Expertise across GitHub Actions, GitLab CI, and Jenkins with reusable workflows, matrix builds, and intelligent caching strategies for performance optimization
Embedded security throughout pipelines: SAST/DAST/SCA scanning, secrets management, artifact signing with Cosign, and supply chain integrity verification
Deployment automation patterns including blue/green, canary, ro
Confirm successful installation by checking the skill directory location:
.cursor/skills/cicd-expert
Restart Cursor to activate cicd-expert. Access via /cicd-expert in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
RISK LEVEL: HIGH - CI/CD pipelines have access to source code, secrets, and production infrastructure. A compromised pipeline can lead to supply chain attacks, leaked credentials, or unauthorized deployments.
2. Core Principles
TDD First - Write pipeline tests before implementation. Validate workflow syntax, test job outputs, and verify security gates work correctly before deploying pipelines.
Performance Aware - Optimize for speed with caching, parallelization, and conditional execution. Every minute saved in CI/CD compounds across all developers.
Security by Default - Embed security gates at every stage. Use least privilege, OIDC authentication, and artifact signing.
Fail Fast - Detect issues early with proper ordering: lint β security scan β test β build β deploy.
Reproducible - Pipelines must produce identical results given identical inputs. Pin versions, use lockfiles, and avoid external state.
3. Implementation Workflow (TDD)
Step 1: Write Failing Test First
Before creating or modifying a pipeline, write tests that validate expected behavior:
# .github/workflows/test-pipeline.ymlname: Test Pipeline Configuration
on:[push]jobs:validate-workflow:runs-on: ubuntu-latest
steps:-uses: actions/checkout@v4
-name: Validate workflow syntax
run:| # Install actionlint for GitHub Actions validation
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint -color-name: Test workflow outputs
run:| # Verify expected outputs exist
grep -q "outputs:" .github/workflows/ci-cd.yml || exit 1
echo "Output definitions found"test-security-gates:runs-on: ubuntu-latest
steps:-uses: actions/checkout@v4
-name: Verify security scans are required
run:| # Check that security jobs are dependencies for deploy
grep -A 10 "deploy:" .github/workflows/ci-cd.yml | grep -q "needs:.*security" || {
echo "ERROR: Deploy must depend on security jobs"
exit 1
}-name: Verify permissions are minimal
run:| # Check for explicit permissions block
grep -q "^permissions:" .github/workflows/ci-cd.yml || {
echo "ERROR: Workflow must have explicit permissions"
exit 1
}
Step 2: Implement Minimum to Pass
Create the pipeline with just enough configuration to pass the tests:
Expand the pipeline with full implementation while keeping tests passing:
# Add caching, matrix testing, artifact signing, etc.# Run tests after each addition to ensure compliance
Step 4: Run Full Verification
# Validate all workflowsactionlint
# Test workflow locally with actact -n# Dry run to validate# Run the test pipelinegh workflow run test-pipeline.yml
# Verify security compliancegh api repos/{owner}/{repo}/actions/permissions
4. Performance Patterns
Pattern 1: Dependency Caching
# BAD: No caching - reinstalls every time-name: Install dependencies
run: npm install
# GOOD: Cache with hash-based keys-name: Cache npm dependencies
uses: actions/cache@v3
with:path: ~/.npm
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json')}}restore-keys:| ${{ runner.os }}-npm--name: Install dependencies
run: npm ci
Pattern 2: Parallel Job Execution
# BAD: Sequential jobsjobs:lint:runs-on: ubuntu-latest
test:needs: lint # Waits for lintsecurity:needs: test # Waits for test# GOOD: Independent jobs run in paralleljobs:lint:runs-on: ubuntu-latest
test:runs-on: ubuntu-latest # Parallel with lintsecurity:runs-on: ubuntu-latest # Parallel with lint and testbuild:needs:[lint, test, security]# Only build waits
Pattern 3: Artifact Optimization
# BAD: Upload entire node_modules-uses: actions/upload-artifact@v4
with:name: build
path: . # Includes node_modules!# GOOD: Upload only build outputs with compression-uses: actions/upload-artifact@v4
with:name: build
path: dist/
retention-days:7compression-level:9
Pattern 4: Incremental Builds
# BAD: Full rebuild every time-name: Build
run: npm run build
# GOOD: Cache build outputs-name: Cache build
uses: actions/cache@v3
with:path:| dist
.next/cache
node_modules/.cachekey: ${{ runner.os }}-build-${{ hashFiles('src/**')}}-name: Build
run: npm run build
Pattern 5: Conditional Workflows
# BAD: Run everything on every changeon:[push]
β
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
