一键在 Manus 中运行任何 Skill

pr-pass

星标3

分支1

更新时间2026年6月5日 01:51

Triage open GitHub pull requests for actionable feedback, unresolved review threads, requested changes, CI or merge blockers, and ready-to-merge links. Use when the user asks for a PR pass, review/mergeability sweep, status check across their open PRs, a filtered PR cohort, or asks which PRs need action versus can be merged.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

robert-chiniquy

robert-chiniquy/dotfiles

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

PR Pass

Overview

Run a focused GitHub PR sweep. Report only what needs action and which PRs are ready to merge; avoid long status dumps.

Do not merge, assign reviewers, post comments, or push changes unless the user explicitly asks for that write action.

Workflow

Resolve scope.
- If the user names repos, orgs, authors, PR URLs, branches, labels, base branches, or a provenance filter, use that scope.
- If the user says "my PRs", identify the authenticated GitHub user with gh api user.
- If the user names a cohort like "auth PRs", "release PRs", "generated-code PRs", or "go-analysis PRs", infer matching title, branch, body, label, and repo markers; keep the filter conservative and say what was included.
- Exclude unrelated stacks or cohorts unless the user explicitly includes them.
Fetch current PR state.
- Prefer GitHub structured data through gh api graphql or gh pr view --json.
- Fetch at least: title, URL, state, draft status, head branch, body, labels, review decision, merge state, mergeability, latest check state, issue comments, reviews, and review threads.
- When GraphQL reports UNKNOWN mergeability for an otherwise likely-ready PR, refresh with REST:

gh api repos/OWNER/REPO/pulls/NUMBER --jq '{number, mergeable, mergeable_state, draft}'

Classify actionable feedback.
- Action needed: any unresolved thread with reviewer feedback not already answered by the author, any CHANGES_REQUESTED review, failed checks, draft state when the PR is expected to be ready, or merge conflicts.
- Needs decision: unresolved technical question where the author is waiting on someone else, or a thread that changes whether the PR should merge.
- No action: bot-only comments with no unresolved thread, resolved threads, author self-comments, approvals, and old comments already addressed by later commits or replies.
- Do not count GitHub Actions review summaries as human review. Mention them only if they contain unresolved suggestions or failures.
Classify ready-to-merge PRs.
- Include only open, non-draft PRs with successful checks, no unresolved threads, no requested changes, no merge conflicts, and a review state that satisfies branch protection.
- If branch protection requires review, require reviewDecision: APPROVED.
- If checks or mergeability are stale or unknown after refresh, put the PR under "Unknown" rather than calling it mergeable.
- Link directly to each ready PR. Do not merge unless explicitly asked.
Report tersely.
- Lead with action-needed PRs.
- Then list ready-to-merge links only.
- Then list unknown/stale PRs if any.
- Omit no-action PRs unless the user asks for a full inventory.

Provenance Filters

Use user-provided cohort language as a filter, not as a special case. Match against title, branch, body, labels, and repo when possible. Examples:

Area PRs: package names, service labels, path names, domain words from the user's request.
Release PRs: release, backport, version tags, release branches.
Generated-code PRs: generated, codegen, proto, wire, generated file paths.
Static-analysis or go-analysis PRs: go-analysis, occult-go-analysis, static analysis, analyzer, detector, How found, Origin, detector names.

When the filter is inferred, include one short sentence such as Scoped to PRs whose title/body/branch matched static-analysis provenance. Do not let an example cohort dominate the workflow.

Output Shape

Use this shape by default:

**Needs Action**
- PR title: reason. Link.

**Ready To Merge**
- Link
- Link

**Unknown**
- PR title: what could not be verified. Link.

If there is no action needed, say No feedback needs action. If there are no mergeable PRs, say No PRs are ready to merge.

Query Patterns

Use GraphQL when scanning multiple PRs:

gh api graphql -F q='is:pr is:open author:USER org:ORG' -f query='
query($q:String!) {
  search(type: ISSUE, query: $q, first: 100) {
    nodes {
      ... on PullRequest {
        number
        title
        url
        state
        updatedAt
        isDraft
        headRefName
        bodyText
        reviewDecision
        mergeStateStatus
        mergeable
        statusCheckRollup { state }
        repository { nameWithOwner }
        comments(last:20) {
          nodes { author { login } bodyText createdAt updatedAt url }
        }
        reviews(last:50) {
          nodes { author { login } state submittedAt bodyText url }
        }
        reviewThreads(first:100) {
          nodes {
            isResolved
            comments(last:10) {
              nodes { author { login } bodyText createdAt updatedAt url path line }
            }
          }
        }
      }
    }
  }
}'

Use --jq or a JSON parser for filtering. Do not parse JSON with text matching alone.

