playbooks

home / skills / jeremylongshore / claude-code-plugins-plus-skills / gh-actions-validator

gh-actions-validator skill

/plugins/devops/jeremy-github-actions-gcp/skills/gh-actions-validator

This skill audits and hardens GitHub Actions workflows for Google Cloud and Vertex AI using Workload Identity Federation to enforce least privilege.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill gh-actions-validator

Review the files below or copy the command above to add this skill to your agents.

Files (5)
SKILL.md
2.7 KB
---
name: gh-actions-validator
description: |
  Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
allowed-tools: Read, Write, Edit, Grep, Glob, Bash(git:*), Bash(gcloud:*)
version: 1.0.0
author: Jeremy Longshore <[email protected]>
license: MIT
---

# Gh Actions Validator

## Overview

Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes.

## Prerequisites

Before using this skill, ensure:
- GitHub repository with Actions enabled
- Google Cloud project with billing enabled
- gcloud CLI authenticated with admin permissions
- Understanding of Workload Identity Federation concepts
- GitHub repository secrets configured
- Appropriate IAM roles for CI/CD automation

## Instructions

1. **Audit Existing Workflows**: Scan .github/workflows/ for security issues
2. **Validate WIF Usage**: Ensure no JSON service account keys are used
3. **Check OIDC Permissions**: Verify id-token: write is present
4. **Review IAM Roles**: Confirm least privilege (no owner/editor roles)
5. **Add Security Scans**: Include secret detection and vulnerability scanning
6. **Validate Deployments**: Add post-deployment health checks
7. **Configure Monitoring**: Set up alerts for deployment failures
8. **Document WIF Setup**: Provide one-time WIF configuration commands

## Output

      - uses: actions/checkout@v4
      - name: Authenticate to GCP (WIF)
      - name: Deploy to Vertex AI
            --project=${{ secrets.GCP_PROJECT_ID }} \
            --region=us-central1
      - name: Validate Deployment

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources

- Workload Identity Federation: https://cloud.google.com/iam/docs/workload-identity-federation
- GitHub OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments
- Vertex AI Agent Engine: https://cloud.google.com/vertex-ai/docs/agent-engine
- google-github-actions/auth: https://github.com/google-github-actions/auth
- WIF setup guide in {baseDir}/docs/wif-setup.md

Overview

This skill validates and hardens GitHub Actions workflows that deploy to Google Cloud and Vertex AI by enforcing Workload Identity Federation (WIF) and OIDC-based authentication. It scans workflows for long-lived service account keys, checks OIDC permissions, and recommends least-privilege IAM changes. Use it to audit existing CI/CD pipelines, add blocking CI checks, and produce a secure, repeatable WIF setup for deployments.

How this skill works

I scan the .github/workflows/ directory to detect uses of JSON service account keys, insecure permissions, or missing OIDC settings. I verify that jobs request id-token: write and that google-github-actions/auth is used for WIF-based authentication. I analyze IAM bindings referenced by the workflow and flag overly broad roles, then output concrete remediation steps and example workflow snippets that implement secure deployment to Vertex AI.

When to use it

  • Before migrating CI/CD from service account keys to Workload Identity Federation
  • During security audits of GitHub Actions that touch Google Cloud resources
  • When adding automated deployments to Vertex AI and enforcing least privilege
  • To add pre-merge checks that prevent credential leakage or excessive IAM roles
  • When onboarding new teams to secure GitHub-to-GCP deployment patterns

Best practices

  • Never commit JSON service account keys; use OIDC WIF with google-github-actions/auth
  • Request id-token: write in GitHub jobs and bind a narrow IAM role to the federation pool
  • Grant least privilege roles scoped to the deployment task (avoid owner/editor)
  • Add secret scanning and vulnerability scanning to the workflow as pre-deploy gates
  • Include post-deployment health checks and monitoring alerts for failures

Example use cases

  • Audit an existing repo to replace service account keys with Workload Identity Federation
  • Create a CI check that fails pull requests if workflows request excessive IAM roles
  • Build a secure Actions workflow that authenticates with google-github-actions/auth and deploys a Vertex AI agent
  • Automate WIF setup commands for a project and produce example workflow snippets
  • Integrate deployment health checks and alerting into the CI/CD pipeline

FAQ

Does this skill reject workflows that use service account keys?

Yes — it flags use of JSON keys as a high-risk finding and provides a WIF-based replacement snippet.

How do you verify OIDC permissions?

I check that jobs request id-token: write and that the workflow uses an OIDC-authenticated action such as google-github-actions/auth.