Configure pre-commit hooks and lean GitHub Actions for shift-left quality assurance. Use when adding or auditing CI/CD to maximize local test coverage and minimize CI cost. Skip for Terraform/K8s, deployment pipelines, or non-GitHub CI providers.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Configure pre-commit hooks and lean GitHub Actions for shift-left quality assurance. Use when adding or auditing CI/CD to maximize local test coverage and minimize CI cost. Skip for Terraform/K8s, deployment pipelines, or non-GitHub CI providers.
Implement comprehensive DevOps quality gates adapted to project type, with a shift-left philosophy: run as many checks as possible locally via pre-commit so developers get fast feedback and CI is a safety net rather than the primary gate.
Core principle: If a check can run locally in under ~60 seconds, it belongs in pre-commit. GitHub Actions should handle things that can't run locally: matrix version testing, secrets-based security scans, deployment, and reporting.
To stay within the agent's context budget, this SKILL keeps templates short and links to references/*.md for language-specific configs, workflow templates, and the CLI E2E script.
Repo Sync Before Edits (mandatory)
Before creating/updating/deleting files in an existing repository, sync the current branch with remote:
Flaky or environment-sensitive tests that need a clean VM
CLI End-to-End Testing
If the project is a CLI tool, create scripts/e2e_test.sh that exercises every command/subcommand to verify the CLI works end-to-end (not just compiles). Wire it into pre-commit on the push stage.
See references/cli-e2e.md for command discovery patterns, the script template, and the pre-commit hook snippet.
Install hooks:
pre-commit install
pre-commit install --hook-type pre-push # also install push-stage hooks
pre-commit run --all-files # Test on existing code
3. Create GitHub Actions Workflows (lean CI)
Create .github/workflows/ci.yml — but keep it lean since pre-commit already catches most issues. See references/github-actions.md for workflow templates.
Matrix testing across language versions (important for libraries)
Upload coverage reports (Codecov, etc.)
Deployment on merge to main
PR status comments/badges
Secrets-dependent scans
Since pre-commit already runs lint, format, type-check, unit tests, and E2E tests — the CI workflow can be simpler: install deps → run pre-commit → run tests with coverage upload → build artifact.
# Minimal CI when pre-commit covers everything locally:-name:Runpre-commitrun:pre-commitrun--all-files-name:Runtestswithcoveragerun:<test-command>--cov--cov-report=xml-name:Uploadcoverageuses:codecov/codecov-action@v4
4. Verify Pipeline
# Test all pre-commit hooks (commit stage)
pre-commit run --all-files
# Test push-stage hooks (includes E2E)
pre-commit run --all-files --hook-stage push
# Verify the CLI E2E script directly
bash scripts/e2e_test.sh
If all local checks pass, GitHub Actions becomes a thin verification layer, not the primary quality gate.
Tool Selection by Language
Language
Formatter
Linter
Type Check
Security
Tests
JS/TS
Prettier
ESLint
tsc
npm audit
Jest/Vitest
Python
Ruff/Black
Ruff
mypy
Bandit + detect-secrets
pytest
Go
gofmt
golangci-lint
built-in
gosec
go test
Rust
rustfmt
Clippy
built-in
cargo-audit
cargo test
Java
google-java-format
Checkstyle
-
SpotBugs
mvn test
Where each check runs (commit-stage pre-commit, push-stage pre-commit, or GitHub Actions only) is set out in Workflow steps 2 and 3 above — do not re-split checks differently here.
Expected Output
After running the skill, the repository contains:
.pre-commit-config.yaml — hooks for formatting, linting, type-checking, and unit tests on commit stage; full test suite and E2E tests on push stage.
.github/workflows/ci.yml — lean CI that re-runs pre-commit and uploads coverage; no duplicate lint/format steps.
.pre-commit-config.yaml exists at the repo root and lists at least one hook for the detected primary language (formatter, linter, or type checker).
All checks runnable locally in under ~60 seconds are configured in pre-commit, not GitHub Actions.
At least one .github/workflows/*.yml exists and runs only the things pre-commit cannot (matrix builds, secret-scanning, deployment, or release).
pre-commit run --all-files succeeds (or its failures are surfaced explicitly to the user, not auto-suppressed).
For CLI projects, an E2E test step is wired into either pre-commit or CI per the language reference files.
No duplication: the same check (e.g., eslint, ruff) does not run in both pre-commit and CI on the same trigger.
Edge Cases
No package manager detected: Prompt the user for the language/build system before generating hooks; never guess silently.
Pre-commit not installed: Emit the install command (pip install pre-commit or brew install pre-commit) and stop; don't generate config files for a tool that isn't present.
Existing .pre-commit-config.yaml: Merge new hooks into the existing file rather than overwriting; preserve user-defined hooks and pinned revs.
Monorepo with multiple languages: Generate one config with per-language hook sections and files: path filters so hooks only run on relevant subdirectories.
No origin remote: Skip the repo-sync step and inform the user; proceed with local-only setup.
Tests take >60 seconds: Move slow tests to push stage or GitHub Actions only; note the decision explicitly in the generated config with a comment.
Windows-only repo: Substitute PowerShell-compatible hook entries and flag any Unix-specific commands.
Step Completion Reports
After completing each major step, output a status report in this format:
Adapt the check names to match what the step actually validates. Use √ for pass, × for fail, and — to add brief context. The "Criteria" line summarizes how many acceptance criteria were met. The "Result" line gives the overall verdict.