review-renovate

backnotprop
Updated 1 month ago

About

This skill reviews Renovate bot PRs that update GitHub Actions dependencies. It verifies supply chain integrity by checking commit SHAs against upstream releases, reviews changelogs for breaking changes, and confirms workflow compatibility. Use it when Renovate opens a PR modifying files in `.github/workflows/`.

Quick Install

Claude Code

Recommended (primary):
npx skills add backnotprop/plannotator -a claude-code

Plugin command (alternative):
/plugin add https://github.com/backnotprop/plannotator

Git clone (alternative):
git clone https://github.com/backnotprop/plannotator.git ~/.claude/skills/review-renovate

Copy and paste this command in Claude Code to install this skill

Documentation

Review Renovate GitHub Actions PRs

You are reviewing a Renovate bot PR that updates GitHub Actions dependencies. Your job is to verify supply chain integrity and ensure the upgrades won't break CI/CD workflows.

Inputs

You will be given a PR number or URL. Use the gh CLI to fetch the PR details and diff.

Steps

1. Fetch PR metadata and diff

gh pr view <PR> --json title,body,files,commits,author,headRefName
gh pr diff <PR>

Confirm the PR author is app/renovate. If not, flag this immediately — it may not be an automated dependency update.

2. Identify all action version changes

From the diff, extract each changed action:

  • Full action name (e.g., oven-sh/setup-bun)
  • Old version tag and pinned SHA
  • New version tag and pinned SHA
  • Update type (patch, minor, major)

3. Verify pinned SHAs against upstream tags

For every action being updated, verify both old and new SHAs match the claimed version tags:

gh api repos/{owner}/{repo}/git/ref/tags/{version} --jq '.object.sha'

Compare each result against the SHA in the workflow file. If any SHA does not match, stop and report a supply chain integrity failure. Do not approve the PR.

4. Review changelogs for breaking changes

From the PR body (Renovate includes release notes), check each updated action for:

  • Removed inputs or outputs that the workflows currently use
  • Changed default behavior for inputs the workflows rely on
  • New required inputs
  • Major version bumps (these almost always have breaking changes)

5. Check workflow compatibility

Read the affected workflow files and verify:

  • No removed or renamed inputs are being used
  • No changed defaults affect current behavior
  • The action's runtime requirements are still met (e.g., Node.js version compatibility)

6. Report findings

Present a summary table:

| Action | Old | New | Type | SHA verified |
|--------|-----|-----|------|--------------|
| ... | ... | ... | patch/minor/major | yes/NO |

Then state:

  • Whether all SHAs are verified
  • Whether any breaking changes were found
  • Whether the workflows remain compatible
  • A clear "safe to merge" or "do not merge" recommendation
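
Steps 2 and 3 as a POSIX shell script, added here as an example; it is not part of the skill or the plannotator repository. It goes beyond the step 3 command in two ways: it peels annotated tags, for which `git/ref/tags/<tag>` returns the tag object's SHA rather than the commit SHA a workflow pins, and it reports changed `uses:` lines it cannot verify. The function names and every SHA and version in `sample_diff` are constructed.

```sh
#!/bin/sh
# Added example, not the skill's own code. sample_diff holds constructed data.
sample_diff() {
cat <<'EOF'
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,2 +10,2 @@
-      - uses: oven-sh/setup-bun@1111111111111111111111111111111111111111 # v2.0.1
+      - uses: oven-sh/setup-bun@2222222222222222222222222222222222222222 # v2.0.2
-      - uses: example-org/scan/init@3333333333333333333333333333333333333333 # v3.1.0
+      - uses: example-org/scan/init@4444444444444444444444444444444444444444 # v3.2.0
EOF
}

# Step 2: print "<owner/repo> <sha> <tag>" for each changed uses: line (old and new).
# A changed line lacking a 40-hex SHA plus "# tag" comment is printed as unverifiable.
extract_pins() {
  sed -nE '/^[-+].*uses:/{
    s|^[-+].*uses:[[:space:]]*([^/@[:space:]]+/[^/@[:space:]]+)[^@[:space:]]*@([0-9a-f]{40})[[:space:]]*#[[:space:]]*([^[:space:]]+).*|\1 \2 \3|p
    t
    s|^[-+].*uses:[[:space:]]*([^[:space:]]+).*|\1 unverifiable -|p
  }'
}

# Step 3: resolve <owner/repo> <tag> to a commit SHA. A lightweight tag yields
# type "commit" directly; an annotated tag yields type "tag" and must be peeled.
resolve_tag_commit() {
  obj=$(gh api "repos/$1/git/ref/tags/$2" --jq '.object.type + " " + .object.sha' </dev/null) || return 1
  while [ "${obj%% *}" = "tag" ]; do
    obj=$(gh api "repos/$1/git/tags/${obj#* }" --jq '.object.type + " " + .object.sha' </dev/null) || return 1
  done
  printf '%s\n' "${obj#* }"
}

# Read extract_pins output; print yes/NO per pin and return 1 on any failure.
verify_pins() {
  rc=0
  while read -r repo pinned tag; do
    actual=$(resolve_tag_commit "$repo" "$tag") || actual=unresolved
    if [ "$actual" = "$pinned" ]; then
      echo "yes $repo@$tag"
    else
      echo "NO $repo@$tag pinned=$pinned upstream=$actual"; rc=1
    fi
  done
  return $rc
}

# Usage: sh verify-pins.sh --pr <PR>   (needs an authenticated gh)
if [ "${1:-}" = "--pr" ]; then gh pr diff "$2" | extract_pins | verify_pins; fi
```

When typing the step 3 command by hand, substitute the action's own owner and repository: `gh api` expands a literal `{owner}` or `{repo}` in the endpoint to the repository of the current directory, which is the repository under review rather than the action's upstream.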

GitHub Repository

backnotprop/plannotator
Path: .agents/skills/review-renovate
FAQ

Frequently asked questions

What is the review-renovate skill?

review-renovate is a Claude Skill by backnotprop. Skills package instructions and resources that Claude loads on demand, so Claude can perform review-renovate-related tasks without extra prompting.

How do I install review-renovate?

Use the install commands on this page: add review-renovate to Claude Code as a plugin, or clone its repository into your skills directory, then restart Claude so it picks up the skill.

What category does review-renovate belong to?

review-renovate is in the Other category, tagged ai and automation.

Is review-renovate free to use?

Yes. review-renovate is listed on AIMCP and free to install. It runs inside Claude, so no separate service account is required to use the skill itself.
