.github/
```
directory
Dependabot: Keep actions and dependencies updated
actionlint: Add as a CI step or pre-commit hook
Environment protection rules: Require approval for production deploys

根据情况建议添加以下内容：

分支保护规则：合并前要求CI通过
CODEOWNERS：保护
```
.github/
```
目录
Dependabot：保持动作和依赖更新
actionlint：添加为CI步骤或预提交钩子
环境保护规则：生产部署需批准

Failure Recovery

故障恢复

Workflow issue
  |
  +-> Can't determine project type
  |     +-> Read more source files and config
  |     +-> Check build scripts in package.json/Makefile
  |     +-> Ask user for clarification
  |
  +-> Conflicting CI config (multiple systems)
  |     +-> Ask user which system is canonical
  |     +-> Treat GitHub Actions as target; other as reference
  |
  +-> Unsure which actions to use
  |     +-> Prefer official actions (actions/*, github/*)
  |     +-> For ecosystem tools, use most-adopted community action
  |     +-> Check references/workflow-templates.md for recommendations
  |     +-> When in doubt, use raw `run:` commands instead of actions
  |
  +-> Existing workflows are complex but fragile (brownfield)
  |     +-> Preserve working logic first
  |     +-> Never rewrite from scratch unless user requests it
  |     +-> Fix one issue at a time, verify between changes
  |
  +-> Monorepo with unclear service boundaries
  |     +-> Look for workspace configs (package.json workspaces, nx.json, turbo.json)
  |     +-> Check for independent package.json/go.mod files in subdirectories
  |     +-> Ask user to confirm service/package boundaries
  |
  +-> Migration from another CI system
  |     +-> Map concepts: jobs->jobs, stages->jobs with needs, orbs->reusable workflows
  |     +-> Not everything maps 1:1 — document gaps
  |     +-> Prioritize: get CI working first, optimize later
  |
  +-> Conventions in existing workflows conflict with best practices (brownfield)
        +-> Follow existing conventions (consistency > correctness)
        +-> Only change conventions if user explicitly requests it
        +-> Exception: always fix critical security issues (unpinned actions,
            missing permissions, script injection) regardless of convention

Never fabricate action names. If you're unsure an action exists, use a raw

run:

command instead. Verify action names against known actions.

Never hardcode secrets. Always reference

${{ secrets.* }}

Never write workflows you haven't verified. Check every command, path, and action reference against the actual repository.

工作流问题
  |
  +-> 无法确定项目类型
  |     +-> 阅读更多源文件和配置
  |     +-> 检查package.json/Makefile中的构建脚本
  |     +-> 向用户请求澄清
  |
  +-> 冲突的CI配置（多个系统）
  |     +-> 询问用户哪个系统是标准
  |     +-> 将GitHub Actions作为目标；其他作为参考
  |
  +-> 不确定使用哪个动作
  |     +-> 优先使用官方动作（actions/*、github/*）
  |     +-> 对于生态系统工具，使用最受欢迎的社区动作
  |     +-> 参考references/workflow-templates.md获取推荐
  |     +-> 不确定时，使用原生`run:`命令而非动作
  |
  +-> 现有工作流复杂但脆弱（存量项目）
  |     +-> 先保留可用逻辑
  |     +-> 除非用户要求，否则永远不要从头重写
  |     +-> 一次修复一个问题，修复后验证
  |
  +-> 单体仓库服务边界不清晰
  |     +-> 查找工作区配置（package.json工作区、nx.json、turbo.json）
  |     +-> 检查子目录中的独立package.json/go.mod文件
  |     +-> 请求用户确认服务/包边界
  |
  +-> 从其他CI系统迁移
  |     +-> 映射概念：任务->任务、阶段->带needs的任务、orbs->可复用工作流
  |     +-> 并非所有内容都能1:1映射 — 记录差距
  |     +-> 优先级：先让CI可用，再优化
  |
  +-> 现有工作流约定与最佳实践冲突（存量项目）
        +-> 遵循现有约定（一致性 > 正确性）
        +-> 仅在用户明确要求时更改约定
        +-> 例外：始终修复严重安全问题（未固定动作、缺失权限、脚本注入），无论约定如何

永远不要编造动作名称。 如果不确定动作是否存在，使用原生

run:

命令。针对已知动作验证动作名称。

永远不要硬编码密钥。 始终引用

${{ secrets.* }}

。

永远不要编写未验证的工作流。 针对实际仓库检查每个命令、路径和动作引用。