同仓库更多 Skills

同仓库

authorization-model-review

robert-chiniquy/dotfiles

Reviewer persona for authorization models — RBAC, ABAC, ReBAC, and hybrids. Catches the bugs that ship after auth is correct but authz is wrong: missing tenant scoping, IDOR via predictable IDs, role escalation through unchecked write paths, permission caching staleness, transitive-trust loopholes, RBAC/ReBAC drift between policy doc and code. Use when reviewing endpoints that gate access by user/role/relationship, when adding a new role/permission/scope, when changing tenant isolation, or when designing a permission system from scratch. Triggers: RBAC, ABAC, ReBAC, IDOR, tenant isolation, multi-tenant, permission check, role, scope, principal, Zanzibar, OpenFGA, casbin, authz, can_, has_permission, isAuthorized.

2026-06-233

c1-dev-stack-in-squire

robert-chiniquy/dotfiles

Stand up a full c1 dev stack inside a Squire env — process-compose, postgres, envoy, pub-api, pub-auth, be-* services — wired so an external client can drive c1's gRPC surface end to end with TLS + OAuth2 client_credentials. Use when testing a Latchkey or other c1 client against a real (not stubbed) c1 backend, or when reproducing c1 server-side behavior locally. Triggers on: c1 dev env, squire c1 stack, pc/up, dev-util mint-test-client, test against c1, c1 OAuth client_credentials, run c1 integration tests in squire, repro buildkite integration test, TEST_LOCAL_EXEC, api_no_uplift.

2026-06-233

c1-squire-dispatch

robert-chiniquy/dotfiles

c1-specific values for the general squire dispatch protocols defined in squire-env-management. Provides the c1 gate bundle's contents, the task-family table for c1 work, the c1 always-actives, and the list of c1 skills that should NOT be spent on a squire env. Use when about to spawn a squire env to execute c1 work, when writing a brief for a remote c1 agent, or when filing a c1 bead intended for squire dispatch. Triggers: c1 squire dispatch, c1 squire brief, c1 remote work, c1 ephemeral env, c1 fire-and-forget.

2026-06-233

custom-crypto-detection

robert-chiniquy/dotfiles

Reviewer persona for detecting hand-rolled cryptography. Distinct from `sharp-edges` (which catches footgun APIs) and `key-lifecycle-review` (which covers lifecycle hygiene): this skill catches the class where someone wrote their own MAC, KDF, AEAD, signature scheme, secret-comparison routine, RNG, or password hash. Almost all custom crypto is broken. Use when reviewing any code that does math on bytes, manipulates buffers in a 'crypto-shaped' way, or implements something whose docs reference a named primitive (HMAC, AES-GCM, Argon2, X25519). Triggers: hand-rolled crypto, custom MAC, custom hash, custom KDF, byte XOR, constant-time compare, derived key, password hashing, HKDF, encrypt_then_mac, mac_then_encrypt, AE, AEAD.

2026-06-233

key-lifecycle-review

robert-chiniquy/dotfiles

Reviewer persona for the full lifecycle of cryptographic keys and high-value secrets: generation, storage, distribution, rotation, revocation, and destruction. Trail of Bits' `zeroize-audit` covers the destruction half; this skill covers the other four phases plus closes the loop with destruction. Use when reviewing key management code, secret stores, KMS integrations, rotation logic, key derivation, RNG usage, or any system that issues, holds, or revokes long-lived credentials. Triggers: key generation, key rotation, KMS, HSM, secret store, vault, key derivation, KDF, master key, DEK, KEK, rotation, revocation, RNG, entropy, random, secrets management.

2026-06-233

oauth-oidc-review

robert-chiniquy/dotfiles

Reviewer persona for OAuth 2.0 / 2.1 and OpenID Connect flow implementations. Catches the well-documented attack classes that still ship: missing PKCE, wildcard redirect URIs, mishandled refresh tokens, scope creep, mixed flows on a single endpoint, leaking tokens through referrer or logs, JWT signature bypass. Use when reviewing any code that issues, accepts, validates, exchanges, refreshes, revokes, or stores tokens; when designing a new auth integration; when a PR touches /authorize, /token, /userinfo, /jwks, /introspect, /revoke, OIDC discovery, or a third-party identity provider client. Triggers: OAuth, OIDC, JWT, PKCE, redirect_uri, scope, refresh token, access token, id_token, client_credentials, authorization code, implicit, device code, token exchange, identity provider, IdP, SSO.

