ci-efficiency
Audit GitHub Actions workflows for efficiency and recommend fixes to reduce CI minutes and costs. Use when asked to improve CI performance.
| name | ci-efficiency |
| description | Audit GitHub Actions workflows for efficiency and recommend fixes to reduce CI minutes and costs. Use when asked to improve CI performance. |
Inspect the repository's GitHub Actions workflows, identify waste sources, and recommend targeted fixes to reduce CI minutes and cost.
The CI entry point is MISE (mise run). All builds and tests go through it:
```sh
mise run [--variant fips|non-fips] [--link static|dynamic] <task>
```
Key workflows:
- .github/workflows/pr.yml — pull request CI
- .github/workflows/main.yml + main_base.yml — push CI
- .github/workflows/test_all.yml — full test matrix
- .github/workflows/release.yml — release automation
- .github/workflows/packaging.yml, packaging-docker.yml, packaging-tests.yml — packaging

Test matrix variants: sqlite, psql, mariadb, percona, wasm, google_cse, gcp_cmek, otel_export, hsm, redis (non-fips), aws_xks (non-fips), azure_ekm (non-fips), ui (non-fips).
```sh
# Scan for efficiency signals
rg -n "on:|concurrency:|paths:|paths-ignore:|strategy:|matrix:|cache:" .github/workflows

# Check recent run history (if gh CLI available)
GH_PAGER=cat gh run list --limit 10 --repo Cosmian/kms
run_id=$(GH_PAGER=cat gh run list --limit 1 --json databaseId --jq '.[0].databaseId' --repo Cosmian/kms)
GH_PAGER=cat gh run view "$run_id" --log-failed --repo Cosmian/kms
```
Look for:

- missing or ineffective caches (~/.cargo, target/, nix store, pnpm store)
- missing concurrency groups to cancel stale runs on the same PR
- pr.yml and main.yml

Before recommending any fix, verify it passes all guardrails:
From these candidates, keep only those supported by audit evidence AND passing all guardrails. Rank by estimated daily CI minutes saved:
- Cache target/, ~/.cargo/registry, and the pnpm store with lockfile-based keys
- Add `concurrency: { group: "${{ github.ref }}", cancel-in-progress: true }` to PR workflows
- Add paths: filters so Rust-only changes don't trigger the full UI E2E suite and vice versa
- develop/main, not on every PR
- pr.yml and main.yml

If gh CLI is available, validate path-gating and concurrency cancellation with a dry-run check.
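The three signals the audit keys on (stale-run cancellation, dependency caching, path gating) can be checked statically before any gh run is consulted. The checker below is an added example, not code from the ci-efficiency skill or the Cosmian/kms repository; the two workflow texts are constructed samples, and the regex-based inspection assumes conventionally indented YAML rather than using a YAML parser.

```python
import re

# Constructed sample: a PR workflow missing all three efficiency signals.
PR_YML = """\
name: PR
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mise run test
"""
# Constructed sample: the same workflow with the recommended fixes applied.
PR_FIXED_YML = """\
name: PR
on:
  pull_request:
    paths-ignore:
      - "ui/**"
concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: ~/.cargo/registry
          key: cargo-${{ hashFiles('**/Cargo.lock') }}
      - run: mise run test
"""

def audit_workflow(text: str) -> list[str]:
    """One finding per missing signal; regex-based, so no YAML library is needed."""
    findings = []
    # Stale-run cancellation: a concurrency block that sets cancel-in-progress: true.
    if not (re.search(r"^\s*concurrency:", text, re.M) and re.search(r"cancel-in-progress:\s*true", text)):
        findings.append("no concurrency group with cancel-in-progress: true")
    # Dependency caching: actions/cache, any *-cache action, or a setup action's cache: key.
    if not re.search(r"uses:\s*\S*cache@|^\s+cache:\s*\S", text, re.M):
        findings.append("no dependency cache step (~/.cargo, target/, nix, pnpm)")
    # Path gating: a pull_request trigger without paths/paths-ignore runs on every change.
    if re.search(r"^\s+pull_request:", text, re.M) and not re.search(r"^\s+paths(-ignore)?:", text, re.M):
        findings.append("pull_request trigger has no paths/paths-ignore filter")
    return findings

if __name__ == "__main__":
    print("before:", audit_workflow(PR_YML) or "OK")
    print("after:", audit_workflow(PR_FIXED_YML) or "OK")
```

Run it over each file in .github/workflows/ to get the evidence list the ranking step asks for; an empty result means the file already carries all three signals.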
If live validation is not possible, state that explicitly.
If shell or gh CLI access is unavailable: request the user paste .github/workflows/ contents and gh run list --limit 10 output. Begin static-only responses with: "Static-only analysis (not confirmed with live runs)."