AgentSkillsCN

gh-actions-validator

在验证GitHub Actions工作流用于Google Cloud与Vertex AI部署时使用。通过“validate github actions”、“setup workload identity federation”、“github actions安全”、“deploy agent with ci/cd”或“automate vertex ai部署”等短语触发。强制实施Workload Identity Federation (WIF),验证OIDC权限,确保最小权限IAM,并实施安全最佳实践。

SKILL.md
--- frontmatter
name: gh-actions-validator
description: |
  Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
allowed-tools: Read, Write, Edit, Grep, Glob, Bash(git:*), Bash(gcloud:*)
version: 1.0.0
author: Jeremy Longshore <jeremy@intentsolutions.io>
license: MIT

Gh Actions Validator

Overview

Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes.

Prerequisites

Before using this skill, ensure:

  • GitHub repository with Actions enabled
  • Google Cloud project with billing enabled
  • gcloud CLI authenticated with admin permissions
  • Understanding of Workload Identity Federation concepts
  • GitHub repository secrets configured
  • Appropriate IAM roles for CI/CD automation

Instructions

  1. Audit Existing Workflows: Scan .github/workflows/ for security issues
  2. Validate WIF Usage: Ensure no JSON service account keys are used
  3. Check OIDC Permissions: Verify id-token: write is present
  4. Review IAM Roles: Confirm least privilege (no owner/editor roles)
  5. Add Security Scans: Include secret detection and vulnerability scanning
  6. Validate Deployments: Add post-deployment health checks
  7. Configure Monitoring: Set up alerts for deployment failures
  8. Document WIF Setup: Provide one-time WIF configuration commands

Output

code
  - uses: actions/checkout@v4
  - name: Authenticate to GCP (WIF)
  - name: Deploy to Vertex AI
        --project=${{ secrets.GCP_PROJECT_ID }} \
        --region=us-central1
  - name: Validate Deployment

Error Handling

See {baseDir}/references/errors.md for comprehensive error handling.

Examples

See {baseDir}/references/examples.md for detailed examples.

Resources