ci: add automated skill review for SKILL.md pull requests #34

Open
popey wants to merge 1 commit into rohitg00:main from popey:add-skill-review-ci
Contributor

@popey popey commented Mar 30, 2026

Hullo! Thanks for merging the skill improvements earlier. This is a follow-up that adds a lightweight GitHub Action to automatically review any SKILL.md files when they're changed in a PR, using tessl skill review.

  • Triggers only on PRs that touch **/SKILL.md
  • Posts review results as a PR comment
  • Minimal permissions: pull-requests: write and contents: read

This way you and your contributors get an instant quality signal on skill changes before manual review — no signup or tokens needed.

Summary by CodeRabbit

  • Chores
    • Added an automated skill review workflow that executes on pull requests modifying skill-related files, enabling continuous quality validation and streamlining the review process.

Hullo! Thanks for merging the skill improvements earlier. This is a follow-up that adds a lightweight GitHub Action to automatically review any `SKILL.md` files when they're changed in a PR, using tessl skill review.

- Triggers only on PRs that touch **/SKILL.md
- Posts review results as a PR comment
- Minimal permissions: pull-requests: write and contents: read

This way you and your contributors get an instant quality signal on skill changes before manual review — no signup or tokens needed.

Signed-off-by: Alan Pope <alan@popey.com>

coderabbitai bot commented Mar 30, 2026

Walkthrough

Added a new GitHub Actions workflow file that triggers on pull requests affecting SKILL.md files. The workflow runs the tesslio/skill-review action on ubuntu-latest with write permissions for pull requests and read access to repository contents.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow<br>.github/workflows/skill-review.yml | New workflow triggered on PRs affecting SKILL.md files; executes tesslio/skill-review action with appropriate permissions for PR write access and repo read access. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Poem

🐰 Hop, hop, a workflow takes the stage,
To review SKILLS upon the page,
With tesslio's magic touch so fine,
Each pull request shall brightly shine,
Our warren's knowledge reviewed divine! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and concisely describes the main change: adding an automated CI workflow for skill review of SKILL.md files, which directly matches the changeset content. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/skill-review.yml:
- Line 14: Replace the mutable action reference "tesslio/skill-review@main" with
a pinned immutable commit SHA: find the workflow step using "uses:
tesslio/skill-review@main" and update it to "uses:
tesslio/skill-review@<FULL_COMMIT_SHA>" by retrieving the desired commit SHA
from the tesslio/skill-review repository (e.g., the specific commit that
corresponds to the behavior you want) and substituting that full 40-character
SHA so the action is pinned and cannot unexpectedly change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aff1c0ba-8949-448b-aa08-dc242b733afe

📥 Commits

Reviewing files that changed from the base of the PR and between 9d1bd15 and 5f82c15.

📒 Files selected for processing (1)
  • .github/workflows/skill-review.yml

contents: read
steps:
- uses: actions/checkout@v4
- uses: tesslio/skill-review@main
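Review bot: `uses: tesslio/skill-review@main` in the steps list runs whatever that third-party branch points to at run time, in a job the PR description says holds `pull-requests: write`, so pin it to a full commit SHA. `actions/checkout@v4` on the line above is also a movable tag; pin it the same way, or state why a tag is accepted for that action.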

@coderabbitai coderabbitai bot Mar 30, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable action refs in workflow files (branch/tag refs vs SHA pins).
# Expected: no third-party actions pinned to moving refs like `@main`.
rg -n 'uses:\s*[^[:space:]]+@(?:main|master|v[0-9]+(?:\.[0-9]+){0,2})\s*$' .github/workflows

Repository: rohitg00/pro-workflow

Length of output: 760


Pin third-party action to an immutable commit SHA.

Using tesslio/skill-review@main is mutable and can change behavior (or risk compromise) without code changes in this repo. Pin to a full commit SHA instead of a branch reference.

Suggested fix
-      - uses: tesslio/skill-review@main
+      - uses: tesslio/skill-review@<full_commit_sha>
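Review bot: the `+` line still carries the `<full_commit_sha>` placeholder, so the suggestion cannot be committed as written. Substitute the full 40-character SHA of a commit that has been reviewed, and keep the human-readable ref in a trailing comment on that line so later bumps are easy to audit.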
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/skill-review.yml at line 14, Replace the mutable action
reference "tesslio/skill-review@main" with a pinned immutable commit SHA: find
the workflow step using "uses: tesslio/skill-review@main" and update it to
"uses: tesslio/skill-review@<FULL_COMMIT_SHA>" by retrieving the desired commit
SHA from the tesslio/skill-review repository (e.g., the specific commit that
corresponds to the behavior you want) and substituting that full 40-character
SHA so the action is pinned and cannot unexpectedly change.
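A broader version of the check discussed in the review above, added here as an example (it is not part of the PR or of CodeRabbit's output): instead of matching only `@main`, `@master` and `@vN`, it flags every `uses:` reference that is not a full 40-character commit SHA. The function name `find_unpinned`, the `example-org/*` actions and the sample SHA are constructed for illustration.

```python
import re

# Constructed sample: the first two steps are the ones quoted in the review;
# the remaining lines are made up to exercise the other cases.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: tesslio/skill-review@main
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/other-action@release/stable
  - uses: ./.github/actions/local-check
  - uses: docker://alpine:3.20
"""

# Matches "uses: <target>" with or without the leading list dash; lines that
# start with "#" (commented-out steps) do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_number, action, ref) for every step not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions live in this repo; docker:// images are pinned by
        # digest instead, which this sketch does not check.
        if target.startswith(("./", "docker://")):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:
            findings.append((lineno, target, ""))
        elif not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```

The `release/stable` line is the case the branch-and-tag regex in the review would miss, since that ref is neither `main`, `master` nor a `vN` tag.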

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
