garymike/security-workflows — reverse-engineered prompt
Reverse engineered prompt
Build me a reusable GitHub Actions security repo that I can call from my other personal repos. I want one simple security workflow people can copy into a repo, then it should run on every push and pull request for basic checks like secret scanning, unpinned action detection, and making sure a SECURITY.md file exists. I also want a scheduled weekly audit workflow that checks repo settings like Dependabot alerts and auto fix, read only default permissions, branch protection, and delete branch on merge.
Please also include optional reusable workflows for auditing GitHub Actions files and for auditing agent skills, using pinned toolbox container images published publicly so other repos can pull them. The whole thing should feel supply chain hardened, with pinned versions, signed images, SBOM and provenance, and clear docs on how to use it safely, preferably pinning to a release tag or commit SHA.
Add example workflow usage, docs, and a dogfood setup so this repo scans itself too. Look up current docs online if you need to.
Want more depth? Deep Reverse