Labsco
bitwarden logo

workflow-audit

β˜… 121

by bitwarden Β· part of bitwarden/ai-plugins

Check if bwwl is available:

πŸ”₯πŸ”₯FreeQuick setup
πŸ”’ Repo-maintenance skill. It exists to help maintain bitwarden/ai-plugins itself β€” it's only useful if you contribute code to that project.

This is the playbook your agent receives when the skill activates β€” you don't need to read it to use the skill, but it's here to audit before installing.


name: workflow-audit description: > Run the Bitwarden workflow linter (bwwl) against one or more repos and report findings. Strictly read-only β€” does not modify any files. Categorizes findings as mechanical or judgment using the bitwarden-workflow-linter-rules skill. Supports single repo, multiple repos, or single file/directory scope.

<example> User: Run the workflow linter on the server repo Action: Trigger workflow-audit for that repo </example> <example> User: Lint the workflows across server, clients, and android Action: Trigger workflow-audit in multi-repo mode </example> allowed-tools: Read, Glob, Grep, Skill, Bash(bwwl:*) ---

Rules

  • This skill is strictly read-only. Do not modify, create, or delete any files.
  • Flag uncertainty. If a finding is ambiguous, note it in the report rather than guessing.

Step 2: Determine Scope

Parse the user's request to determine what to lint:

  • Single file or directory (e.g., .github/workflows/build.yml or .github/workflows/): Operate on the current repo only.
  • Multiple repos (e.g., "server, clients, android"): Operate on each repo sequentially. Ask the user for the base directory where their repos are cloned. For each repo, look for its local clone at <base-dir>/<repo>. If a clone is not found, inform the user and skip that repo.
  • No specific target: Lint all files in .github/workflows/ of the current directory.

Step 3: Run the Linter

For each repo in scope, run:

bwwl lint -f .github/workflows/

Capture both stdout and stderr. If operating on multiple repos, announce which repo is being linted.

Step 4: Parse and Categorize Findings

From the linter output, produce a structured list of findings. Group by file and rule. Consult the bitwarden-workflow-linter-rules skill to categorize each finding:

Mechanical (can be auto-fixed):

  • name_capitalized, permissions_exist, pinned_job_runner, step_pinned, underscore_outputs, job_environment_prefix, check_pr_target
  • Simple run_actionlint findings (single-line shell fixes)

Judgment (requires user input):

  • name_exists, step_approved, complex run_actionlint findings

Step 5: Report

Output a summary table per repo:

FileFindingRuleCategory
............

Include totals: mechanical findings, judgment findings, and repos with no issues.

Inform the user that they can use the workflow-fix skill to apply fixes based on these findings.