Anti-Patterns

反模式

Security anti-patterns

安全反模式

Unpinned actions: Using
```
@v4
```
instead of
```
@sha
```
— supply chain attack vector
Missing permissions: No
```
permissions:
```
block — defaults to overly broad access
Script injection: Using
```
${{ github.event.* }}
```
directly in
```
run:
```
blocks
Long-lived credentials: Storing AWS/GCP keys as secrets instead of using OIDC
Fork secret exposure: Running
```
pull_request_target
```
with checkout of PR code
Overly broad
GITHUB_TOKEN
: Granting write permissions when read suffices

未固定动作：使用
```
@v4
```
而非
```
@sha
```
— 供应链攻击向量
缺失权限：无
```
permissions:
```
块 — 默认权限过于宽泛
脚本注入：直接在
```
run:
```
块中使用
```
${{ github.event.* }}
```
长期凭证：存储AWS/GCP密钥作为密钥而非使用OIDC
分支密钥暴露：运行
```
pull_request_target
```
并检出PR代码
过于宽泛的
GITHUB_TOKEN
：在仅需读取权限时授予写入权限

Performance anti-patterns

性能反模式

No caching: Reinstalling dependencies from scratch every run
No concurrency groups: Queue buildup on rapid pushes
Monolithic workflows: One huge workflow instead of parallel jobs
Unnecessary triggers: Running full CI on docs-only changes
Missing path filters: Every push triggers every workflow regardless of changes
Excessive matrix: Testing on 12 OS/version combos when 4 would suffice

无缓存：每次运行都从头重新安装依赖
无并发组：快速推送时队列堆积
单体工作流：一个巨大的工作流而非并行任务
不必要的触发器：仅文档变更时运行完整CI
缺失路径过滤：每次推送触发所有工作流，无论变更内容
过度矩阵：测试12种OS/版本组合而实际只需4种

Architecture anti-patterns

架构反模式

Workflow sprawl: 20 small workflow files with overlapping triggers
Duplicate logic: Same steps copy-pasted across workflows (use reusable workflows)
Missing
needs:
: Jobs that should be sequential running in parallel
No environment protection: Deploy to production without approval gates
No Dependabot: Actions and dependencies never updated

工作流泛滥：20个小工作流文件，触发器重叠
重复逻辑：相同步骤复制粘贴到多个工作流（使用可复用工作流）
缺失
needs:
：应顺序运行的任务并行运行
无环境保护：无需批准即可部署到生产环境
无Dependabot：动作和依赖从未更新

Process anti-patterns

流程反模式

Treating first draft as final: Always verify against the codebase
Ignoring existing workflows: Not reading current workflows before modifying
Over-engineering: Adding complex matrix builds for a single-language project
Premature optimization: Adding self-hosted runners before measuring need

将初稿视为最终版本：始终针对代码库验证
忽略现有工作流：修改前未读取当前工作流
过度设计：为单语言项目添加复杂矩阵构建
过早优化：在评估需求前添加自托管运行器

Reference Files

参考文件

Repository discovery: See references/repo-discovery.md for deterministic repository analysis: language detection, ecosystem identification, deployment target detection, and monorepo discovery
Workflow templates: See references/workflow-templates.md for complete YAML templates per ecosystem: Node.js, Python, Go, Rust, Java, Docker, Terraform, and monorepo configurations
Security hardening: See references/security-hardening.md for permissions model, action pinning with current SHAs, OIDC configuration, secret management, fork protection, and script injection prevention
Pipeline patterns: See references/pipeline-patterns.md for CI/CD patterns: caching strategies, matrix builds, concurrency groups, reusable workflows, monorepo change detection, deployment strategies, release automation, and scheduled pipelines

仓库发现：确定性仓库分析请参考references/repo-discovery.md：语言检测、生态系统识别、部署目标检测和单体仓库发现
工作流模板：各生态系统完整YAML模板请参考references/workflow-templates.md：Node.js、Python、Go、Rust、Java、Docker、Terraform和单体仓库配置
安全加固：权限模型、带当前SHA的动作固定、OIDC配置、密钥管理、分支保护和脚本注入预防请参考references/security-hardening.md
流水线模式：CI/CD模式请参考references/pipeline-patterns.md：缓存策略、矩阵构建、并发组、可复用工作流、单体仓库变更检测、部署策略、发布自动化和定时流水线