CI/CD pipelines decay quietly. The build that took 4 minutes at launch takes 14 now. The cache that worked yesterday silently busts on every commit because the lockfile path changed. The secret that was set up for a one-off task is still in the workflow file two years later, with read access to the production database. The team feels the slowness and the security debt without locating either, because the pipeline is rarely audited deliberately.
The /relay-audit skill performs the audit across four dimensions: performance (where the pipeline is slow), security (hardcoded secrets, over-permissioned tokens, unpinned third-party actions), reliability (missing retries, race conditions between parallel jobs), and developer experience (cryptic error messages, missing artifact uploads on failure). The output is a ranked findings list with file-level remediation.
What the audit covers
- Performance: cache key correctness, parallelization opportunities, expensive steps that could be moved off the critical path.
- Security: secret scanning across workflow files, pinning of third-party GitHub Actions, OIDC for cloud auth instead of long-lived credentials, least privilege for service accounts.
- Reliability: retry policies on flaky network steps, concurrency control per branch, atomic deploys with rollback.
- Developer experience: clear failure messages, artifact upload on failure for debugging, per-step run-time visibility.
How /relay-audit works
The skill reads the pipeline configuration, recent run history (timing per step, failure patterns), and the secrets and permissions configuration. It cross-references against the team's standards and produces ranked findings. Each finding has a severity, remediation steps, and the file/line where the change applies.
Unpinned third-party GitHub Actions are a supply-chain risk that has bitten multiple high-profile projects. A tag or branch reference such as @v4 or @main is mutable: whoever controls the action's repository, or compromises it, can move that ref to different code, and every workflow that references it runs the new code on its next trigger. A full 40-character commit SHA is immutable. /relay-audit flags every action that is not pinned to a commit SHA and recommends SHA pinning by default.
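As an added illustration of the pinning, permission and secret checks described above, here is a small line-oriented scanner in Python. It is example code written for this page, not /relay-audit's implementation, and the workflow it scans is constructed for the example: the 40-hex value after actions/setup-node is a placeholder, not a real commit, and the AWS key is the documented example value.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for this example; it is not taken from any real
# repository. The 40-hex "SHA" is a placeholder, not a real setup-node commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo "$DB_PASSWORD"
        env:
          DB_PASSWORD: "hunter2-prod"
      - run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

ACTION_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA: the only immutable ref
PERMS_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")
ENV_KV_RE = re.compile(r"^\s+([A-Za-z_][A-Za-z0-9_]*):\s*['\"]?([^'\"#]+?)['\"]?\s*$")
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
SECRETS_EXPR_RE = re.compile(r"\$\{\{\s*secrets\.")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str
    rule: str
    message: str


def check_action(lineno: int, ref: str) -> list[Finding]:
    """Classify one `uses:` reference. Only a full commit SHA counts as pinned."""
    if ref.startswith("./"):
        return []  # local action: versioned together with the repository itself
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return []
        return [Finding(lineno, "medium", "unpinned-image",
                        f"{ref} is referenced by tag; pin the image to its digest (image@sha256:...)")]
    name, _, version = ref.partition("@")
    if not version:
        return [Finding(lineno, "high", "unpinned-action",
                        f"{name} has no ref; it resolves to the default branch on every run")]
    if SHA40_RE.match(version):
        return []
    return [Finding(lineno, "high", "unpinned-action",
                    f"{ref} uses mutable ref '{version}'; pin to the full commit SHA "
                    f"and keep the tag in a trailing comment")]


def audit_workflow(text: str) -> list[Finding]:
    """Line-oriented scan of a GitHub Actions workflow; findings ranked by severity, then line."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ACTION_RE.match(raw)
        if m:
            findings.extend(check_action(lineno, m.group(1)))
            continue
        if PERMS_RE.match(raw):
            findings.append(Finding(lineno, "high", "over-permissioned",
                                    "permissions: write-all grants every scope to GITHUB_TOKEN; "
                                    "declare only the scopes each job needs"))
            continue
        m = ENV_KV_RE.match(raw)
        # A secret-looking env key whose value is not a ${{ secrets.* }} expression is a literal.
        if m and SECRET_NAME_RE.search(m.group(1)) and not SECRETS_EXPR_RE.search(m.group(2)):
            key = m.group(1)
            findings.append(Finding(lineno, "critical", "hardcoded-secret",
                                    f"{key} is a literal in the workflow file; store it as a "
                                    f"repository secret and reference ${{{{ secrets.{key} }}}}"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.line))
    return findings


def render(findings: list[Finding]) -> list[str]:
    """One report line per finding, highest severity first, with the file line it applies to."""
    return [f"[{f.severity}] line {f.line} {f.rule}: {f.message}" for f in findings]


if __name__ == "__main__":
    print("\n".join(render(audit_workflow(SAMPLE_WORKFLOW))))
```

Running it against the constructed workflow reports the two literal secrets first, then the write-all token and the tag-pinned checkout action, and finally the digest-less container image; the SHA-pinned step, the local action and the env entry that reads from secrets produce nothing. A real audit would parse the YAML rather than scan lines, but the classification rules are the same.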
Tonone's /relay-audit skill audits CI/CD pipelines for performance bottlenecks, security gaps, reliability issues, and developer experience problems.
| Capability | Tonone | Generalist chatbot | Cursor / Copilot |
|---|---|---|---|
| Reads pipeline run history | Yes, finds slow steps with data | Generic advice | Tool-specific |
| Secret and permission scan | Yes, with action pinning check | Surface scan | Variable |
| Reliability findings (retries, concurrency) | Yes | Often missed | Variable |
| Developer experience findings | Yes, error messages and artifacts | Not in scope | Variable |
Related skills
/relay-audit audits existing pipelines. /relay-pipeline builds new ones. /relay-docker covers container builds. /relay-deploy covers deployment configuration.
Install
/relay-audit ships with the Relay agent in Tonone for Claude Code. Install Tonone, invoke /relay-audit against the pipeline config, and the skill produces the audit.
1. Add to marketplace
2. Install Relay
Frequently asked questions
- What does /relay-audit do?
- It audits CI/CD pipelines across performance, security, reliability, and developer experience, producing ranked findings with file-level remediation.
- What CI platforms does /relay-audit support?
- GitHub Actions, GitLab CI, CircleCI, Cloud Build, Buildkite, and Jenkins.
- How do I install /relay-audit?
- Install Tonone for Claude Code via tonone.ai/get-started. /relay-audit ships with the Relay agent. Tonone is free and MIT-licensed.