Summary
The github-health-check skill currently runs a comprehensive audit and reports what is missing or misconfigured. It should go further: when a section is not set up, the skill should offer to walk the user through fixing it interactively rather than just listing it as a recommendation.
Motivation
Right now the health check ends with a "Recommended Actions" list. Users then have to figure out on their own how to implement each item. The skill is in a perfect position to do this work — it already knows exactly what is missing per section.
Proposed Changes
After generating the health report, for each section that has a failing or missing configuration, the skill should:
- Ask the user if they want to set it up now (e.g. "Branch protection is not configured on `main`. Would you like me to set it up now?")
- Walk through setup if the user agrees, using the `gh` CLI or the GitHub MCP tools
- Confirm completion and re-check that section before moving on
Sections that should get interactive setup prompts
| Check | What to prompt | How to fix |
|---|---|---|
| Branch Protection (Check 7) | No protection rules on default branch | Use `gh api` to create branch protection rules: require PR reviews, status checks, block force pushes |
| Dependabot (Check 9) | `.github/dependabot.yml` missing | Generate a `dependabot.yml` appropriate for the repo's detected ecosystems (npm, go, python, github-actions) |
| Codecov (Check 4) | Not configured in CI | Add a `codecov/codecov-action` step to the build workflow; create a `codecov.yml` config |
| Snyk (Check 6) | Not integrated | Prompt for a Snyk token, add the `SNYK_TOKEN` secret via `gh secret set`, add a Snyk scan step to the CI workflow |
| Code Scanning / CodeQL (Check 5) | Not enabled | Create `.github/workflows/codeql.yml` with a default CodeQL analysis workflow |
| Secret Scanning (Check 5) | Not enabled | Enable via a `gh api` repo settings update |
| SECURITY.md (Check 9) | Missing | Generate a minimal `SECURITY.md` with a vulnerability disclosure policy |
| CODEOWNERS (Check 9) | Missing | Prompt for a team/user and generate a basic `CODEOWNERS` file |
| Repo description / topics (Check 9) | Empty description or no topics | Prompt the user for a description and topics, then apply via `gh repo edit` |
| Stale secrets (Check 12) | Secrets not rotated in 180+ days | Remind the user to rotate; offer to open the secrets settings page URL |
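The Dependabot row above says "generate a dependabot.yml for the detected ecosystems"; this added example (not code from the skill) shows one way to do that: map manifest files from a repo listing to Dependabot ecosystem names and emit the config without a YAML library. The manifest-to-ecosystem table and the sample file list are my assumptions, and the `git ls-files` walk is left to the caller.

```python
from pathlib import Path

# Manifest file -> Dependabot package-ecosystem value. The table row says "go" and
# "python"; the names dependabot.yml actually accepts for those are "gomod" and "pip".
MANIFESTS = {"package.json": "npm", "go.mod": "gomod",
             "requirements.txt": "pip", "pyproject.toml": "pip"}

def detect_ecosystems(files):
    """Map repo-relative paths to (package-ecosystem, directory) pairs, deduplicated, in input order."""
    found = []
    for path in files:
        p = Path(path)
        if p.parts[:2] == (".github", "workflows") and p.suffix in (".yml", ".yaml"):
            entry = ("github-actions", "/")  # Actions updates are always rooted at "/"
        elif p.name in MANIFESTS:
            directory = "/" if p.parent == Path(".") else f"/{p.parent.as_posix()}"
            entry = (MANIFESTS[p.name], directory)
        else:
            continue
        if entry not in found:
            found.append(entry)
    return found

def render_dependabot_yml(ecosystems, interval="weekly"):
    """Emit .github/dependabot.yml with one update block per (ecosystem, directory); no PyYAML needed."""
    lines = ["version: 2", "updates:"]
    for eco, directory in ecosystems:
        lines += [f'  - package-ecosystem: "{eco}"', f'    directory: "{directory}"',
                  "    schedule:", f"      interval: {interval}"]
    return "\n".join(lines) + "\n"

# Constructed file listing standing in for a repo walk (e.g. the output of `git ls-files`).
SAMPLE_FILES = ["package.json", "src/app.js", "services/api/go.mod",
                ".github/workflows/ci.yml", "README.md"]

if __name__ == "__main__":
    print(render_dependabot_yml(detect_ecosystems(SAMPLE_FILES)), end="")
```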
Interaction model
After the report is printed, the skill should present unconfigured items one at a time (or grouped by priority), prompt for confirmation, and execute the fix. Example flow:
```
⚠️ Branch protection is not configured on `main`.
Required PR reviews, status checks, and force-push blocking are all off.
Would you like me to configure branch protection now? [y/n]
```
If yes → apply sensible defaults via `gh api`, then confirm:
```
✅ Branch protection applied to `main`:
- Requires 1 approving review
- Requires status checks to pass
- Force pushes blocked
- Branch deletion blocked
```
If no → skip and move to the next item.
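The prompt → apply → re-check loop above, as an added example for the branch-protection item (not the skill's own code). It drives `gh api` against the REST branch-protection endpoint; the control names, the `SAMPLE_WEAK` response and the `ask` callback are constructed for illustration, and the PUT body adds `enforce_admins` on top of the four defaults the confirmation message lists.

```python
import json
import subprocess
REQUIRED_REVIEWS = 1  # the "sensible default" the confirmation message above promises

# Constructed sample of a GET .../branches/{branch}/protection response for a branch
# where every control is off (shape follows the REST API; values are made up).
SAMPLE_WEAK = {"required_pull_request_reviews": None, "required_status_checks": None,
               "allow_force_pushes": {"enabled": True}, "allow_deletions": {"enabled": True}}

def desired_protection(status_contexts=()):
    """Body for PUT .../branches/{branch}/protection: the four defaults above, plus enforcing them for admins."""
    return {"required_status_checks": {"strict": True, "contexts": list(status_contexts)},
            "enforce_admins": True,
            "required_pull_request_reviews": {"required_approving_review_count": REQUIRED_REVIEWS},
            "restrictions": None, "allow_force_pushes": False, "allow_deletions": False}

def missing_controls(protection):
    """Controls still off in a GET response; None means the branch is unprotected (gh got a 404)."""
    if protection is None:
        return ["PR reviews", "status checks", "force-push blocking", "deletion blocking"]
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < REQUIRED_REVIEWS:
        gaps.append("PR reviews")
    if not protection.get("required_status_checks"):
        gaps.append("status checks")
    if (protection.get("allow_force_pushes") or {}).get("enabled", True):
        gaps.append("force-push blocking")
    if (protection.get("allow_deletions") or {}).get("enabled", True):
        gaps.append("deletion blocking")
    return gaps

def gh_api(method, endpoint, body=None):
    """Run `gh api`; a non-zero exit (e.g. 404 'Branch not protected') is returned as None."""
    cmd = ["gh", "api", "-X", method, endpoint] + (["--input", "-"] if body is not None else [])
    proc = subprocess.run(cmd, input=None if body is None else json.dumps(body),
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.returncode == 0 and proc.stdout else None

def fix_branch_protection(repo, branch="main", ask=input):
    """Prompt -> apply -> re-check, as in the flow above; returns the controls still missing."""
    endpoint = f"repos/{repo}/branches/{branch}/protection"
    gaps = missing_controls(gh_api("GET", endpoint))
    if not gaps:
        return []
    print(f"Branch protection on `{branch}` is missing: {', '.join(gaps)}.")
    if ask("Would you like me to configure branch protection now? [y/n] ").strip().lower() != "y":
        return gaps  # user declined: skip and move on to the next item
    gh_api("PUT", endpoint, desired_protection())
    return missing_controls(gh_api("GET", endpoint))  # re-check that section before moving on
```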
Priority order for prompts
Present items in this order (critical first):
- CRITICAL: Secret scanning alerts (leaked secrets)
- HIGH: Branch protection missing
- HIGH: Code scanning (CodeQL) not enabled
- MEDIUM: Dependabot missing
- MEDIUM: Snyk not integrated
- MEDIUM: Codecov not configured
- LOW: SECURITY.md missing
- LOW: CODEOWNERS missing
- LOW: Repo description/topics missing
Acceptance Criteria
- Fixes are applied via the `gh` CLI or GitHub MCP tools (no manual steps required from the user)