Every developer tool repository must have these four core GitHub Actions workflows. Optional workflows are documented at the end.
Triggers: push to main, pull_request to main
Validates the structural integrity of the plugin before merging.
Required checks:
| Check | Description |
|---|---|
| JSON validity | plugin.json (and mcp.json if present) parse without errors |
| Manifest fields | All required fields exist, name is kebab-case |
| Skill file existence | Every path in plugin.json skills array points to a real file |
| Rule file existence | Every path in plugin.json rules array points to a real file |
| Frontmatter | Skills have YAML frontmatter starting with ---; rules have .mdc frontmatter |
| Credential scanning | No hardcoded passwords, API keys, or tokens in source files |
Conditional checks (include if applicable):
| Check | Condition |
|---|---|
| Python syntax | If mcp-server/ exists, py_compile all .py files |
| Test suite | If tests/ exists, run pytest tests/ -v |
| Content counts | If README contains stat counts, verify they match actual file counts |
Triggers: push to main (with paths-ignore for docs, markdown, and .github/ changes)
Automatic version bump, tagging, and GitHub Release creation.
Flow:
- Read current version from
.cursor-plugin/plugin.json - Parse commit messages since last tag for bump type:
feat!:orBREAKING CHANGE= majorfeat:= minor- Everything else = patch
- Compute new semver version
- Update
plugin.jsonversion andREADME.mdversion badge - Commit with
chore: bump version to X.Y.Z [skip ci] - Create git tag
vX.Y.Z - Create GitHub Release with grouped release notes
- Sync repo About section (description, homepage, topics) via
gh repo edit
Requirements:
concurrency: { group: release, cancel-in-progress: false }to prevent race conditionspermissions: contents: writefetch-depth: 0on checkout for full git history
Triggers: push to main (paths: docs/**, assets/**), workflow_dispatch
Deploys the docs/ directory to GitHub Pages.
Static HTML approach (default):
steps:
- uses: actions/checkout@v4
- name: Copy assets into docs
run: cp -r assets docs/assets
- uses: actions/configure-pages@v5
- uses: actions/upload-pages-artifact@v4
with:
path: docs
- uses: actions/deploy-pages@v5MkDocs approach (for repos with extensive docs):
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install mkdocs-material
- run: mkdocs build --strict
- uses: actions/upload-pages-artifact@v3
with:
path: site/
- uses: actions/deploy-pages@v4Required permissions:
permissions:
pages: write
id-token: writeTriggers: schedule (daily or weekly), workflow_dispatch
Marks issues and PRs as stale after inactivity and closes them after further inactivity. Use actions/stale with sensible defaults (e.g., 30 days stale, 7 days to close).
| Workflow | Purpose | When to include |
|---|---|---|
codeql.yml |
Security scanning via GitHub CodeQL | Repos with substantial code (MCP servers, TypeScript packages) |
dependency-review.yml |
PR dependency audit | Repos with external dependencies |
release-drafter.yml |
Draft release notes automatically | Repos with frequent PRs |
ci.yml |
Extended test/lint/build pipeline | Repos with complex test suites |
| Domain-specific update | Auto-fetch external data (e.g., native DBs, API schemas) | Repos that consume external data |
- Use lowercase with hyphens:
validate.yml,release.yml,pages.yml - The
name:field inside the workflow should be title case:Validate,Release,Deploy GitHub Pages - Job names should be descriptive:
validate-json,bump-version-and-release,deploy
- Use
${{ secrets.GITHUB_TOKEN }}(automatically provided) for all Git operations - Never store custom secrets unless absolutely required (e.g., npm publish tokens)
- Set minimal
permissionsat the workflow level, not at the job level