Add pre-commit hook, GitHub Actions workflow, and community templates#73
ckdash-git wants to merge 1 commit into
…mplates
- Add .pre-commit-hooks.yaml so downstream projects can run SkillSpector as a pre-commit hook (static-only by default, no API key required)
- Add .github/workflows/skillspector.yml: scans on push/PR and uploads SARIF results to GitHub Code Scanning for inline PR annotations
- Add .github/PULL_REQUEST_TEMPLATE.md with contributor checklist
- Add .github/ISSUE_TEMPLATE/bug_report.md and feature_request.md
- Update README with new CI/CD Integration section covering the GitHub Actions workflow and pre-commit hook with usage examples
Signed-off-by: Chandan Kumar Dash <mail.ckdash@gmail.com>
rng1995
left a comment
The issue/PR/bug/feature templates are great, and the documented pre-commit + Actions usage is genuinely useful for downstream consumers. Two things about the active CI workflow and the hook need attention before merging, because as written they affect this repository directly.
1. The committed workflow will scan this repo and very likely fail its own CI (blocking). .github/workflows/skillspector.yml runs skillspector scan . --no-llm over the entire repository root and then fails the job when the risk score exceeds 50. This repository's own source intentionally contains malicious-pattern signatures, jailbreak example strings, and deliberately-malicious test fixtures — a static scan of . is very likely to exceed that threshold, so the Check scan result step would exit 1 on every push/PR to main. Please scope the scan to a dedicated example/target directory (or exclude src/ and the tests/ fixtures), or keep this as a copy-paste template in the docs rather than an active workflow on this repo.
2. pip install skillspector installs the published package, not the code under review. For this repo's own CI that won't exercise the PR's changes (and the step fails entirely if the package isn't published under that name on PyPI). Consider pip install . (or -e .) for the in-repo workflow, keeping pip install skillspector only in the copy-paste template for downstream users.
3. Verify the pre-commit hook passes a scan target. .pre-commit-hooks.yaml uses entry: skillspector scan with args: [--no-llm] and pass_filenames: false, so the effective invocation is skillspector scan --no-llm with no path argument. Unless scan defaults its input to the current directory, the hook will error on every commit. If scan requires a path, add one (e.g. .) to args.
Minor / optional:
- The `## Testing` checklist in the PR description is unchecked — confirming `actionlint` passes on the workflow would be worth doing.
The templates themselves are good to go; these points are specifically about the workflow/hook behaviour.
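The install and scan steps as the review asks for them, as an added example rather than the PR's own workflow file: the reviewed steps are kept as comments beside the corrected ones, the `examples/` scan target is an assumption, and the SARIF upload and risk-threshold steps are left out.

```yaml
# Added example, not the PR's .github/workflows/skillspector.yml.
# Assumption: examples/ holds real skills to scan, not signatures or fixtures.
name: skillspector

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # As reviewed: installs the published package, so the checked-out
      # code under review is never exercised, and scans the repository root,
      # which includes the signature database and malicious test fixtures.
      # - run: pip install skillspector
      # - run: skillspector scan . --no-llm

      # Corrected for this repository's own CI: install the checked-out
      # source and scope the scan to a directory containing only real skills.
      - run: pip install .
      - run: skillspector scan examples/ --no-llm
```

The `pip install skillspector` form still belongs in the README's copy-paste template for downstream projects, where the published package is the right thing to install.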
Closes #72
Summary
Adds CI/CD integration support: a pre-commit hook definition and a GitHub
Actions workflow, so downstream projects can scan AI agent skills automatically
before commits and on every PR — without needing an LLM API key.
Changes
- .pre-commit-hooks.yaml: pre-commit hook definition (static scan, no API key)
- .github/workflows/skillspector.yml: GitHub Actions workflow with SARIF upload
- .github/PULL_REQUEST_TEMPLATE.md: contributor checklist for all future PRs
- .github/ISSUE_TEMPLATE/: structured bug and feature templates
- README.md: new CI/CD Integration section with usage examples
Testing
- make test passes (no Python changes, no tests affected)
- make lint passes
- actionlint (or GitHub's built-in check)
Checklist
git commit -s)