
Level 9 Practice: Automate Weekly Article Generation and Vulnerability Monitoring 24/7

If you want to understand the concepts and mechanics first, see the Level 9 concept guide.


The parallel implementation infrastructure from Level 8 is now in place. The next goal is a portfolio that keeps growing even while I’m away. I’ll build two automation pipelines using GitHub Actions.

Who this is for: Anyone who has completed up to Level 8 and knows the basics of GitHub Actions (how to write workflow files).

Estimated time: 15 min read + 60 min hands-on


In Level 8, I implemented three features in parallel. my-portfolio now has dark mode, a projects page, and an RSS feed, and a PR-based development flow is in place.

Two things I want to automate:

  1. Weekly blog generation: Every Monday morning, automatically generate a blog post from last week’s trends and open a PR.
  2. Vulnerability monitoring: Run npm audit daily, and when a high-risk vulnerability is detected, create an Issue and send a Slack notification.

my-portfolio/
├── .github/
│   └── workflows/           # ← add files here
├── scripts/
│   ├── parallel_features.sh
│   ├── review_pr.sh
│   └── collect_and_blog.sh
└── ...

Step 2: Create the Weekly Blog Generation Workflow

Create .github/workflows/weekly-blog.yml. Every Monday at 9:00 AM JST, Claude generates an article and opens a PR.

name: Weekly Blog Generation

on:
  schedule:
    - cron: "0 0 * * 1"   # UTC 0:00 = JST 9:00, every Monday
  workflow_dispatch:        # can also be triggered manually

jobs:
  generate-blog:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code

      - name: Generate weekly blog post
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          BRANCH="auto/blog-$(date +%Y%m%d)"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "${BRANCH}"

          claude --print --dangerously-skip-permissions -p "
          Generate one blog post for my-portfolio at src/content/posts/.

          Requirements:
          1. Choose a practical topic related to TypeScript, Next.js, or React
          2. Filename: src/content/posts/$(date +%Y-%m-%d)-weekly-tips.md
          3. Include title, date (today's date), description, and tags in frontmatter
          4. Body should be 800–1200 words and include at least one code example
          5. Add '---\n_This article was auto-generated by Claude Code._' at the end

          After generating the article, run git add and git commit.
          Commit message: 'feat: add weekly blog post $(date +%Y-%m-%d)'
          "

          git push origin "${BRANCH}"

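          # With GITHUB_TOKEN, this needs "Allow GitHub Actions to create and approve
          # pull requests" enabled under Settings > Actions > General.
          gh pr create \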
            --title "Weekly Blog: $(date +%Y-%m-%d)" \
            --body "This is an auto-generated weekly article by Claude Code. Please review and merge." \
            --base main \
            --head "${BRANCH}"

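Register ANTHROPIC_API_KEY in GitHub Secrets to enable the workflow (running gh secret set ANTHROPIC_API_KEY without --body prompts for the value instead, which keeps the key out of shell history):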

gh secret set ANTHROPIC_API_KEY --body "sk-ant-..."
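
The generation step runs the agent with --dangerously-skip-permissions in a job that holds contents: write, so a cheap guard before git push is to confirm the run produced exactly the one post the prompt asked for. The following is an added example, not part of the original tutorial; checkGeneratedChange, checkPost and the sample inputs are hypothetical names.

```javascript
// Added example, not part of the original workflow. checkGeneratedChange, checkPost
// and the sample inputs are constructed for illustration.
const POSTS_DIR = "src/content/posts/";
const REQUIRED_KEYS = ["title", "date", "description", "tags"];
const FOOTER = "_This article was auto-generated by Claude Code._";

// nameStatus: output of `git diff --name-status` between main and the generated branch.
function checkGeneratedChange(nameStatus, date) {
  const expected = `${POSTS_DIR}${date}-weekly-tips.md`;
  const violations = [];
  let sawExpected = false;
  for (const line of nameStatus.split("\n")) {
    if (line.trim() === "") continue;
    const [status, ...paths] = line.split("\t");
    // Only a plain add of the expected file passes; renames list two paths and fail.
    if (status === "A" && paths.length === 1 && paths[0] === expected) {
      sawExpected = true;
    } else {
      violations.push(`${status} ${paths.join(" -> ")}`);
    }
  }
  if (!sawExpected) violations.push(`missing ${expected}`);
  return { ok: violations.length === 0, violations };
}

// Check the frontmatter keys and footer that the prompt asks the model to produce.
function checkPost(markdown) {
  const match = /^---\r?\n([\s\S]*?)\r?\n---\r?\n/.exec(markdown);
  if (!match) return ["no frontmatter block"];
  const keys = match[1].split(/\r?\n/)
    .map((l) => /^([A-Za-z_]+):/.exec(l)).filter(Boolean).map((k) => k[1]);
  const problems = REQUIRED_KEYS.filter((k) => !keys.includes(k))
    .map((k) => `frontmatter lacks ${k}`);
  if (!markdown.trimEnd().endsWith(FOOTER)) problems.push("missing auto-generated footer");
  return problems;
}

// Constructed samples: a clean run, and a run that also touched package.json.
const CLEAN_DIFF = "A\tsrc/content/posts/2026-04-07-weekly-tips.md\n";
const DIRTY_DIFF = CLEAN_DIFF + "M\tpackage.json\n";
const SAMPLE_POST = "---\ntitle: Tips\ndate: 2026-04-07\ndescription: d\ntags: [ts]\n---\n" +
  "Body\n\n---\n" + FOOTER + "\n";
```

A non-empty violations list or problems list is a reason to stop before the branch is pushed; the human review in the PR still applies to the article text itself.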

Step 3: Create the Vulnerability Monitoring Workflow

Create .github/workflows/vulnerability-check.yml. Every day at 8:00 AM JST, it runs npm audit, and if a high-risk vulnerability is found, Claude analyzes the cause and creates an Issue.

name: Daily Vulnerability Check

on:
  schedule:
    - cron: "0 23 * * *"   # UTC 23:00 = JST 8:00, every day
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # unlisted scopes become "none"; actions/checkout needs read access
      issues: write

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci

      - name: Run npm audit and save results
        id: audit
        run: |
          npm audit --json > audit-result.json || true
          HIGH=$(jq '.metadata.vulnerabilities.high // 0' audit-result.json)
          CRITICAL=$(jq '.metadata.vulnerabilities.critical // 0' audit-result.json)
          echo "high=${HIGH}" >> "$GITHUB_OUTPUT"
          echo "critical=${CRITICAL}" >> "$GITHUB_OUTPUT"

      - name: Install Claude Code
        if: ${{ steps.audit.outputs.high != '0' || steps.audit.outputs.critical != '0' }}
        run: npm install -g @anthropic-ai/claude-code

      - name: Claude analyzes vulnerabilities and creates an Issue
        if: ${{ steps.audit.outputs.high != '0' || steps.audit.outputs.critical != '0' }}
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
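          # Node 20 ships npm 10, whose JSON report lists findings under .vulnerabilities
          # (the .advisories key only exists in the npm 6 report format).
          AUDIT_SUMMARY=$(jq '{
            high: .metadata.vulnerabilities.high,
            critical: .metadata.vulnerabilities.critical,
            findings: [.vulnerabilities | to_entries[] | .value | {
              name: .name,
              severity: .severity,
              range: .range,
              fix_available: .fixAvailable,
              advisories: [.via[] | objects | {title: .title, url: .url}]
            }]
          }' audit-result.json)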

          ISSUE_BODY=$(claude --print --dangerously-skip-permissions -p "
          Analyze the following npm audit results.

          ${AUDIT_SUMMARY}

          Write an Issue body in the following format (Markdown):
          1. Summary of detected vulnerabilities (count by severity)
          2. Description and impact of each vulnerability (package name and version)
          3. Recommended fix steps (include npm update / npm audit fix commands)
          4. Urgency assessment (needs immediate action vs. can wait for next sprint)
          ")

          # The "security" and "automated" labels must already exist in the repository.
          gh issue create \
            --title "🚨 Vulnerabilities detected: high=${{ steps.audit.outputs.high }}, critical=${{ steps.audit.outputs.critical }} ($(date +%Y-%m-%d))" \
            --body "${ISSUE_BODY}" \
            --label "security,automated"

      - name: Notify Slack
        if: ${{ steps.audit.outputs.critical != '0' }}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          curl -X POST "${SLACK_WEBHOOK_URL}" \
            -H "Content-Type: application/json" \
            -d '{
              "text": "🚨 *Critical vulnerabilities detected in my-portfolio*\ncritical: ${{ steps.audit.outputs.critical }} found\nCheck GitHub Issues for details."
            }'

The last Slack notification step can be omitted if you are not using Slack.
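
In the workflow above, `|| true` combined with `// 0` turns an audit run that produced a JSON error object without metadata into high=0 and critical=0, which reads as a clean result. This added example, not part of the original tutorial, parses the report fail-closed, accepts both the npm 7+ `vulnerabilities` layout and the older `advisories` layout, and keeps advisory text short and single-line before it is placed in a prompt; summarizeAudit, MAX_ITEMS and the sample reports are hypothetical.

```javascript
// Added example, not part of the original workflow. summarizeAudit, MAX_ITEMS and
// both sample reports are constructed for illustration.
const MAX_ITEMS = 20;

// Collapse control characters and cap length so advisory text stays one bounded line.
function clean(text, max = 200) {
  return String(text).replace(/[\u0000-\u001f\u007f]+/g, " ").trim().slice(0, max);
}

function summarizeAudit(jsonText) {
  let report;
  try {
    report = JSON.parse(jsonText);
  } catch {
    return { ok: false, reason: "audit output is not valid JSON" };
  }
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts.high !== "number" || typeof counts.critical !== "number") {
    // A failed audit carries no counts; report that instead of treating it as zero.
    return { ok: false, reason: "no severity counts in report" };
  }
  const items = [];
  for (const v of Object.values(report.vulnerabilities || {})) { // npm 7+ layout
    const titles = (v.via || []).map((x) => (typeof x === "string" ? `via ${x}` : x.title));
    items.push({ name: clean(v.name), severity: clean(v.severity), range: clean(v.range),
      fixAvailable: Boolean(v.fixAvailable), titles: titles.map((t) => clean(t)) });
  }
  for (const a of Object.values(report.advisories || {})) { // npm 6 layout
    items.push({ name: clean(a.module_name), severity: clean(a.severity),
      range: clean(a.vulnerable_versions), fixAvailable: null, titles: [clean(a.title)] });
  }
  const urgent = items.filter((i) => i.severity === "high" || i.severity === "critical");
  return { ok: true, high: counts.high, critical: counts.critical,
    items: urgent.slice(0, MAX_ITEMS) };
}

// Constructed sample reports: one npm 7+ report, one failed run without metadata.
const SAMPLE_V2 = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-pkg": { name: "example-pkg", severity: "high", range: "<1.2.3",
      fixAvailable: true, via: [{ title: "Prototype pollution\n\nin merge()" }] },
    "other-pkg": { name: "other-pkg", severity: "low", range: "*",
      fixAvailable: false, via: ["example-pkg"] },
  },
  metadata: { vulnerabilities: { low: 1, high: 1, critical: 0, total: 2 } },
});
const SAMPLE_FAILED = JSON.stringify({ message: "constructed failure: registry unreachable" });
```

When ok is false the job should fail or alert rather than skip the Issue step, so that a broken audit is visible instead of looking like a day with no findings.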


git add .github/workflows/weekly-blog.yml .github/workflows/vulnerability-check.yml
git commit -m "ci: add weekly blog generation and vulnerability check workflows"
git push origin main

Trigger a manual test run for each workflow:

# Manually trigger weekly blog generation
gh workflow run weekly-blog.yml

# Manually trigger vulnerability check
gh workflow run vulnerability-check.yml

Check the results:

# List recent workflow runs
gh run list --limit 5

# View logs for a specific run
gh run view --log

When the workflows succeed, the following are auto-created.

Weekly blog PR:

gh pr list
# → Shows a PR like "Weekly Blog: 2026-04-07"

Vulnerability Issue (if vulnerabilities exist):

gh issue list --label "security"
# → Shows an Issue like "🚨 Vulnerabilities detected: ..."

Review the PR and merge if it looks good. For the vulnerability Issue, follow the instructions to run npm audit fix.


Step 6: Tune the Notification and Review Flow

Auto-generated content must always be reviewed by a human. Add the following rules to CLAUDE.md:

## Automation Rules

### Weekly blog generation
- PRs are auto-created every Monday
- Never merge without reviewing first
- Close the PR if the content is inappropriate

### Vulnerability monitoring
- Respond to critical Issues within 24 hours
- Respond to high Issues within the current week
- If a false positive, add the "false-positive" label and close the Issue

  • Two automation pipelines are running via GitHub Actions
  • Blog posts are generated weekly and queued as PRs awaiting review
  • npm audit runs daily and auto-creates Issues when vulnerabilities are detected

my-portfolio/
├── .github/
│   └── workflows/
│       ├── weekly-blog.yml          # ← newly added
│       └── vulnerability-check.yml  # ← newly added
├── scripts/
│   ├── parallel_features.sh
│   ├── review_pr.sh
│   └── collect_and_blog.sh
└── ...
