// Use when Codex needs to manage GitHub repositories with gh CLI or GitHub APIs, including issues, pull requests, review comments, GitHub Actions CI, releases, labels, milestones, branch protection, repository hygiene, security audit, dependency alerts, or repo governance tasks.
| name | github-management |
| description | Use when Codex needs to manage GitHub repositories with gh CLI or GitHub APIs, including issues, pull requests, review comments, GitHub Actions CI, releases, labels, milestones, branch protection, repository hygiene, security audit, dependency alerts, or repo governance tasks. |
Use this skill for full-cycle GitHub repository management. Prefer gh CLI for authenticated operations and use GitHub REST or GraphQL only when gh does not expose the needed data cleanly.
Collect facts first, summarize risk, then ask before any mutating action.
Mutating actions include pushing commits, merging PRs, closing issues, deleting branches or tags, creating releases, changing labels or milestones, editing branch protection, changing repository settings, modifying permissions, dismissing reviews, rerunning workflows, and applying generated fixes.
Run the pipeline exactly:
Context -> Auth -> Read-only Inspect -> Risk Summary -> Confirmation -> Mutation -> Verification
If context, authentication, target identifiers, or user intent are missing, stop and ask. Do not guess.
When this skill is triggered, first decide whether GitHub authentication is already ready for the requested repo. If readiness is unknown or missing, tell the user how to configure GitHub access step by step before doing GitHub management work.
Do not skip this onboarding. Use references/authentication.md and present the user-facing steps there. Keep the guidance practical:
repo scope.config/ folder, never in chat.gh auth login --with-token < config/token and gh auth setup-git.gh auth status.git remote -v.gh repo view --json nameWithOwner,url.references/authentication.md and inspect config/auth.example.json for the expected local auth shape.gh auth status.gh auth login --with-token < config/token, gh auth setup-git, or the configured token environment.config/auth.local.json, config/token, or secret config files.scripts/ when they match the task.--json output when the result will feed later reasoning.gh command or API call.Use these scripts from the repository being managed unless the user provides another path:
python "<skill-path>/scripts/inspect_pr.py" --repo "." --json
python "<skill-path>/scripts/inspect_ci.py" --repo "." --json
python "<skill-path>/scripts/inspect_pr_checks.py" --repo "." --json
python "<skill-path>/scripts/fetch_comments.py" --repo "." --json
python "<skill-path>/scripts/triage_issues.py" --repo "." --json
python "<skill-path>/scripts/repo_audit.py" --repo "." --json
All JSON output uses:
{"ok": true, "source": "github-management", "items": [], "warnings": [], "next_actions": []}
| Task | First inspection | Confirmation needed before |
|---|---|---|
| Issue triage | triage_issues.py or gh issue list --json ... | labeling, assigning, closing, editing milestone |
| PR review | inspect_pr.py | pushing fixes, submitting reviews, merging |
| Review comments | fetch_comments.py; read references/review-comments.md | resolving conversations or pushing fixes |
| CI failure | inspect_ci.py or inspect_pr_checks.py; read references/ci-diagnostics.md | rerunning workflows or applying fixes |
| Release | gh release list/view | creating, editing, deleting, or publishing a release |
| Repo audit | repo_audit.py | changing settings, protections, permissions, secrets, Actions policy |
| Security review | Read the matching security best-practice reference listed below | filing issues, changing policy, applying fixes |
| Threat model | Read references/security-threat-model-template.md and references/security-controls-and-assets.md | writing files, filing issues, applying mitigations |
| Security ownership map | Run scripts/security_ownership/run_ownership_map.py and query with scripts/security_ownership/query_ownership.py | writing analysis outside the requested output directory |
For security best practices, identify the repo language and framework, then load every matching reference:
references/security-best-practices-golang-general-backend-security.mdreferences/security-best-practices-javascript-express-web-server-security.mdreferences/security-best-practices-javascript-general-web-frontend-security.mdreferences/security-best-practices-javascript-jquery-web-frontend-security.mdreferences/security-best-practices-javascript-typescript-nextjs-web-server-security.mdreferences/security-best-practices-javascript-typescript-react-web-frontend-security.mdreferences/security-best-practices-javascript-typescript-vue-web-frontend-security.mdreferences/security-best-practices-python-django-web-server-security.mdreferences/security-best-practices-python-fastapi-web-server-security.mdreferences/security-best-practices-python-flask-web-server-security.mdFor threat modeling, stay repo-grounded: use evidence anchors, trust boundaries, assets, attacker capabilities, abuse paths, mitigations, and explicit assumptions from references/security-threat-model-template.md.
For security ownership map tasks, keep analysis read-only against git history. Write artifacts only to the user-specified output directory or a repo-local ownership-map-out/, then use references/security-ownership-neo4j-import.md only when graph import is requested.
references/authentication.md before configuring or troubleshooting GitHub authentication.references/safety-policy.md before any mutating GitHub action.references/workflows.md for task-specific GitHub workflows.references/review-comments.md for PR comment and review-thread handling.references/ci-diagnostics.md for failing check and log inspection.references/development-practices.md before code changes caused by GitHub management work.references/source-attribution.md when source provenance matters.gh auth status.