Write a GitHub Actions composite action that runs linting, testing, and SBOM generation as reusable steps and publishes the composite action to a shared internal repository
Create an action.yaml in the composite action repository defining inputs, outputs, and a runs block with using: composite and steps listing shell commands or third-party action references
For each step in the composite action, set the shell field explicitly since composite actions require it, and propagate input values into steps using the inputs context with the correct syntax
Add an output that captures a value produced during the steps, such as a generated SBOM file path or test result summary, using the outputs context and an echo step that writes to GITHUB_OUTPUT
Tag the composite action repository with a semantic version tag and reference it from a caller workflow using the repository path at the tag, validating that inputs pass correctly
Test the composite action in a matrix build across multiple runner OS types to confirm shell compatibility for each step
Known gotchas
Composite actions cannot use the secrets context directly; secrets must be passed as explicit inputs from the caller workflow, which means the action interface must declare each secret as an input and callers must pass it — this is intentional for auditability but frequently surprises first-time authors
Environment variables set with env at the composite action level are not automatically inherited by steps that call other actions; they must be re-declared in the step env block or passed as inputs
Composite action steps run in the caller's runner environment; if the composite action assumes a specific tool is installed, it must include a setup step rather than relying on the caller's runner image
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp