justinmclean opened a new issue, #350:
URL: https://github.com/apache/airflow-steward/issues/350
### What should happen
## Summary
Add a GitHub Actions workflow that runs `skill-validate` on every pull
request that touches the skills or the validator, so frontmatter, link,
and placeholder violations are caught in CI instead of by hand.
## Background
The repo has a `skill-validator` tool (`tools/skill-validator/`) that
checks every `.claude/skills/**/SKILL.md`, but nothing runs it in CI yet,
so a regression only shows up if someone runs it locally. There is already
a sibling workflow built for exactly this shape, `sandbox-lint.yml`, which
runs a `uv`-based linter on the PRs that touch its inputs. This issue
copies that pattern for the skill validator.
## Where to look
- `.github/workflows/sandbox-lint.yml` — the template to copy. Mirror its
structure: `pull_request` + `push: [main]` triggers with a `paths:`
filter, top-level `permissions: {}`, a job with `contents: read`, a
pinned `actions/checkout` (with `persist-credentials: false`) and pinned
`astral-sh/setup-uv`, then one run step.
- `tools/skill-validator/` — the tool the workflow runs. Its command is
`uv run --project tools/skill-validator --group dev skill-validate`.
- New file to add: `.github/workflows/skill-validate.yml`.
The `paths:` filter should fire the workflow on changes to
`.claude/skills/**`, `tools/skill-validator/**`, and the workflow file
itself.
**Watch out:** this repo runs the `zizmor` workflow-security check, so the
new workflow must keep the same hardening as `sandbox-lint.yml` — pin every
action to a full commit SHA, set `persist-credentials: false`, and keep
permissions minimal (`permissions: {}` at the top, `contents: read` on the
job). Copying `sandbox-lint.yml` and swapping the run step is the safe path.
## Acceptance criteria
- [ ] `.github/workflows/skill-validate.yml` exists and runs `uv run
--project tools/skill-validator --group dev skill-validate`.
- [ ] It triggers on PRs (and pushes to `main`) that touch
`.claude/skills/**`, `tools/skill-validator/**`, or the workflow file.
- [ ] Actions are pinned to commit SHAs, `persist-credentials: false`,
permissions are minimal; the `zizmor` check passes.
- [ ] The workflow passes on `main` as it stands today.
## Estimated effort
~1-2 hours for someone new to the codebase.
## Getting started
- [Contributing guide](<contributing-doc-url>)
- [Local setup](<local-setup-doc-url>)
- [How to open a pull request](<pr-opening-doc-url>)
---
_This issue was drafted with an AI-assisted tool and reviewed by a
maintainer before posting._
### Why
So that validator violations are caught in CI instead of by hand.
### Which layer
Other / unsure
### Boundary conditions (optional)
_No response_
### Out of scope (optional)
_No response_
### References (optional)
_No response_
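
As an added example, not part of the issue or the project's code: a small line-based audit of the three hardening items the issue lists (full-SHA pins, `persist-credentials: false`, top-level `permissions: {}`). The sample workflow, its placeholder SHAs and the `audit` helper are constructed for illustration; `zizmor` remains the repo's actual check.

```python
import re

# Constructed sample shaped like the workflow the issue asks for.
# Both SHAs are made-up placeholders, not real action commits.
HARDENED = """\
on:
  pull_request:
    paths: ['.claude/skills/**', 'tools/skill-validator/**']
permissions: {}
jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - uses: astral-sh/setup-uv@89abcdef0123456789abcdef0123456789abcdef
      - run: uv run --project tools/skill-validator --group dev skill-validate
"""
# Same file with all three hardening items undone.
WEAK = (HARDENED.replace("permissions: {}\n", "")
        .replace("@0123456789abcdef0123456789abcdef01234567", "@v4")
        .replace("persist-credentials: false", "persist-credentials: true"))

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")

def audit(text):
    """Line-based heuristic, not a YAML parser: returns a list of findings."""
    lines, findings = text.splitlines(), []
    if not any(re.match(r"^permissions:\s*\{\}\s*(#.*)?$", l) for l in lines):
        findings.append("top-level permissions is not {}")
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # not an action reference, or a local action
        ref = m.group(1)
        if not FULL_SHA.search(ref):
            findings.append(f"line {n}: {ref} is not pinned to a full commit SHA")
        if ref.startswith("actions/checkout@"):
            step = []  # remaining keys of this step, up to the next list item
            for nxt in lines[n:]:
                if re.match(r"^\s*-\s", nxt):
                    break
                step.append(nxt)
            if not any(NO_PERSIST.match(s) for s in step):
                findings.append(f"line {n}: checkout without persist-credentials: false")
    return findings

if __name__ == "__main__":
    print(audit(HARDENED), *audit(WEAK), sep="\n")
```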