By name: toolr-ci-setup
description: |
Wire the s0undt3ch/ToolR GitHub Action into a caller
repository's workflows. Use when setting up toolr in CI;
when authoring .github/workflows/*.yml that runs a toolr
command; when wiring toolr self build-manifest --check
as a CI gate for a plugin repository; when picking the
right pin form for uses: s0undt3ch/ToolR@…; or when
debugging the action's minimum-version error, attestation
verify failures, or persistent venv cache misses. Triggers
on phrases like "set up toolr in CI", "GitHub Actions for
toolr", "use the toolr action", "cache toolr in CI",
"verify SLSA attestation in CI", and literal
uses: s0undt3ch/ToolR@ snippets. Stays inert on local
authoring requests (covered by the toolr-command-authoring
skill), on wheel-building outside a CI gate (covered by
toolr-command-packaging), and on toolr's own internal
.github/actions/* sub-actions.
Setting up toolr in GitHub Actions
You are wiring the s0undt3ch/ToolR composite action into a
repository's CI. The action installs the toolr Rust binary, verifies
its SLSA build provenance, caches the binary and the per-repo
tools/.venv, and hands the next workflow step a toolr on PATH.
Your job is to produce (or modify) a .github/workflows/*.yml that
consumes the action correctly.
This skill teaches the consumer side of the action. The
authoritative input/output surface lives in
references/action.md, regenerated from
action.yml on every release — read it when you need exact defaults
or argument shapes.
What this skill covers
- Pinning
uses: s0undt3ch/ToolR@<sha>correctly. - A minimal one-step workflow that runs a toolr command.
- The two canonical recipes: running a toolr command in CI, and
gating
toolr self build-manifest --checkfor plugin repos. - The three failure modes a typical caller hits first.
What this skill does not cover
- Authoring or editing the
tools/*.pycommands the workflow runs — see thetoolr-command-authoringskill. - Building or shipping a toolr plugin wheel — see the
toolr-command-packagingskill. This skill only covers the CI gate side (--check), not manifest generation itself. - Non-action install paths in CI (manual
curl | shfallback,mise-action, self-hosted runner image baking). Use the action. - Toolr's own internal
.github/actions/*sub-actions (apply-release-patch,configure-git,setup-pre-commit,setup-virtualenv,throttle). Those are toolr's release plumbing, not a public consumer surface — do not call them from external repos.
The minimum viable workflow
name: toolr
on: [push, pull_request]
jobs:
run:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: s0undt3ch/ToolR@<sha> # v0.20.0
- run: toolr <group> <cmd>
Replace <sha> with the full commit SHA of the release tag and
<group> <cmd> with the toolr command you want to run. That is
the whole surface for the common case — the action handles
attestation verification, caching, and venv setup.
Pinning policy
Recommended default — SHA-pinned with a version comment:
- uses: s0undt3ch/ToolR@a1b2c3d4e5f6... # v0.20.0
This is the form GitHub's own security guidance recommends and the
form toolr itself uses for upstream actions (see actions/cache in
action.yml). The version comment lets a human reader (and
Dependabot) match the SHA to a release tag without resolving the ref.
Acceptable for prototypes — tag-pinned:
- uses: s0undt3ch/ToolR@v0.20.0
Easier to write while iterating; trade reproducibility for readability.
Do not use floating-major (@v0) pre-1.0. Toolr's pre-1.0
contract permits breaking changes on minor bumps, so @v0 is
effectively latest and may silently break a workflow.
The action enforces a minimum version of 0.20.0 (the first
binary-only release shape). Anything below that fails fast with a
clear error.
Recipe 1 — Run a toolr command in CI
Single-OS form was shown above. For multi-OS coverage (use this when your toolr commands shell out to platform-specific tooling or you ship a plugin that must work cross-platform):
name: toolr
on: [push, pull_request]
jobs:
run:
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: s0undt3ch/ToolR@<sha> # v0.20.0
- run: toolr <group> <cmd>
The action ships binaries for x86_64/aarch64 Linux (glibc and
musl), x86_64/aarch64 macOS, and x86_64 Windows. The right
archive is selected automatically from RUNNER_OS + uname -m.
For the authoring side — how the tools/<file>.py defining the
command you're running is structured — see
toolr-command-authoring.
Recipe 2 — Gate plugin manifests with --check
When you ship toolr commands as a plugin wheel, the committed
toolr-manifest.json must match what toolr self build-manifest
would produce from the current source. The --check flag gives you
a non-zero exit on drift. Wire it as a CI gate so a stale manifest
cannot land:
name: toolr-manifest
on: [push, pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: s0undt3ch/ToolR@<sha> # v0.20.0
- run: |
toolr self build-manifest \
--source-dir src/my_plugin \
--package my_plugin \
--check
Replace src/my_plugin with your plugin source directory and
my_plugin with the importable package name.
For the generation side — how to produce toolr-manifest.json
in the first place, what schema it follows, and how to include it
in the wheel — see
toolr-command-packaging —
this skill only owns the --check gate side.
Inputs and outputs at a glance
The full input/output surface (defaults, descriptions, what each
input controls) lives in
references/action.md. It is regenerated
from action.yml on every release, so it cannot drift. Read it when
you need to override caching, point at a different release, or pass
extra uv sync flags.
Common failure modes
refusing to install toolr <ver> — minimum supported version is 0.20.0— the action enforces a0.20.0floor because earlier releases shipped as a Python package and are no longer compatible. Upgrade your pin to0.20.0or later; do not try to work around the check.gh attestation verifyfails on a fork — the action verifies the SLSA build provenance of every downloaded archive. On runners withoutghavailable, setskip-attestation: trueonly if you understand you are turning off the supply-chain gate. Prefer installinggh(it's already present on GitHub-hosted runners) or pre-baking it into self-hosted runner images.tools/.venvcache misses every run — the venv cache key hashestools/pyproject.toml,tools/uv.lock, anduv.lock. If none of those are committed (or if yourtools/layout is non-standard), the key never stabilises. Commit the lock files alongsidetools/pyproject.toml. Local complement to the CI gate: the--checkrecipe above works equally well as a prek hook in yourpre-commitconfig.
Authoring and packaging are different problems
If you haven't written the toolr commands yet, this skill cannot
help you produce them. Invoke
toolr-command-authoring
to write them, then come back here to wire the workflow. For
shipping commands as a distributable plugin, see
toolr-command-packaging —
this skill only owns the --check gate side.