ci-fix
Fix CI failures in a loop until all GitHub workflow runs on the current branch are green. Use when CI is failing and needs automated repair.
| name | ci-fix |
| description | Fix CI failures in a loop until all GitHub workflow runs on the current branch are green. Use when CI is failing and needs automated repair. |
Monitor the GitHub CI pipeline for the current branch, fix every failure, push fixes, and repeat until all workflow runs pass.
Safety: this skill commits and pushes code. It will not force-push, will not modify branches other than the current one, and will not merge or delete branches. It follows all cardinal coding rules on every fix attempt.
```bash
BRANCH=$(git branch --show-current)
echo "Branch: $BRANCH"
```
Confirm the branch is not main or develop. If it is, stop and ask the user
to confirm before proceeding — direct pushes to protected branches require
explicit approval.
```bash
GH_PAGER=cat gh run list \
  --repo Cosmian/kms \
  --branch "$BRANCH" \
  --limit 20 \
  --json databaseId,name,status,conclusion,headBranch,headSha \
  --jq '.[] | select(.status == "completed" or .status == "in_progress" or .status == "queued")'
```
Wait for all runs to reach completed status before proceeding. If any run is
in_progress or queued, poll every 60 seconds:
```bash
# Poll loop — wait for all runs on the branch to complete
while GH_PAGER=cat gh run list \
    --repo Cosmian/kms \
    --branch "$BRANCH" \
    --limit 20 \
    --json status \
    --jq '.[].status' \
  | grep -qE "in_progress|queued|waiting|requested"; do
  echo "CI still running — waiting 60s..."
  sleep 60
done
echo "All runs completed."
```
```bash
GH_PAGER=cat gh run list \
  --repo Cosmian/kms \
  --branch "$BRANCH" \
  --limit 20 \
  --json databaseId,name,conclusion \
  --jq '.[] | select(.conclusion == "failure" or .conclusion == "timed_out")'
```
- If no failures → print "✅ All CI runs are green. Nothing to fix." and stop.
- If failures exist → collect the run IDs and continue to Step 3.
For each failed run ID, retrieve the failed jobs and their logs:
```bash
# List failed jobs in a run
GH_PAGER=cat gh run view <RUN_ID> \
  --repo Cosmian/kms \
  --json jobs \
  --jq '.jobs[] | select(.conclusion == "failure") | {name: .name, steps: [.steps[] | select(.conclusion == "failure")]}'

# Fetch the full log for a failed run
GH_PAGER=cat gh run view <RUN_ID> --repo Cosmian/kms --log-failed 2>&1 | head -300
```
Repeat for each failed run. Collect all error messages.
Classify each failure into one of these categories (in priority order):
| Category | Indicators | Fix strategy |
|---|---|---|
| Formatting | error: would reformat / cargo fmt / rustfmt | cargo fmt --all |
| Clippy warning | error[clippy::...] / -D warnings | Fix lint, then cargo clippy-all locally |
| Compile error | error[E...] / could not compile | Read error, fix source |
| Test failure | test ... FAILED / assertion failed / panicked | Read test output, fix logic |
| Dependency audit | cargo deny / cargo machete / cargo audit | Update Cargo.toml, add deny.toml exception if justified |
| Nix hash mismatch | hash mismatch / got: sha256- | Run mise run release:update-hashes with failed job link, or update nix/expected-hashes/ manually |
| Docker/packaging | build failures in packaging jobs | Check Dockerfile, packaging scripts |
| Flaky test | intermittent, not reproducible locally | Re-run first; if persistent, investigate |
Fix Formatting and Clippy first — they are fastest and unblock other failure diagnosis.
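The classification step as a small shell helper, added here as an example and not part of the Cosmian/kms skill: `classify_failure` reads a failed run's log on stdin and tests the table's indicators in priority order, so a log that mentions both a clippy lint and a failing test is filed under the earlier category, and `extract_nix_hash` pulls the expected hash out of the `got: sha256-...` line. The regexes, function names and the sample log fragment are assumptions derived from the table, not the skill's own code.

```shell
#!/bin/sh
# Added example (not part of the Cosmian/kms ci-fix skill).
# Classify a failed run's log into the skill's failure categories, checking
# the table's indicators in priority order so the first match wins. The
# patterns are assumptions derived from the table's "Indicators" column.

# $1 = extended regex, tested against the log text held in $LOG
log_matches() { printf '%s\n' "$LOG" | grep -qE "$1"; }

# stdin: the output of `gh run view <RUN_ID> --log-failed`; prints one category
classify_failure() {
  LOG=$(cat)
  if   log_matches 'error: would reformat|cargo fmt|rustfmt';         then echo formatting
  elif log_matches 'error\[clippy::|-D warnings';                     then echo clippy
  elif log_matches 'error\[E[0-9]+\]|could not compile';              then echo compile
  elif log_matches 'test .* \.\.\. FAILED|assertion failed|panicked'; then echo test
  elif log_matches 'cargo deny|cargo machete|cargo audit';            then echo dependency-audit
  elif log_matches 'hash mismatch|got: +sha256-';                     then echo nix-hash
  else echo unknown   # Docker/packaging and flaky failures have no text indicator: triage by hand
  fi
}

# Nix hash mismatch: pull the expected SRI hash from the "got: sha256-..." line
# (stdin: log text; prints the first hash found, nothing if there is none)
extract_nix_hash() {
  sed -n 's|.*got: *\(sha256-[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1
}

# Demo on a constructed log fragment, not a real Cosmian/kms run log
printf 'error[clippy::unwrap_used]: used unwrap on an Option\n' | classify_failure   # prints: clippy
```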
For each failure category, apply the appropriate fix:
Formatting and Clippy:

```bash
cargo fmt --all
cargo clippy-all 2>&1
# Fix each warning. Follow the decision tree:
# 1. Can it be fixed? → fix it
# 2. Cannot be fixed, documented reason → add #[allow(clippy::X)] with inline comment
# 3. Undecided → report to user before suppressing
```
Compile error or test failure:

1. Read the exact error from the log
2. Locate the file using the path in the error message
3. Read the surrounding code (at least 20 lines of context)
4. Apply the minimal fix required
5. Run locally to verify:

```bash
cargo test -p <crate> <test_name> 2>&1
```
Nix hash mismatch:

1. Extract the correct hash from the log line: `got: sha256-XXXX`
2. Update the matching file in nix/expected-hashes/

Alternatively, run the automated script:

```bash
mise run release:update-hashes <failed-job-link>
```
Dependency audit (cargo deny):

- Check deny.toml for existing exceptions
- Update Cargo.toml to upgrade the affected crate, or add a time-limited deny.toml ignore entry with a comment

Unused dependencies (cargo machete):

- Remove unused [dev-dependencies] and [dependencies] entries from Cargo.toml

After every fix, verify locally before committing:
```bash
cargo clippy --workspace --all-targets --all-features -- -D warnings && cargo fmt --all
cargo test -p <affected_crate> <test_name> 2>&1 | tail -20
```
Important: For sanity checks, only run the tests that directly exercise the changed code. When changes affect only a certain scope, target that scope. Do not run the full test suite unless the change is cross-cutting.
Group all fixes into a single conventional commit per failure category:
```bash
git add -p   # review each hunk — never commit unrelated changes
git commit -m "fix(<scope>): <description>"
git push origin "$BRANCH"
```
Commit message scopes:

- `fix(fmt)`: for formatting-only commits
- `fix(clippy)`: for lint-only commits
- `fix(ci)`: for Nix hash or packaging fixes
- `fix(<crate>)`: for test or compile fixes
- Do not use `--no-verify`: pre-commit hooks must pass

After pushing, return to Step 1 and wait for the new runs to complete.
```bash
echo "Pushed fixes. Waiting for CI to start..."
sleep 30   # give GitHub time to register the push
# Then re-enter the Step 1 polling loop
```
Loop termination conditions:

- Every run has `conclusion == "success"`: the loop ends and the summary below is produced.
- Any run has `conclusion == "failure"`: go back to Step 3.
- The same failure has already been attempted 3 times: stop and report
  "CI loop aborted after 3 attempts on the same failure: <category>: <message>. Manual investigation required."
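The termination rules above as a decision function, added here as an example and not taken from the skill: `decide_next_step` reads the run conclusions on stdin (one per line, as `gh run list --json conclusion --jq '.[].conclusion'` prints them), counts the fix attempts already made for the current failure category in a temp file so the count survives the loop's subshells, and answers done, retry or abort. The function name, `MAX_ATTEMPTS` and the attempts file are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Cosmian/kms ci-fix skill): decide the loop's
# next action from the run conclusions and the failure category being fixed.
MAX_ATTEMPTS=3                 # the skill's limit of attempts on one failure
ATTEMPTS_FILE=$(mktemp)        # assumed state store: one line per fix attempt

# stdin: one conclusion per line (success / failure / timed_out / ...)
# $1:    category of the failure being worked on (e.g. clippy, nix-hash)
# prints one of: done | retry | abort
decide_next_step() {
  category=$1
  if ! grep -qE '^(failure|timed_out)$'; then   # consumes stdin
    echo done                                    # nothing left to fix
    return 0
  fi
  # how many fixes have already been pushed for this category?
  prior=$(grep -c "^$category\$" "$ATTEMPTS_FILE" || true)
  if [ "$prior" -ge "$MAX_ATTEMPTS" ]; then
    echo "CI loop aborted after $MAX_ATTEMPTS attempts on the same failure: $category. Manual investigation required." >&2
    echo abort
    return 0
  fi
  echo "$category" >> "$ATTEMPTS_FILE"          # record this attempt
  echo retry                                     # back to Step 3
}
```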
When all CI runs are green, produce:
## CI Fix Summary — <branch>
| Run | Workflow | Status |
|-----|----------|--------|
| <id> | CI | ✅ |
| <id> | Packaging | ✅ |
### Fixes applied
| Commit | Category | Description |
|--------|----------|-------------|
| <sha> | fmt | Reformatted 3 files |
| <sha> | clippy | Fixed unwrap in `crate/server/src/core/operations/get.rs:42` |
### Iterations: <N>