Run any Skill in Manus with one click

$pwd:

github-actions-dependabot-review

Name: Github Actions Dependabot Review
Author: fedimint

// Review Dependabot PRs updating GitHub Actions workflows/actions, with a security-focused upstream diff check before commenting.

Run Skill in Manus

$ git log --oneline --stat

stars:687

forks:276

updated:May 17, 2026 at 04:52

SKILL.md

readonly

name	github-actions-dependabot-review
description	Review Dependabot PRs updating GitHub Actions workflows/actions, with a security-focused upstream diff check before commenting.

GitHub Actions Dependabot Review

Use when asked to review Dependabot PRs for GitHub Actions updates.

Find PRs

gh auth status
gh pr list -R OWNER/REPO --state open --author app/dependabot \
  --json number,title,headRefName,url --limit 100

Target PRs usually have github_actions in the branch name or a title like bump OWNER/ACTION from OLD to NEW.

Review each PR

Delegate one subagent per PR. For each PR:

Check if a non-bot human already reviewed it:

gh pr view PR -R OWNER/REPO --json reviews,comments,reviewDecision

If yes, stop for that PR.

If not reviewed, inspect PR metadata for the action repo, old/new versions, git hashes, and changelog notes:

gh pr view PR -R OWNER/REPO --json title,body,files,commits,url
gh pr diff PR -R OWNER/REPO

Clone the upstream action repo into a temp dir, never into the working tree:

tmp=$(mktemp -d)
git clone https://github.com/OWNER/ACTION "$tmp/action"
cd "$tmp/action"

Diff old vs new. Prefer Dependabot-listed hashes; otherwise resolve tags locally:

git rev-parse OLD
git rev-parse NEW
git diff --stat OLD..NEW
git diff OLD..NEW

Compare the diff to the changelog. Review with a security-critical mindset: secret/token exfiltration, eval/dynamic code, shell injection, new network calls or downloads, dependency/lockfile surprises, token/permission handling, workflow-command injection, and suspicious generated/minified artifacts.

If dependency manifests or lockfiles change (package-lock.json, Cargo.lock, etc.), review each dependency update similarly. If the dependency diff is too large or infeasible, at least check metadata on the relevant registry (npm, crates.io, etc.) and verify the new version is at least a week old. Raise anything not clearly safe as a concern in the PR comment.

Post a concise PR comment using the current agent's normal attribution prefix. Include old/new hashes, what changed, whether it matches the changelog, risks found or explicitly not found, and a clear OK to merge / not OK to merge recommendation.

gh pr comment PR -R OWNER/REPO --body-file COMMENT.md

Final report

Summarize PR link, whether it was already reviewed, whether a comment was posted, and the recommendation.

related-skills.json

same repository

github-cargo-dependabot-review.md

from "fedimint/fedimint"

Review Dependabot PRs updating Rust/Cargo crates with a security-focused crates.io tarball diff before commenting.

2026-05-17687

pr-submissions-checklist.md

from "fedimint/fedimint"

Must read before submitting PRs to Fedimint project

2026-05-17687

github-stale-pr-triage.md

from "fedimint/fedimint"

Triage stale GitHub PRs. Use when asked to review old, inactive, least-recently-updated, obsolete, or closeable pull requests, comment with a recommendation, and close PRs that are clearly no longer useful.

2026-05-16687

gateway-liquidity.md

from "fedimint/fedimint"

Use this skill when the user asks about Fedimint gateway liquidity management, lightning channels, gateway balances, routing fees, peg-in, peg-out, channel opening/closing, payment logs, invoices, or any gateway-cli operations. Triggers on: "gateway", "liquidity", "channels", "routing fees", "peg-in", "peg-out", "ecash balance", "lightning balance", "open channel", "close channel", "set fees", "payment summary", "invoice", "gateway-cli".

2026-05-16687

package.json

"author": "fedimint"

"repository": "fedimint/fedimint"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software Quality Assurance Analysts and TestersComputer and Mathematical Occupations15-1253L4

name	github-actions-dependabot-review
description	Review Dependabot PRs updating GitHub Actions workflows/actions, with a security-focused upstream diff check before commenting.

GitHub Actions Dependabot Review

Use when asked to review Dependabot PRs for GitHub Actions updates.

Find PRs

gh auth status
gh pr list -R OWNER/REPO --state open --author app/dependabot \
  --json number,title,headRefName,url --limit 100

Target PRs usually have github_actions in the branch name or a title like bump OWNER/ACTION from OLD to NEW.

Review each PR

Delegate one subagent per PR. For each PR:

Check if a non-bot human already reviewed it:

gh pr view PR -R OWNER/REPO --json reviews,comments,reviewDecision

If yes, stop for that PR.

If not reviewed, inspect PR metadata for the action repo, old/new versions, git hashes, and changelog notes:

gh pr view PR -R OWNER/REPO --json title,body,files,commits,url
gh pr diff PR -R OWNER/REPO

Clone the upstream action repo into a temp dir, never into the working tree:

tmp=$(mktemp -d)
git clone https://github.com/OWNER/ACTION "$tmp/action"
cd "$tmp/action"

Diff old vs new. Prefer Dependabot-listed hashes; otherwise resolve tags locally:

git rev-parse OLD
git rev-parse NEW
git diff --stat OLD..NEW
git diff OLD..NEW

Compare the diff to the changelog. Review with a security-critical mindset: secret/token exfiltration, eval/dynamic code, shell injection, new network calls or downloads, dependency/lockfile surprises, token/permission handling, workflow-command injection, and suspicious generated/minified artifacts.

Post a concise PR comment using the current agent's normal attribution prefix. Include old/new hashes, what changed, whether it matches the changelog, risks found or explicitly not found, and a clear OK to merge / not OK to merge recommendation.

gh pr comment PR -R OWNER/REPO --body-file COMMENT.md

Final report

Summarize PR link, whether it was already reviewed, whether a comment was posted, and the recommendation.

github-actions-dependabot-review

GitHub Actions Dependabot Review

Find PRs

Review each PR

Final report

More from this repository

More from this repository

GitHub Actions Dependabot Review

Find PRs

Review each PR

Final report