From 72a920e254465b7b33a08eeb79dc08a50150176d Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 6 May 2026 12:49:45 +0200 Subject: [PATCH 1/2] docs: cite org-security-settings and tag-validation references Adds two previously orphaned reference files to the References table: org-security-settings.md (SHA pinning) and tag-validation.md (defense-in-depth). The reusable-workflow-security reference is already cited upstream. Signed-off-by: Sebastian Mendel --- skills/github-project/SKILL.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/skills/github-project/SKILL.md b/skills/github-project/SKILL.md index b769a9c..2dfa054 100644 --- a/skills/github-project/SKILL.md +++ b/skills/github-project/SKILL.md @@ -109,6 +109,8 @@ scripts/verify-github-project.sh /path/to/repository | Multi-repo batch ops | `references/multi-repo-operations.md` | | Reusable workflow supply-chain trust + SHA pinning | `references/reusable-workflow-security.md` | | Reusable workflow pitfalls (composite actions, ref caching, permissions) | `references/reusable-workflow-pitfalls.md` | +| Org-level security settings (SHA pinning) | `references/org-security-settings.md` | +| Tag validation (defense-in-depth) | `references/tag-validation.md` | --- From 11d8b86c6bdc529a8e822bc73f1a11bc14d8f65c Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 6 May 2026 13:14:37 +0200 Subject: [PATCH 2/2] chore: trim SKILL.md to fit 500-word cap Signed-off-by: Sebastian Mendel --- skills/github-project/SKILL.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/skills/github-project/SKILL.md b/skills/github-project/SKILL.md index 2dfa054..9ec9bcb 100644 --- a/skills/github-project/SKILL.md +++ b/skills/github-project/SKILL.md 
@@ -16,16 +16,16 @@ GitHub repository configuration, troubleshooting, and collaboration workflow bes ## When to Use -- PR won't merge, shows BLOCKED, or has unresolved review threads -- Auto-merge not working for Dependabot/Renovate PRs -- Solo maintainer needs auto-approve for their own PRs -- Branch protection, rulesets, or `enforce_admins` audit -- GitHub Actions workflow problems, CI failures, or permission issues -- Signed commit merge failures (rebase cannot be auto-signed) -- CodeQL default setup conflicts with custom workflows -- OpenSSF Scorecard improvements (token permissions, pinned deps) -- Setting up CODEOWNERS, issue templates, PR templates, or release labeling -- Fork PR merge base issues (too many commits shown) +- PR won't merge, BLOCKED, or unresolved threads +- Auto-merge fails for Dependabot/Renovate +- Solo maintainer needs auto-approve +- Branch protection, rulesets, `enforce_admins` +- GHA failures or permission issues +- Signed commit merge (rebase can't auto-sign) +- CodeQL default vs custom workflows +- OpenSSF Scorecard (token perms, pinned deps) +- CODEOWNERS, issue/PR templates, release labels +- Fork PR merge base (too many commits) ## Quick Diagnostics
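Review bot: In the first hunk (the two added table rows in the References table), the new label "Org-level security settings (SHA pinning)" reuses the exact topic already carried by the existing row "Reusable workflow supply-chain trust + SHA pinning", so a reader scanning the table cannot tell which reference to open for a pinning question; name what the org-level reference covers that the reusable-workflow one does not (e.g. the org-wide policy/enforcement angle rather than per-workflow pinning). The same applies to "Tag validation (defense-in-depth)": "defense-in-depth" says why the control exists but not what is validated, so state the subject of the validation (what tag property is checked, and at which point in the workflow) so the row is searchable. Also consider wiring these two references into the relevant "When to Use" bullets, since the commit message notes they were previously orphaned and the table entry alone gives no trigger for consulting them.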
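Review bot: In the second hunk (the trimmed "When to Use" list), several shortened bullets drop the word that said what the problem actually is, which matters because this list is what matches the skill to a user's question. "GHA failures or permission issues" introduces the abbreviation "GHA" that appears nowhere else in the shown file, and loses "workflow" and "CI" from the original "GitHub Actions workflow problems, CI failures, or permission issues"; keep at least "Actions workflow/CI failures or permission issues". "CodeQL default vs custom workflows" no longer states the conflict the original bullet described ("CodeQL default setup conflicts with custom workflows"); "CodeQL default setup conflicting with custom workflows" fits the cap and keeps the meaning. Likewise "Branch protection, rulesets, `enforce_admins`" dropped "audit", so it now reads as a topic list rather than a task; "Branch protection/ruleset/`enforce_admins` audit" preserves the intent at the same length.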