
action-remediate
β 121by bitwarden Β· part of bitwarden/ai-plugins
Before proceeding, verify that the user has audit findings to act on. These should come from a prior run of the action-audit skill. Confirm:
Before proceeding, verify that the user has audit findings to act on. These should come from a prior run of the action-audit skill. Confirm:
Inspect the full instructions your agent will receiveExpandCollapse
This is the exact playbook injected into your agent when the skill activates β shown here so you can audit it before installing. You don't need to read it to use the skill.
name: action-remediate
description: >
Remediate GitHub Actions action findings identified by the action-audit skill. Applies the
appropriate fix per action type β @main ref for internal bitwarden/ actions, full SHA with
inline version comment for external actions, or full replacement β across selected repos and
creates draft PRs. Run the action-audit skill first to identify findings before using this skill.
Rules
- No mutating API calls without confirmation.
gh apiGET requests are allowed freely. Any call using-X POST,-X PUT,-X PATCH, or-X DELETEmust be shown to the user and approved before execution. - Never force-push, delete branches, or delete repositories.
- Only modify files under
.github/. Do not touch application code, scripts, or configuration outside of workflow files. - Show a diff and get confirmation before every commit.
- All PRs must be created as drafts.
- Flag uncertainty. If a finding is ambiguous or a fix could break a workflow, stop and ask rather than guessing.
Step 1: Confirm Audit Findings
Before proceeding, verify that the user has audit findings to act on. These should come from a prior run of the action-audit skill. Confirm:
- Which repos to remediate (all, a subset, or specific ones)
- The remediation approach:
- pin to main β for internal
bitwarden/actions: change the ref to@main - pin update β for external actions: update to a verified 40-character SHA with an inline version comment
- replace β swap to a different action entirely
- pin to main β for internal
- The target SHA, replacement action, or confirmation that
@mainis the fix
If any of this is unclear, ask the user before continuing.
Step 2: Apply Fixes Per Repo
For each selected repo:
-
Ask the user for the base directory where their repos are cloned (if not already known). Check if a local clone exists at
<base-dir>/<repo>. If not, inform the user and skip that repo. -
Create a fix branch:
Copy & paste β that's itgit checkout -b fix/action-remediation-<action-name-slug> -
Apply the fix to each affected file based on the remediation approach:
- Pin to main (internal
bitwarden/actions): Replace the ref with@mainβ e.g.,uses: bitwarden/gh-actions/action@v1βuses: bitwarden/gh-actions/action@main. No SHA resolution needed. - Pin update (external actions): Replace the
uses:line withuses: <action>@<sha> # <original-ref> - Replace: Before applying, verify the replacement action is on Bitwarden's approved actions list in
bitwarden/workflow-linter. Then swapuses: <old-action>@<ref>withuses: <new-action>@<sha> # <tag>
- Pin to main (internal
-
Show a
git diffof changes in this repo and get confirmation before proceeding.
Step 3: Create PRs
After fixes are confirmed, for each repo:
git add .github/
git commit -m "Remediate <action-name> action usage"
gh pr create \
--title "Remediate <action-name> action usage" \
--body "$(cat <<'EOF'
## Summary
Remediates usage of `<action-name>` across this repository.
**Action taken:** <pin updated to `<sha>` / replaced with `<new-action>`>
**Reason:** <compromised action / deprecated action / unpinned reference>
EOF
)" \
--draftStep 4: Final Summary
Output a summary of all actions taken:
| Repo | Files Changed | PR Created | Notes |
|---|---|---|---|
| ... | ... | ... | ... |
Remind the user that code search results may have a lag and to verify no repos were missed by checking manually if this is a security incident.
npx skills add https://github.com/bitwarden/ai-plugins --skill action-remediateRun this in your project β your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.