prowler-ci

Installs: 54
Rank: #13817

Install

npx skills add https://github.com/prowler-cloud/prowler --skill prowler-ci

What this skill covers

Use this skill whenever you are:

- Reading or changing GitHub Actions workflows under .github/workflows/
- Explaining why a PR fails checks (title, changelog, conflict markers, secret scanning)
- Figuring out which workflows run for UI/API/SDK changes and why
- Diagnosing path-filtering behavior (why a workflow did/didn't run)

Quick map (where to look)

- PR template: .github/pull_request_template.md
- PR title validation: .github/workflows/conventional-commit.yml
- Changelog gate: .github/workflows/pr-check-changelog.yml
- Conflict markers check: .github/workflows/pr-conflict-checker.yml
- Secret scanning: .github/workflows/find-secrets.yml
- Auto labels: .github/workflows/labeler.yml and .github/labeler.yml
- Review ownership: .github/CODEOWNERS

Debug checklist (PR failing checks)

1. Identify which workflow/job is failing (name + file under .github/workflows/).
2. Check path filters: is the workflow supposed to run for your changed files?
3. If it's a title check: verify the PR title matches Conventional Commits.
4. If it's changelog: verify the right CHANGELOG.md is updated OR apply the no-changelog label.
5. If it's the conflict checker: remove <<<<<<<, =======, >>>>>>> markers.
6. If it's secrets (TruffleHog): see the section below.

TruffleHog Secret Scanning

TruffleHog scans for leaked secrets. Common false positives in test files:

Patterns that trigger TruffleHog:

- sk-T3BlbkFJ - OpenAI API keys
- AKIA[A-Z0-9]{16} - AWS Access Keys
- ghp_ / gho_ - GitHub tokens
- Base64-encoded strings that look like credentials

Fix for test files:

BAD - looks like real OpenAI key

api_key = "sk-test1234567890T3BlbkFJtest1234567890"

GOOD - obviously fake

api_key = "sk-fake-test-key-for-unit-testing-only"
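To show why the BAD fixture trips the scanner while the GOOD one passes, here is a small checker written for this page (example code, not part of Prowler or TruffleHog): it runs simplified versions of the three patterns listed above over a constructed test file. The regexes, the sample file and the AKIAIOSFODNN7EXAMPLE value (AWS's documentation placeholder) are assumptions of this example, not TruffleHog's real detectors.

```python
import re
from typing import Dict, List

# Simplified detectors modelled on the patterns listed on this page.
# These are illustrative regexes written for this example, not TruffleHog's own.
DETECTORS: Dict[str, "re.Pattern[str]"] = {
    # OpenAI keys: "sk-" prefix with the T3BlbkFJ marker somewhere in the body
    "openai": re.compile(r"sk-[A-Za-z0-9_-]*T3BlbkFJ[A-Za-z0-9_-]*"),
    # AWS access key IDs: AKIA followed by 16 uppercase alphanumerics
    "aws_access_key": re.compile(r"AKIA[A-Z0-9]{16}"),
    # GitHub personal/OAuth tokens: ghp_/gho_ prefix plus a long alphanumeric body
    "github_token": re.compile(r"gh[po]_[A-Za-z0-9]{20,}"),
}

# Constructed fixture for this example (not a real repository file).
SAMPLE_TEST_FILE = (
    "# constructed fixture for this example\n"
    'api_key = "sk-test1234567890T3BlbkFJtest1234567890"\n'  # BAD: T3BlbkFJ marker
    'aws_key = "AKIAIOSFODNN7EXAMPLE"\n'                       # AWS docs placeholder
    'gh_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'  # constructed ghp_ token
    'safe_key = "sk-fake-test-key-for-unit-testing-only"\n'    # GOOD: no marker
)


def scan_text(text: str) -> List[dict]:
    """Return one finding per (line, detector, match) over the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "detector": name, "match": match.group(0)})
    return findings


def flagged_lines(text: str) -> List[int]:
    """Sorted, de-duplicated line numbers that at least one detector matched."""
    return sorted({f["line"] for f in scan_text(text)})


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEST_FILE):
        print(f"line {finding['line']}: {finding['detector']} -> {finding['match']}")
```

Rewriting a fixture so it no longer carries the marker substring (line 5 above) is what makes it "obviously fake" to the scanner, not the word "test" in the value.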

If TruffleHog flags a real secret:

1. Remove the secret from the code immediately.
2. Rotate the credential (it's now in git history).
3. Consider using .trufflehog-ignore for known false positives (rarely needed).

Notes

- Keep prowler-pr focused on creating PRs and filling the template.
- Use prowler-ci for CI policies and gates that apply to PRs.