2026-06-233

name	pr-pass
description	Triage open GitHub pull requests for actionable feedback, unresolved review threads, requested changes, CI or merge blockers, and ready-to-merge links. Use when the user asks for a PR pass, review/mergeability sweep, status check across their open PRs, a filtered PR cohort, or asks which PRs need action versus can be merged.

PR Pass

Overview

Run a focused GitHub PR sweep. Report only what needs action and which PRs are ready to merge; avoid long status dumps.

Do not merge, assign reviewers, post comments, or push changes unless the user explicitly asks for that write action.

Workflow

Resolve scope.
- If the user names repos, orgs, authors, PR URLs, branches, labels, base branches, or a provenance filter, use that scope.
- If the user says "my PRs", identify the authenticated GitHub user with gh api user.
- If the user names a cohort like "auth PRs", "release PRs", "generated-code PRs", or "go-analysis PRs", infer matching title, branch, body, label, and repo markers; keep the filter conservative and say what was included.
- Exclude unrelated stacks or cohorts unless the user explicitly includes them.
Fetch current PR state.
- Prefer GitHub structured data through gh api graphql or gh pr view --json.
- Fetch at least: title, URL, state, draft status, head branch, body, labels, review decision, merge state, mergeability, latest check state, issue comments, reviews, and review threads.
- When GraphQL reports UNKNOWN mergeability for an otherwise likely-ready PR, refresh with REST:

gh api repos/OWNER/REPO/pulls/NUMBER --jq '{number, mergeable, mergeable_state, draft}'

Classify actionable feedback.
- Action needed: any unresolved thread with reviewer feedback not already answered by the author, any CHANGES_REQUESTED review, failed checks, draft state when the PR is expected to be ready, or merge conflicts.
- Needs decision: unresolved technical question where the author is waiting on someone else, or a thread that changes whether the PR should merge.
- No action: bot-only comments with no unresolved thread, resolved threads, author self-comments, approvals, and old comments already addressed by later commits or replies.
- Do not count GitHub Actions review summaries as human review. Mention them only if they contain unresolved suggestions or failures.
Classify ready-to-merge PRs.
- Include only open, non-draft PRs with successful checks, no unresolved threads, no requested changes, no merge conflicts, and a review state that satisfies branch protection.
- If branch protection requires review, require reviewDecision: APPROVED.
- If checks or mergeability are stale or unknown after refresh, put the PR under "Unknown" rather than calling it mergeable.
- Link directly to each ready PR. Do not merge unless explicitly asked.
Report tersely.
- Lead with action-needed PRs.
- Then list ready-to-merge links only.
- Then list unknown/stale PRs if any.
- Omit no-action PRs unless the user asks for a full inventory.

Provenance Filters

Use user-provided cohort language as a filter, not as a special case. Match against title, branch, body, labels, and repo when possible. Examples:

Area PRs: package names, service labels, path names, domain words from the user's request.
Release PRs: release, backport, version tags, release branches.
Generated-code PRs: generated, codegen, proto, wire, generated file paths.
Static-analysis or go-analysis PRs: go-analysis, occult-go-analysis, static analysis, analyzer, detector, How found, Origin, detector names.

When the filter is inferred, include one short sentence such as Scoped to PRs whose title/body/branch matched static-analysis provenance. Do not let an example cohort dominate the workflow.

Output Shape

Use this shape by default:

**Needs Action**
- PR title: reason. Link.

**Ready To Merge**
- Link
- Link

**Unknown**
- PR title: what could not be verified. Link.

If there is no action needed, say No feedback needs action. If there are no mergeable PRs, say No PRs are ready to merge.

Query Patterns

Use GraphQL when scanning multiple PRs:

gh api graphql -F q='is:pr is:open author:USER org:ORG' -f query='
query($q:String!) {
  search(type: ISSUE, query: $q, first: 100) {
    nodes {
      ... on PullRequest {
        number
        title
        url
        state
        updatedAt
        isDraft
        headRefName
        bodyText
        reviewDecision
        mergeStateStatus
        mergeable
        statusCheckRollup { state }
        repository { nameWithOwner }
        comments(last:20) {
          nodes { author { login } bodyText createdAt updatedAt url }
        }
        reviews(last:50) {
          nodes { author { login } state submittedAt bodyText url }
        }
        reviewThreads(first:100) {
          nodes {
            isResolved
            comments(last:10) {
              nodes { author { login } bodyText createdAt updatedAt url path line }
            }
          }
        }
      }
    }
  }
}'

Use --jq or a JSON parser for filtering. Do not parse JSON with text matching alone.