Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .claude-plugin/marketplace.json
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@
{
"name": "bitwarden-devops-engineer",
"source": "./plugins/bitwarden-devops-engineer",
"version": "0.1.3",
"version": "0.1.4",
"description": "GitHub Actions workflow compliance, action security auditing, and org-wide CI/CD remediation."
},
{
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ A curated collection of plugins for AI-assisted development at Bitwarden. Enable
| [bitwarden-delivery-tools](plugins/bitwarden-delivery-tools/) | 2.0.0 | Delivery lifecycle skills: initiative funnel navigation, work transitions, tech breakdowns and task decomposition, commits, PRs, preflight, labeling |
| [bitwarden-designer](plugins/bitwarden-designer/) | 0.1.0 | Product designer persona: Code of Conduct and 30/60/90 critique, critique facilitation; dispatches into bitwarden-design-tools |
| [bitwarden-design-tools](plugins/bitwarden-design-tools/) | 0.1.0 | Design toolkit: content style guide, Figma Dev Mode MCP, Bitwarden brand application, handoff prep, Design System governance, Product and Design Jira |
| [bitwarden-devops-engineer](plugins/bitwarden-devops-engineer/) | 0.1.3 | DevOps engineering assistant: workflow compliance linting, action security auditing, and org-wide CI/CD remediation |
| [bitwarden-devops-engineer](plugins/bitwarden-devops-engineer/) | 0.1.4 | DevOps engineering assistant: workflow compliance linting, action security auditing, and org-wide CI/CD remediation |
| [bitwarden-init](plugins/bitwarden-init/) | 1.2.0 | Initialize and enhance CLAUDE.md files with Bitwarden's standardized template format |
| [bitwarden-product-analyst](plugins/bitwarden-product-analyst/) | 0.1.5 | Product analyst agent for creating comprehensive Bitwarden requirements documents from multiple sources |
| [bitwarden-security-engineer](plugins/bitwarden-security-engineer/) | 1.2.0 | Application security engineering: vulnerability triage, threat modeling, and secure code analysis |
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "bitwarden-devops-engineer",
"version": "0.1.3",
"version": "0.1.4",
"description": "GitHub Actions workflow compliance, action security auditing, and org-wide CI/CD remediation.",
"author": {
"name": "Bitwarden",
Expand Down
6 changes: 6 additions & 0 deletions plugins/bitwarden-devops-engineer/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@ All notable changes to the bitwarden-devops-engineer plugin will be documented i
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.1.4] - 2026-06-23

### Security

- Removed the `Bash(git add .github/:*)`, `Bash(git commit:*)`, and `Bash(git push:*)` permissions from the `action-remediate` and `workflow-fix` skills so these mutating git operations are run manually by the user instead of auto-approved. The skills now present the commands and resume to create the draft PR after the user confirms the push. Read-only `git diff`/`git status`, branch setup via `git checkout`, and `gh pr create` are retained.

## [0.1.3] - 2026-05-08

### Changed
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,15 @@ description: >
User: Replace tj-actions/changed-files with the safe version across those repos
Action: Trigger action-remediate to swap the action and create PRs
</example>
allowed-tools: Read, Edit, Glob, Grep, Bash(gh pr create:*), Bash(git checkout:*), Bash(git add .github/:*), Bash(git commit:*), Bash(git push:*), Bash(git diff:*)
allowed-tools: Read, Edit, Glob, Grep, Bash(gh pr create:*), Bash(git checkout:*), Bash(git diff:*)
---

## Rules

- **No mutating API calls without confirmation.** `gh api` GET requests are allowed freely. Any call using `-X POST`, `-X PUT`, `-X PATCH`, or `-X DELETE` must be shown to the user and approved before execution.
- **Never force-push, delete branches, or delete repositories.**
- **Only modify files under `.github/`.** Do not touch application code, scripts, or configuration outside of workflow files.
- **Show a diff and get confirmation before every commit.**
- **Show a diff and get confirmation before handing off for commit.**
- **All PRs must be created as drafts.**
- **Flag uncertainty.** If a finding is ambiguous or a fix could break a workflow, stop and ask rather than guessing.

Expand Down Expand Up @@ -59,13 +59,19 @@ For each selected repo:

4. Show a `git diff` of changes in this repo and get confirmation before proceeding.

## Step 3: Create PRs
## Step 3: Commit, Push, and Create PRs

After fixes are confirmed, for each repo:
Do not run the staging, commit, or push commands yourself. For each repo, present the block below for the user to run manually as a suggestion:

```bash
git add .github/
git commit -m "Remediate <action-name> action usage"
git push -u origin fix/action-remediation-<action-name-slug>
```
Comment on lines 66 to +70

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⛏️ If the user is now responsible for manually committing and pushing, is this inline bash necessary?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a valid point. There is ambiguity here. I'll revisit this to be a bit more explicit with the intent. πŸ‘

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 064b2ee

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with these changes, thoughts @SaintPatrck?

Thanks for the work to improve the plugin @fntyler!

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! :shipit:


Once the user confirms the push, create the draft PR:

```bash
gh pr create \
--title "Remediate <action-name> action usage" \
--body "$(cat <<'EOF'
Expand Down
12 changes: 9 additions & 3 deletions plugins/bitwarden-devops-engineer/skills/workflow-fix/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,15 @@ description: >
User: Fix the workflow linter issues in server and clients
Action: Trigger workflow-fix for those repos
</example>
allowed-tools: Read, Edit, Glob, Grep, Skill, Bash(bwwl:*), Bash(gh api --method GET *), Bash(git checkout:*), Bash(git add .github/:*), Bash(git commit:*), Bash(git push:*), Bash(git diff:*), Bash(git status:*), Bash(gh pr create:*)
allowed-tools: Read, Edit, Glob, Grep, Skill, Bash(bwwl:*), Bash(gh api --method GET *), Bash(git checkout:*), Bash(git diff:*), Bash(git status:*), Bash(gh pr create:*)
---

## Rules

- **No mutating API calls without confirmation.** `gh api` GET requests are allowed freely. Any call using `-X POST`, `-X PUT`, `-X PATCH`, or `-X DELETE` must be shown to the user and approved before execution.
- **Never force-push, delete branches, or delete repositories.**
- **Only modify files under `.github/`.** Do not touch application code, scripts, or configuration outside of workflow files.
- **Show a diff and get confirmation before every commit.**
- **Show a diff and get confirmation before handing off for commit.**
- **All PRs must be created as drafts.**
- **Flag uncertainty.** If a finding is ambiguous or a fix could break a workflow, stop and ask rather than guessing.

Expand Down Expand Up @@ -84,11 +84,17 @@ After all fixes are applied:

1. Show a `git diff` of all changes made.
2. Ask the user to confirm they want to proceed with a PR.
3. If confirmed:
3. Do not run the staging, commit, or push commands yourself. Present the block below for the user to run manually as a suggestion:

```bash
git add .github/workflows/
git commit -m "Fix workflow linter findings"
git push -u origin fix/workflow-linter-findings
```

4. Once the user confirms the push, create the draft PR:

```bash
gh pr create \
--title "Fix workflow linter findings" \
--body "Automated fixes for findings from the Bitwarden workflow linter (bwwl)." \
Expand Down
Loading