Workflow Skill Extractor Report — 2026-04-09

[github-actions[bot]]

🎯 Executive Summary

Analysis of 187 workflow files in .github/workflows/ revealed a mature library of 70+ shared components already covering the most common patterns. The top 3 shared skills (shared/reporting.md at 96 uses, shared/observability-otlp.md at 55, shared/daily-audit-discussion.md at 41) are near-universally adopted. Despite strong adoption, 36 workflows have no imports at all, and several high-frequency patterns remain un-extracted.

Three high-priority skill extraction opportunities were identified and converted into actionable issues: a git bash navigation tools shared component, a security analysis base configuration, and expanded adoption of the existing PR review config.

Key Statistics:

• Total workflows analyzed: 187
• Existing shared components: 70+ (incl. shared/mcp/ directory)
• Workflows using at least one import: 151 (81%)
• Workflows without any imports: 36 (19%)
• High-priority skills identified: 3
• Estimated total lines saved: ~150-250 across all recommendations

---

📊 Analysis Overview

Most Used Shared Components

Shared Component	# Workflows
shared/reporting.md	96
shared/observability-otlp.md	55
shared/daily-audit-discussion.md	41
shared/jqschema.md	19
shared/github-guard-policy.md	19
shared/mcp/serena-go.md + serena.md	~17
shared/activation-app.md	11
shared/repo-memory-standard.md	10
shared/python-dataviz.md	8
shared/trending-charts-simple.md	7
shared/go-source-analysis.md	6
shared/gh.md	6
shared/github-queries-mcp-script.md	5
shared/trends.md	5

Underutilized Existing Shared Components (candidates for promotion)

Shared Component	Current Uses
shared/pr-code-review-config.md	3
shared/go-make.md	3
shared/docs-server-lifecycle.md	3
shared/safe-output-upload-artifact.md	1
shared/issues-data-fetch.md	1
shared/weekly-issues-data-fetch.md	1

---

🔍 Identified Skills

High Priority Skills

1. Git Bash Navigation Tools

• Frequency: Used in 8+ workflows
• Size: ~10-15 lines per workflow, ~80-120 total
• Priority: High
• Description: Repeated bash allowlists for git log:*, git diff:*, git show:*, and filesystem navigation (find:*, grep:*, cat:*, wc:*, awk:*, sed:*, sort:*)
• Workflows: architecture-guardian, breaking-change-checker, test-quality-sentinel, design-decision-gate, daily-compiler-quality, copilot-cli-deep-research, daily-mcp-concurrency-analysis, mergefest
• Recommendation: Extract to shared/git-bash-tools.md

2. Security Analysis Base Configuration

• Frequency: 5 workflows
• Size: ~10-15 lines per workflow, ~50-75 total
• Priority: High
• Description: Common pattern of bash: true, permissions: security-events: read, strict: true, features: copilot-requests: true + code_security toolset across daily security scanning agents
• Workflows: daily-malicious-code-scan, daily-security-red-team, security-review, code-scanning-fixer, daily-semgrep-scan
• Recommendation: Create shared/security-analysis-base.md

3. PR Code Review Config Adoption Gap

• Frequency: 3 existing users, 4 candidates
• Size: ~8-12 lines per workflow, ~32-48 total
• Priority: High
• Description: shared/pr-code-review-config.md already exists with PR tools, cache-memory, and review comment safe-outputs, but 4 PR review workflows don't import it and re-define the same tools inline
• Workflows not yet using it: ci-doctor, design-decision-gate, approach-validator, test-quality-sentinel
• Recommendation: Migrate 4 workflows to import shared/pr-code-review-config.md

Medium Priority Skills

4. Copilot Requests Feature Flag Pattern

• Frequency: 45 workflows use features: copilot-requests: true
• Size: 2 lines per workflow (low individual savings)
• Priority: Medium — too small alone, but notable as the most common un-extracted config

5. Skip-If-Match + Tracker-ID Combo

• Frequency: Multiple daily analysis workflows use the same skip-if-match: 'is:issue is:open in:title "[name]"' + tracker-id + noop combo
• Workflows: architecture-guardian, breaking-change-checker, refactoring-cadence, is-issue-arborist, etc.
• Note: Workflow-specific title prefix makes full extraction tricky; may need templating support

6. bash: true + edit: Code Modification Pattern

• Frequency: ~15 workflows use bash: true + edit: for code modifications
• Size: 2-4 lines each, but a shared "code modification tools" component could add standard guidance

Low Priority Skills

• shared/weekly-issues-data-fetch.md promotion — only 1 use; patterns exist in several weekly workflows
• GitHub API pagination instructions — shared/mcp-pagination.md (1 use) but the pattern appears in many prompts inline

---

💡 Detailed Recommendations

Recommendation 1: shared/git-bash-tools.md

Full Details

Current State (example from architecture-guardian.md):

tools:
  bash:
    - "git log:*"
    - "git diff:*"
    - "git show:*"
    - "find:*"
    - "wc:*"
    - "grep:*"
    - "cat:*"
    - "head:*"
    - "awk:*"
    - "sed:*"
    - "sort:*"

Proposed Shared Component:

---
# shared/git-bash-tools.md
# Git and filesystem navigation tools for code analysis workflows.
tools:
  bash:
    - "git log:*"
    - "git diff:*"
    - "git show:*"
    - "find:*"
    - "grep:*"
    - "cat:*"
    - "wc:*"
    - "head:*"
    - "awk:*"
    - "sed:*"
    - "sort:*"
    - "echo:*"
    - "ls:*"
---
## Git Navigation Tools
Standard bash tools for analyzing git history and repository source code.

