Dependencies drift out of date between manual bumps, and nobody remembers to run the update. A nightly job keeps the lockfile current and opens a PR only when there is actually something to merge.
Contract: A PR is opened only when dependencies changed AND the test suite passed; a clean tree produces no PR and no noise.
Requirements
- GitHub Actions enabled
- peter-evans/create-pull-request action
- A passing test command to gate the bump
Dependabot floods the queue with bumps; reviewing every patch by hand is toil, but blindly auto-merging majors is dangerous. Gate the merge on semver severity so minor/patch flow through and majors wait for a human.
Contract: Minor/patch bumps auto-merge once CI is green; major bumps are labeled and left open for a human, never merged automatically.
Requirements
- Dependabot configured for the repo
- dependabot/fetch-metadata action
- Branch protection with required status checks, so an `--auto` merge waits for them instead of merging immediately
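Added example (not from the page and not part of `dependabot/fetch-metadata`): the semver classification and gating decision the auto-merge step makes, as shell you can run locally against version pairs. `gate_from_update_type` consumes the `update-type` string that `dependabot/fetch-metadata` exposes (`version-update:semver-major|minor|patch`); `gate_from_versions` derives the same decision from a raw old/new pair, which is useful when the PR did not come from Dependabot. The `STRICT_ZERO` policy (holding 0.x minor bumps for a human, since semver promises nothing below 1.0) is an added assumption, not something the page states.

```shell
#!/usr/bin/env bash
# Added example: semver gate for dependency-bump PRs (not the page's own code).
# Assumes versions shaped like 1.2.3 / v1.2.3 / 1.2.3-rc.1 (hypothetical inputs).

# Strip a leading "v" and any prerelease/build suffix ("-rc.1", "+build.5").
semver_core() {
  printf '%s' "$1" | sed -E 's/^v//; s/[-+].*$//'
}

# Echo major|minor|patch|none|downgrade|invalid for an old -> new pair.
semver_update_type() {
  local old new o1 o2 o3 n1 n2 n3 rest v
  old=$(semver_core "$1"); new=$(semver_core "$2")
  for v in "$old" "$new"; do
    printf '%s' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || { echo invalid; return 0; }
  done
  o1=${old%%.*}; rest=${old#*.}; o2=${rest%%.*}; o3=${rest#*.}
  n1=${new%%.*}; rest=${new#*.}; n2=${rest%%.*}; n3=${rest#*.}
  if   [ "$n1" -gt "$o1" ]; then echo major
  elif [ "$n1" -lt "$o1" ]; then echo downgrade
  elif [ "$n2" -gt "$o2" ]; then echo minor
  elif [ "$n2" -lt "$o2" ]; then echo downgrade
  elif [ "$n3" -gt "$o3" ]; then echo patch
  elif [ "$n3" -lt "$o3" ]; then echo downgrade
  else echo none
  fi
}

# Policy: only minor/patch auto-merge; everything else (major, downgrade,
# unparseable) waits for a human. STRICT_ZERO=1 (assumed default) also holds
# 0.x minor bumps, because semver makes no compatibility promise below 1.0.
STRICT_ZERO=${STRICT_ZERO:-1}
gate_from_versions() {
  local kind old
  kind=$(semver_update_type "$1" "$2")
  old=$(semver_core "$1")
  case "$kind" in
    patch) echo auto-merge ;;
    minor)
      if [ "$STRICT_ZERO" = 1 ] && [ "${old%%.*}" = 0 ]; then echo hold-for-human
      else echo auto-merge; fi ;;
    *) echo hold-for-human ;;
  esac
}

# Same decision from fetch-metadata's update-type output,
# e.g. "version-update:semver-patch". Anything unrecognised is held.
gate_from_update_type() {
  case "$1" in
    version-update:semver-patch|version-update:semver-minor) echo auto-merge ;;
    *) echo hold-for-human ;;
  esac
}
```

In the workflow, the same decision is a step condition on `steps.<id>.outputs.update-type` in front of `gh pr merge --auto`; with required status checks configured in branch protection, `--auto` queues the merge until they are green rather than merging on the spot, which is the whole point of requirement three above.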
Tags: ci-failure, claude-code, github-actions
A red build blocks the team until someone is free to diagnose it. Wake an agent with the failure logs as its contract: reproduce, fix on a branch, and push, bounded so it can't thrash forever.
Contract: Fires only on CI failure for a PR; the fix lands on a dedicated `claude-auto-fix-ci-*` branch (never the source branch), and the guard prevents the repair run from re-triggering itself.
Requirements
- anthropics/claude-code-action + ANTHROPIC_API_KEY
- A workflow named 'CI' to watch
- Bounded --max-turns so the loop can't thrash
Flaky end-to-end tests fail on stale locators, and diagnosing which selector broke is tedious. On an E2E failure, parse the report and post concrete locator-fix suggestions to the PR — advisory, so it never blocks the merge.
Contract: Advisory only: posts locator-fix suggestions from the failing report as a PR comment and never blocks the merge.
Requirements
- An E2E job that uploads a results.json artifact named 'e2e-report'
- pull-requests: write permission
Tags: pr-open, claude-code, github-actions
Human reviewers are the bottleneck, and small PRs wait hours for a first pass. Run an automated deep review on every PR open/update so the obvious issues are caught before a person looks.
Contract: Runs on every PR open/sync/reopen and posts findings as a review comment; it never approves or merges — the human decision stays human.
Requirements
- anthropics/claude-code-action + CLAUDE_CODE_OAUTH_TOKEN (or ANTHROPIC_API_KEY)
- SHA-pin the action version for CI supply-chain safety
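The SHA-pin requirement is easy to state and easy to let slip in a later edit. As an added example (not the page's tooling and not part of claude-code-action), here is a check that scans a workflow file for `uses:` references whose ref is not a full 40-hex commit SHA, so it can run as its own CI step. The workflow it scans is constructed inline, and its SHA is a placeholder, not a real commit.

```shell
#!/usr/bin/env bash
# Added example: find "uses:" references that are not pinned to a commit SHA.
# Not the page's or any project's own tooling; the workflow below is constructed.

# Write a constructed workflow to a temp file and echo its path.
# The 40-hex value is a placeholder, not a real commit.
sample_workflow() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
name: review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "anthropics/claude-code-action@0123456789abcdef0123456789abcdef01234567" # v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: peter-evans/create-pull-request@main
EOF
  printf '%s\n' "$f"
}

# Print every action reference whose @ref is not a full 40-hex commit SHA.
# Local composite actions (./...) and docker:// images are skipped: pinning
# those is a different control (repo contents / image digest), not a git ref.
unpinned_actions() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E -e 's/^[[:space:]-]*uses:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
             -e 's/"//g' -e "s/'//g" \
    | while IFS= read -r ref; do
        case "$ref" in
          ./*|docker://*) continue ;;
        esac
        case "$ref" in
          *@*) tag=${ref##*@} ;;
          *)   tag="" ;;          # no @ref at all: floats on the default branch
        esac
        printf '%s' "$tag" | grep -Eq '^[0-9a-f]{40}$' || printf '%s\n' "$ref"
      done
}

# Exit 0 only when every third-party action is SHA-pinned; list offenders otherwise.
check_pins() {
  local bad
  bad=$(unpinned_actions "$1")
  if [ -n "$bad" ]; then
    printf 'unpinned action references in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}
```

A tag like `@v4` can be moved to a different commit by whoever controls the upstream repo; a SHA cannot, so an update shows up as a reviewable diff instead of a silent swap. Keeping pins current is still worth automating: Dependabot's `github-actions` ecosystem updates SHA-pinned references too.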
Tags: issue-label, claude-code, github-actions
New issues sit un-triaged, so priority and type are unknown until a maintainer gets to them. Classify each new issue automatically and post a triage summary — as suggestions, so the maintainer keeps the final call.
Contract: On every new issue, posts a triage table (type, labels, complexity, priority) as a comment; labels are suggested only and never auto-applied.
Requirements
- anthropics/claude-code-action + ANTHROPIC_API_KEY
- issues: write permission
- A small model (Haiku) keeps per-issue cost low
Tags: schedule, claude-code, github-actions
Skill content goes stale as upstream frameworks release new versions, and manually re-writing docs is slow. A weekly pipeline refreshes indices, has an agent regenerate the affected skill files, validates them, and opens a PR only when there's a real change.
Contract: Opens a PR only when the eval harness passes on regenerated skills; if only indices changed it falls back to an index-only PR, and a clean run produces nothing.
Requirements
- @anthropic-ai/sdk + ANTHROPIC_API_KEY
- An eval/validation step to gate generated content
- peter-evans/create-pull-request
Docs and specs silently fall out of sync with the live system, and you only notice when someone follows stale instructions. A weekly tripwire diffs the committed baseline against reality and files an issue on drift — detect-only, so it never rewrites your specs behind your back.
Contract: Detect-only: never writes specs. Exit 0 = fresh (silent), 3 = drift (opens/updates a single 'drift' issue), 1 = hard failure (fails the job loudly, so a broken check can never masquerade as a fresh result).
Requirements
- A drift-check script with a stable 3-state exit contract
- issues: write permission
- A committed baseline to diff against
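The 3-state exit contract is the part worth getting right, because a check that crashes must never read as "no drift". The following is an added example, not the page's drift-check script; the snapshot format (key=value lines), the normalization rules, and the sample baseline are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: the 3-state exit contract of a drift tripwire, exercised on
# constructed "baseline" and "live" snapshots. Not the page's own script; the
# key=value snapshot format is assumed for illustration.

# Normalize so cosmetic differences (trailing whitespace, blank lines, key
# order) are not reported as drift. What you ignore here is a policy choice;
# keep it deliberate and narrow.
normalize() {
  sed -E 's/[[:space:]]+$//' "$1" | grep -v '^$' | sort
}

# Exit contract: 0 = fresh (say nothing), 3 = drift (diff on stdout),
# 1 = hard failure (could not decide; must never look like "fresh").
drift_check() {
  local baseline=$1 live=$2 a b rc
  [ -r "$baseline" ] || { echo "hard failure: baseline '$baseline' unreadable" >&2; return 1; }
  [ -r "$live" ]     || { echo "hard failure: live snapshot '$live' unreadable" >&2; return 1; }
  a=$(mktemp); b=$(mktemp)
  normalize "$baseline" >"$a"
  normalize "$live" >"$b"
  if cmp -s "$a" "$b"; then
    rc=0
  else
    rc=3
    diff -u "$a" "$b" || true      # diff exits 1 on differences; that is not an error here
  fi
  rm -f "$a" "$b"
  return "$rc"
}

# Map an exit code to what the workflow does next; unknown codes fail loudly.
tripwire_action() {
  case "$1" in
    0) echo silent ;;
    3) echo upsert-drift-issue ;;
    *) echo fail-job ;;
  esac
}

# What a workflow step would run: exit 0 for fresh or drift (the issue carries
# the signal) and propagate anything else, so a broken check fails the job.
run_tripwire() {
  local rc=0 report action
  report=$(drift_check "$1" "$2") || rc=$?
  action=$(tripwire_action "$rc")
  printf 'action=%s\n' "$action"
  [ -z "$report" ] || printf '%s\n' "$report"
  case "$rc" in 0|3) return 0 ;; *) return "$rc" ;; esac
}

# Constructed snapshots: "fresh" differs only cosmetically, "drift" changes a value.
sample_baseline() {
  local f; f=$(mktemp)
  printf 'api.version=v2\nauth.mode=oidc\nrate.limit=100\n' >"$f"
  printf '%s\n' "$f"
}
sample_live() {
  local f; f=$(mktemp)
  case "$1" in
    fresh) printf 'rate.limit=100  \n\napi.version=v2\nauth.mode=oidc\n' >"$f" ;;
    drift) printf 'api.version=v2\nauth.mode=basic\nrate.limit=100\n' >"$f" ;;
  esac
  printf '%s\n' "$f"
}
```

In the workflow, capture the code with `rc=0; ./drift-check.sh || rc=$?` and branch on `$rc`: GitHub Actions runs `run:` steps under `bash -e`, so calling the script bare would fail the step on exit 3 before you get to file the issue, and that is the one place where drift and breakage would collapse into the same red X.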
Stale things — untouched memory entries, dead flags, flaky tests quarantined and forgotten — accumulate with no forcing function to clean them up. A nightly sweep scans for entries past a staleness threshold and files a report.
Contract: Produces a staleness report artifact every night; the threshold is configurable on manual runs and defaults to 30 days.
Requirements
- A staleness-scan script for your domain
- actions/upload-artifact for the report
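An added example (not the page's scan script) of the sweep itself, run over a constructed inventory. The record format (name, tab, last-touched epoch seconds) and the fixed `SAMPLE_NOW` are assumptions so the run is reproducible; in a real sweep the epochs would come from `git log`, a database, or a flag store. The threshold defaults to 30 days and is taken as an argument, which is where a `workflow_dispatch` input would be passed in.

```shell
#!/usr/bin/env bash
# Added example: a staleness scan over a constructed inventory. Not the page's
# own script; the record format (name<TAB>last_touched_epoch) is assumed.

STALE_DAYS_DEFAULT=30        # the page's default; a manual run can override it
SAMPLE_NOW=1700000000        # fixed "now" so the example is reproducible

# Print "age_days<TAB>name", oldest first, for entries idle longer than the
# threshold. Rows without a numeric epoch are skipped rather than guessed at.
stale_entries() {   # stale_entries FILE [DAYS] [NOW_EPOCH]
  local file=$1 days=${2:-$STALE_DAYS_DEFAULT} now=${3:-$(date +%s)}
  awk -F'\t' -v now="$now" -v days="$days" '
    NF >= 2 && $2 ~ /^[0-9]+$/ {
      age = int((now - $2) / 86400)
      if (age > days) printf "%d\t%s\n", age, $1
    }' "$file" | sort -rn
}

# Number of stale entries (prints 0 when there are none).
stale_count() {
  stale_entries "$@" | grep -c '' || true
}

# The report the workflow uploads as an artifact.
stale_report() {   # stale_report FILE DAYS NOW_EPOCH
  printf '# Staleness report (threshold: %s days)\n' "$2"
  printf 'age_days\tentry\n'
  stale_entries "$1" "$2" "$3"
}

# Constructed inventory; ages are relative to SAMPLE_NOW.
sample_inventory() {
  local f; f=$(mktemp)
  printf 'memory/arch-decisions\t1699568000\n'          >"$f"   # 5 days old
  printf 'flags/old_checkout_v2\t1682720000\n'         >>"$f"   # 200 days old
  printf 'tests/quarantine/flaky_login\t1696112000\n'  >>"$f"   # 45 days old
  printf 'memory/onboarding\t1697408000\n'             >>"$f"   # exactly 30 days: not past the threshold
  printf 'flags/broken-row\tunknown\n'                 >>"$f"   # malformed: skipped
  printf '%s\n' "$f"
}
```

The boundary is deliberate: an entry exactly at the threshold is not reported, so "30 days" means "more than 30 days idle". If your domain wants the inclusive reading, change the comparison, but write the choice down next to the threshold so the report stays interpretable.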
Cutting a release by hand — bumping the version, writing the changelog, tagging — is forgettable toil. Let conventional commits drive it: on every push plus a weekly floor, generate the changelog and open a release PR that becomes a tagged release on merge.
Contract: release-please analyzes conventional commits, opens/updates a release PR with the computed version bump and generated CHANGELOG; merging that PR creates the GitHub Release and tag.
Requirements
- Conventional Commits discipline in the history
- googleapis/release-please-action
- contents + pull-requests write permission
Security scanning that only runs on PRs misses problems in code that is already merged: a new query or an advisory published after the merge never re-triggers a scan. A weekly CodeQL sweep plus a secret scan on every push keeps coverage continuous.
Contract: CodeQL runs weekly (and on push) and uploads findings to the Security tab; Gitleaks scans full history for committed secrets. Findings surface as alerts rather than blocking the push.
Requirements
- security-events: write permission for CodeQL upload
- github/codeql-action and gitleaks/gitleaks-action
Inactive issues pile up and hide the ones that matter, but closing them by hand is thankless. A daily sweep marks issues stale after inactivity and closes them if nothing changes, while exempting the labels you care about.
Contract: Marks an issue stale after 30 days idle and closes it 7 days later unless it carries an exempt label or gets new activity; PRs are untouched.
Requirements
- actions/stale
- issues: write permission
- An agreed exempt-label set
External links in docs rot silently — a vendor moves a page and your quickstart 404s for weeks. A weekday link check catches breakage early and pings Slack on failure so someone actually fixes it.
Contract: Runs weekdays; on any broken external link the job fails and a Slack message with the run URL is sent. A clean run is silent.
Requirements
- A link checker (lychee, or bun/npm equivalent)
- SLACK_WEBHOOK_URL secret for the alert
A generated README (catalog, index, badge table) drifts from the underlying data between manual regenerations. A scheduled job rebuilds it from source and commits only when the output actually changed.
Contract: Rebuilds README.md from source on schedule and commits only on a real diff; an unchanged README yields no commit.
Requirements
- A README-generation script
- contents: write permission
Tags: schedule, claude-code, github-actions
A dependency you track (an upstream CLI, a framework) ships changes you need to adopt, but nobody watches its changelog daily. A watcher diffs the upstream changelog, and — optionally with an agent — files adoption issues for the gaps worth acting on.
Contract: Only acts when the upstream changelog changed. LLM triage is a soft dependency (skipped cleanly if the token is absent); either way a fallback 'upstream-adoption' issue is filed so a change is never silently dropped.
Requirements
- A cached copy of the upstream changelog to diff against
- Optional CLAUDE_CODE_OAUTH_TOKEN for the LLM triage step
- issues: write permission
You mean to cut a package release 'soon' but lose track of whether it's actually due — commits accrued, version proposed, npm behind the tag. A daily check computes readiness and upserts a single tracking issue instead of spamming new ones.
Contract: Writes a readiness summary to the run each day and keeps exactly one open 'release-watch' issue (upsert), so the signal never becomes issue spam.
Requirements
- A readiness-check script (commit count, version, registry state)
- issues: write permission
A content repo (registry entries, schemas, generated site) can pass per-PR checks yet still rot in aggregate. A weekly full validation re-runs every schema, policy, and build lane so drift is caught even when no one touched the files.
Contract: Runs on PRs for changed lanes and does a full weekly sweep of schema, policy, build, and registry validation so aggregate drift surfaces even without a triggering change.
Requirements
- Validation scripts for each content lane
- A reproducible build step
When a spec is the source of truth, small edits can quietly violate invariants — a rubric weight that no longer sums, a version marker left un-bumped, a frontmatter field dropped. A push/PR guard runs the whole battery of consistency assertions so a broken spec never merges.
Contract: Every invariant script must exit zero for the job to pass; a single violated assertion (schema, version, rubric, frontmatter) blocks the merge.
Requirements
- A suite of single-invariant validation scripts
- Runs on push and pull_request
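As an added example (not the page's own invariant scripts), a minimal suite of single-invariant checks over a constructed spec: required frontmatter keys present, rubric weights summing to 100, and a version marker that must move whenever the body changes relative to the committed baseline. The spec layout, the required keys, and the weight target are assumptions for illustration; the runner fails on any single violated invariant, which is the contract above.

```shell
#!/usr/bin/env bash
# Added example: a suite of single-invariant checks over a constructed spec
# (YAML frontmatter + a markdown rubric table). Not the page's own scripts;
# the layout, required keys and weight-sum target are assumptions.

# --- spec plumbing --------------------------------------------------------
frontmatter() {   # lines between the leading "---" fences (empty if none)
  awk 'NR==1 { if ($0 != "---") exit; next } $0 == "---" { exit } { print }' "$1"
}
body() {          # everything after the frontmatter (whole file if none)
  awk 'NR==1 && $0=="---" { infm=1; next } infm && $0=="---" { infm=0; next } !infm { print }' "$1"
}
fm_value() {      # fm_value FILE KEY
  frontmatter "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}
rubric_sum() {    # sum of the weight column of "| name | weight |" rows
  awk -F'|' '$3 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ { s += $3 } END { print s + 0 }' "$1"
}

# --- one invariant per function: exit 0, or print why and exit 1 -----------
check_frontmatter() {
  local k ok=0
  for k in title version schema; do
    frontmatter "$1" | grep -Eq "^$k:[[:space:]]*[^[:space:]]" || { echo "frontmatter: missing '$k'"; ok=1; }
  done
  return "$ok"
}
check_rubric_sum() {
  local s; s=$(rubric_sum "$1")
  [ "$s" -eq 100 ] || { echo "rubric: weights sum to $s, expected 100"; return 1; }
}
check_version_bumped() {   # check_version_bumped SPEC BASELINE
  local cur base
  cur=$(fm_value "$1" version); base=$(fm_value "$2" version)
  case "$cur$base" in *[!0-9]*|"") echo "version: non-numeric marker"; return 1 ;; esac
  # Unchanged body needs no bump; a changed body needs a strictly higher version.
  [ "$(body "$1" | cksum)" = "$(body "$2" | cksum)" ] && return 0
  [ "$cur" -gt "$base" ] || { echo "version: body changed but marker is still $cur (baseline $base)"; return 1; }
}

# Run every invariant and report each by name; one failure fails the job.
run_invariants() {   # run_invariants SPEC BASELINE
  local fails=0 inv
  for inv in check_frontmatter check_rubric_sum; do
    if "$inv" "$1"; then echo "ok   $inv"; else echo "FAIL $inv"; fails=$((fails + 1)); fi
  done
  if check_version_bumped "$1" "$2"; then echo "ok   check_version_bumped"
  else echo "FAIL check_version_bumped"; fails=$((fails + 1)); fi
  [ "$fails" -eq 0 ]
}

# --- constructed specs -----------------------------------------------------
spec_text() {   # spec_text VERSION SCHEMA_LINE W1 W2 W3
  printf '%s\ntitle: Grading spec\nversion: %s\n%s\n%s\n# Rubric\n\n| criterion | weight |\n|---|---|\n| correctness | %s |\n| security | %s |\n| style | %s |\n' \
    --- "$1" "$2" --- "$3" "$4" "$5"
}
# baseline: committed; good: bumped and consistent; bad_sum: weights total 95;
# no_bump: body changed, version unchanged; missing_fm: no schema key.
sample_spec() {   # sample_spec VARIANT -> path
  local f; f=$(mktemp)
  case "$1" in
    baseline)   spec_text 3 'schema: rubric/v1' 50 30 20 ;;
    good)       spec_text 4 'schema: rubric/v1' 40 40 20 ;;
    bad_sum)    spec_text 4 'schema: rubric/v1' 50 30 15 ;;
    no_bump)    spec_text 3 'schema: rubric/v1' 40 40 20 ;;
    missing_fm) spec_text 4 ''                 40 40 20 ;;
  esac >"$f"
  printf '%s\n' "$f"
}
```

Keeping one invariant per function (or per script, as the requirement above puts it) is what makes a failure actionable: the job output names the broken assertion rather than a generic "validation failed", and adding a new invariant never risks weakening an existing one.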