feat: add /pre-publish repo hygiene audit skill #613
Open
zengury wants to merge 1 commit into garrytan:main from
Conversation
Closes a gap in the release workflow: `/document-release` and `/ship`
are diff-scoped and don't audit all tracked files before a repo goes
public. This skill does that.
Five checks, all mandatory:
1. **Dev scaffolding** — TODOS.md, PLAN.md, personal CLAUDE.md config,
named deployment guides (DEPLOY_FOR_*.md)
2. **Credentials** — real API keys in any tracked file or .env,
with vendor-specific revocation URLs and git-filter-repo purge
instructions
3. **Security disclosures** — undisclosed security issues documented
in markdown files (e.g. "no auth on :8090, cannot ship publicly")
4. **Language consistency** — README in English but DEPLOYMENT.md
in Chinese (or vice versa), catches mismatch across key docs
5. **Privacy / PII** — real phone numbers, email addresses, WeChat
fields, and personal paths in sample/fixture/data files; warns
that git history purge is required and cites applicable law
(GDPR, PIPL, CCPA)
Also checks .gitignore completeness for high-risk patterns.
Verdict: BLOCKED (any CRITICAL), PROCEED_WITH_CAUTION, or CLEAN.
Origin: discovered when snakes-V shipped publicly with TODOS.md
containing an unacknowledged security disclosure ("cannot ship
publicly until T5 is done") and hr-assistant shipped with a real
Kimi API key in a tracked .env file and a real DeepSeek key in a
deployment guide.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
What this adds

A new `/pre-publish` skill that scans every git-tracked file before a repo goes public.

This closes a real gap: `/document-release` and `/ship` are diff-scoped — they check what changed, not what exists. Neither catches a TODOS.md with a security disclosure, a committed `.env` with a real API key, or a deployment guide written in a different language than the README.

Five checks (all mandatory, no skips)

1. **Dev scaffolding** — TODOS.md, PLAN.md, personal CLAUDE.md config, named deployment guides (`DEPLOY_FOR_*.md`)
2. **Credentials** — real API keys in any tracked file or `.env` — with vendor revocation URLs and `git-filter-repo` purge instructions
3. **Security disclosures** — undisclosed security issues documented in markdown files
4. **Language consistency** — mismatch across key docs (README vs. DEPLOYMENT.md)
5. **Privacy / PII** — real phone numbers, email addresses, WeChat fields, and personal paths in sample/fixture/data files

Also checks `.gitignore` completeness for high-risk patterns.

Verdict: `BLOCKED` (any CRITICAL), `PROCEED_WITH_CAUTION`, or `CLEAN`.

Origin

Found during a real release:

- `snakes-V` shipped publicly with `TODOS.md` containing "security hardening is post-M1 — cannot ship publicly until T5 is done"
- `hr-assistant` shipped with a real Kimi API key in a tracked `.env` and a real DeepSeek key in `DEPLOY_FOR_LIUZHIQIANG.md`
- `/document-release` because it doesn't run `git ls-files`

The contributor field report is in `~/.gstack/contributor-logs/missing-pre-publish-hygiene-skill.md`.

Suggested trigger placement

`/ship` Step 0 (pre-flight) — suggest running `/pre-publish` if the repo has no prior clean audit on record.

Files

- `pre-publish/SKILL.md.tmpl` — source template
- `pre-publish/SKILL.md` — generated via `bun run gen:skill-docs`
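As an added illustration (not the PR's skill, which is a markdown template, and not part of the gstack project), a Python sketch of the audit described above: it enumerates every tracked file with `git ls-files`, runs the five checks over the contents, and derives the same BLOCKED / PROCEED_WITH_CAUTION / CLEAN verdict. The `sk-` key shape, the CJK-presence language heuristic, the key-doc names and the sample repository contents are assumptions.

```python
import re, subprocess
from pathlib import Path
SCAFFOLDING = re.compile(r"^(TODOS\.md|PLAN\.md|CLAUDE\.md|DEPLOY_FOR_.*\.md)$")  # check 1
CREDENTIAL = re.compile(r"\bsk-[A-Za-z0-9]{24,}\b")  # check 2; "sk-" is an assumed generic prefix
DISCLOSURE = re.compile(r"cannot ship publicly|no auth on :\d+", re.I)  # check 3, phrases from the PR
CJK = re.compile(r"[\u4e00-\u9fff]")  # check 4: CJK presence as a crude language signal (assumption)
KEY_DOCS = ("DEPLOYMENT.md", "CONTRIBUTING.md")  # docs compared against README.md (assumed names)
PII = re.compile(r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}|\b1\d{10}\b")  # check 5: e-mail or 11-digit phone

def tracked_files(repo: str) -> dict[str, str]:  # git ls-files: everything tracked, not just the diff
    out = subprocess.run(["git", "-C", repo, "ls-files"], capture_output=True, text=True, check=True)
    return {p: Path(repo, p).read_text(errors="replace") for p in out.stdout.split()}

def audit(files: dict[str, str]) -> list[tuple[str, str, str]]:
    findings = []  # (severity, check, path); files maps tracked path -> content
    for path, text in files.items():
        name = Path(path).name
        if SCAFFOLDING.match(name):
            findings.append(("WARN", "dev-scaffolding", path))
        if CREDENTIAL.search(text):
            findings.append(("CRITICAL", "credential", path))
        elif name == ".env":  # a tracked .env is a hygiene problem even without a key in it
            findings.append(("WARN", "tracked-env", path))
        if name.endswith(".md") and DISCLOSURE.search(text):
            findings.append(("CRITICAL", "security-disclosure", path))
        if PII.search(text):
            findings.append(("WARN", "pii", path))
    if "README.md" in files:  # key docs must be in the same language as the README
        readme_cjk = bool(CJK.search(files["README.md"]))
        for doc in KEY_DOCS:
            if doc in files and bool(CJK.search(files[doc])) != readme_cjk:
                findings.append(("WARN", "language-mismatch", doc))
    return findings

def verdict(findings: list[tuple[str, str, str]]) -> str:
    severities = {sev for sev, _, _ in findings}
    if "CRITICAL" in severities:
        return "BLOCKED"
    return "PROCEED_WITH_CAUTION" if "WARN" in severities else "CLEAN"

SAMPLE_REPO = {  # constructed sample contents, not a real repository
    "README.md": "# demo\nRun `make dev` to start.\n",
    "DEPLOYMENT.md": "部署说明：运行 make dev 启动服务。\n",
    "TODOS.md": "- security hardening is post-M1, cannot ship publicly until T5 is done\n",
    "DEPLOY_FOR_ALICE.md": "export API_KEY=sk-" + "x" * 32 + "\n",
    ".env": "DB_HOST=localhost\n",
    "fixtures/users.json": '{"email": "alice@example.com", "phone": "13800138000"}\n',
}
print(verdict(audit(SAMPLE_REPO)))  # BLOCKED
```

Run `audit(tracked_files("/path/to/repo"))` to apply the same checks to a real checkout.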