gh-actions: Keep Agents from Writing Outdated GitHub Actions Workflows

Every time I ask an AI coding agent to write a GitHub Actions workflow, it reaches for old versions of actions/checkout, etc., that haven’t been current for a while. It also tends to skip permissions, ignore built-in caching, and miss basics like timeout-minutes and concurrency.

I built gh-actions, an agent skill that teaches your agent GitHub Actions best practices so you don’t have to fix the same things every time.

What it does

  • Version lookup at runtime — instead of hardcoding versions that go stale, the skill tells agents to check gh api repos/{owner}/{action}/releases/latest before writing a workflow
  • Security — least-privilege permissions, expression injection prevention, fork/secret safety, and SHA pinning for third-party actions (with pinact for automation)
  • Caching — prefer the built-in cache input on setup actions over separate actions/cache steps
  • Common patterns — concurrency groups, matrix strategies, reusable workflows, path filtering, and timeout-minutes
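A small offline check for the items in the list above, as an added example that is not part of the gh-actions skill or the original post: it flags missing permissions, timeout-minutes and concurrency keys, third-party actions not pinned to a full commit SHA, and untrusted event fields interpolated into run scripts. The sample workflow, the first-party owner set and the list of untrusted contexts are assumptions made for the example.

```python
import re

# Constructed workflow for illustration; action names and refs are placeholders.
WEAK = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: example-org/example-action@main
      - run: echo "${{ github.event.pull_request.title }}"
"""

FIRST_PARTY = {"actions", "github"}  # assumption: owners exempt from SHA pinning
FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
# Non-exhaustive set of contexts an outside contributor controls (assumption).
UNTRUSTED = re.compile(r"\$\{\{[^}]*github\.(head_ref|event\.[\w.]+\.(title|body))")

def run_lines(text):
    """Yield (line_number, line) for every line belonging to a run: script."""
    key_col = None
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        col = len(line) - len(body)
        m = re.match(r"(-\s*)?run:", body)
        if m:
            key_col = col + len(m.group(1) or "")  # column of the run: key
            yield no, line
        elif key_col is not None and body and col <= key_col:
            key_col = None  # dedent: the script block has ended
        elif key_col is not None:
            yield no, line

def audit(text):
    findings = []
    for key in ("permissions", "timeout-minutes", "concurrency"):
        if not re.search(rf"^\s*{key}:", text, re.M):
            findings.append(f"missing {key}")
    for ref in USES.findall(text):
        name, _, version = ref.strip("'\"").partition("@")
        local = name.startswith(("./", "docker://"))
        if not local and name.split("/")[0] not in FIRST_PARTY and not FULL_SHA.fullmatch(version):
            findings.append(f"not SHA-pinned: {ref}")
    for no, line in run_lines(text):
        if UNTRUSTED.search(line):
            findings.append(f"line {no}: untrusted context interpolated in run script")
    return findings
```

Call audit() on the text of a workflow file; an empty list means none of these checks fired. Passing the untrusted value through env: and reading it as a shell variable in the script keeps it out of the run text, which is why env: lines are not scanned.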

Why bother

LLMs are trained on a snapshot of the internet. GitHub Actions moves fast — major versions bump, best practices shift, and new features like built-in caching get added. The skill fills the gap between what the model learned and what’s current.

The version lookup approach is the key part. Instead of maintaining a static list that rots, the skill teaches the agent how to check — so it stays current without any maintenance.

Install

npx skills add retlehs/gh-actions

Works with Claude Code, Cursor, Codex, and 30+ other agents.


Also check out gh-fetch — a skill that tells agents to use the gh CLI instead of web fetching when you share GitHub URLs.