Migration Path:

1. Create shared/git-bash-tools.md
2. In each target workflow, replace the inline bash: block with imports: - shared/git-bash-tools.md
3. Run make recompile

Impact:

• Lines saved: ~80-120 across 8 workflows
• Security benefit: centralized audit point for git permissions

Recommendation 2: shared/security-analysis-base.md

Full Details

Current State (pattern repeated across 5 workflows):

permissions:
  security-events: read
tools:
  github:
    toolsets: [repos, code_security]
  bash: true
strict: true
features:
  copilot-requests: true

Proposed Shared Component:

---
# shared/security-analysis-base.md
permissions:
  security-events: read
tools:
  github:
    toolsets: [repos, code_security]
  bash: true
features:
  copilot-requests: true
---
## Security Analysis Configuration
Standard tooling for security scanning agents: code security toolsets, full bash, and `copilot-requests` feature.

Migration Path:

1. Create shared/security-analysis-base.md
2. Update each of the 5 target workflows to add imports: - shared/security-analysis-base.md
3. Remove redundant inline config from each workflow
4. Run make recompile and verify no regressions

Impact:

• Lines saved: ~50-75 across 5 workflows
• Maintenance: one file to harden security permissions for all scanning agents

Recommendation 3: Expand shared/pr-code-review-config.md Adoption

Full Details

Current Component (shared/pr-code-review-config.md):

tools:
  cache-memory: true
  github:
    toolsets: [pull_requests, repos]
safe-outputs:
  create-pull-request-review-comment:
    side: "RIGHT"
  submit-pull-request-review:
    max: 1

Workflows to migrate (each re-defines subsets of the above):

• ci-doctor.md — uses cache-memory: true and github: tools but not the shared component
• design-decision-gate.md — defines github: toolsets: [pull_requests, repos] and git tools inline
• approach-validator.md — has similar github tool config and could benefit from cache-memory
• test-quality-sentinel.md — defines submit-pull-request-review inline + git analysis tools

Migration Path:

1. For each workflow, add shared/pr-code-review-config.md to imports
2. Remove the duplicated github: toolsets: [pull_requests, repos] and submit-pull-request-review lines
3. Run make recompile

Impact:

• Lines saved: ~32-48 across 4 workflows
• Consistency: all PR review workflows use cache-memory to avoid re-commenting

---

📈 Impact Analysis

By Category

Category	New Skills	Lines Saved
Tool Configurations (bash allowlists)	1	~80-120
Security Configuration	1	~50-75
Shared Component Adoption Gap	1	~32-48
Total	3	~160-240

By Priority

Priority	Skills	Lines Saved	Workflows Affected
High	3	~160-240	~17
Medium	2	~20-50	~50+
Low	2	~10-20	~5

---

✅ Created Issues

This analysis has created the following actionable issues:

1. [refactoring] Extract git bash navigation tools into shared/git-bash-tools.md
2. [refactoring] Create shared/security-analysis-base.md for daily security scan workflows
3. [refactoring] Expand shared/pr-code-review-config.md adoption to cover more PR review workflows

---

🎯 Next Steps

1. Review and prioritize the 3 created issues
2. Start with shared/git-bash-tools.md — clearest pattern, highest workflow count, easiest to implement
3. Evaluate the "skip-if-match + tracker-id" medium-priority pattern for potential templating support in the compiler
4. Consider promoting shared/weekly-issues-data-fetch.md — currently 1 use but the weekly data fetch pattern appears in several more places
5. Schedule next extractor run in ~1 month to track progress and find new patterns

---

📚 Methodology

• Analyzed 187 workflow files (including 70+ shared component files)
• Sampled 30+ representative workflows in detail
• Mapped import frequency for all 70+ shared components
• Compared frontmatter and tool configuration patterns across workflow categories
• Applied 4-category skill recognition (Tool Configurations, Prompt Skills, Data Processing, Setup Steps)
• Prioritized by: frequency (3+ workflows), lines saved (10+), implementation complexity (low)

Analysis Date: 2026-04-09
Analyzer: Workflow Skill Extractor v1.0
Run: §24187880969

Generated by Workflow Skill Extractor · ● 2.6M · ◷

• expires on Apr 16, 2026, 11:43 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Workflow Skill Extractor.

A newer discussion is available at Discussion #26627.