gh-actions-validator

# Gh Actions Validator ## Overview Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes. ## Prerequisites Before using this skill, ensure: - GitHub repository with Actions enabled - Google Cloud project with billing enabled - gcloud CLI authenticated with admin permissions - Understanding of Workload Identity Federation concepts - GitHub repository secrets configured - Appropriate IAM roles for CI/CD automation ## Instructions 1. **Audit Existing Workflows**: Scan .github/workflows/ for security issues 2. **Validate WIF Usage**: Ensure no JSON service account keys are used 3. **Check OIDC Permissions**: Verify id-token: write is present 4. **Review IAM Roles**: Confirm least privilege (no owner/editor roles) 5. **Add Security Scans**: Include secret detection and vulnerability scanning 6. **Validate Deployments**: Add post-deployment health checks 7. **Configure Monitoring**: Set up alerts for deployment failures 8. **Document WIF Setup**: Provide one-time WIF configuration commands ## Output - uses: actions/checkout@v4 - name: Authenticate to GCP (WIF) - name: Deploy to Vertex AI --project=${{ secrets.GCP_PROJECT_ID }} \ --region=us-central1 - name: Validate Deployment ## Error Handling See `{baseDir}/references/errors.md` for comprehensive error handling. ## Examples See `{baseDir}/references/examples.md` for detailed examples. ## Resources - Workload Identity Federation: https://cloud.google.com/iam/docs/workload-identity-federation - GitHub OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments - Vertex AI Agent Engine: https://cloud.google.com/vertex-ai/docs/agent-engine - google-github-actions/auth: https://github.com/google-github-actions/auth - WIF setup guide in {baseDir}/docs/wif-setup.md