Gh Actions Validator
Overview
Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes.
Prerequisites
Before using this skill, ensure:
- GitHub repository with Actions enabled
- Google Cloud project with billing enabled
- gcloud CLI authenticated with admin permissions
- Understanding of Workload Identity Federation concepts
- GitHub repository secrets configured
- Appropriate IAM roles for CI/CD automation
Instructions
- Audit Existing Workflows: Scan .github/workflows/ for security issues
- Validate WIF Usage: Ensure no JSON service account keys are used
- Check OIDC Permissions: Verify id-token: write is present
- Review IAM Roles: Confirm least privilege (no owner/editor roles)
- Add Security Scans: Include secret detection and vulnerability scanning
- Validate Deployments: Add post-deployment health checks
- Configure Monitoring: Set up alerts for deployment failures
- Document WIF Setup: Provide one-time WIF configuration commands
Output
- uses: actions/checkout@v4
- name: Authenticate to GCP (WIF)
- name: Deploy to Vertex AI
--project=${{ secrets.GCP_PROJECT_ID }} \
--region=us-central1
- name: Validate Deployment
Error Handling
See ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error handling.
Examples
See ${CLAUDE_SKILL_DIR}/references/examples.md for detailed examples.
Resources
- Workload Identity Federation: https://cloud.google.com/iam/docs/workload-identity-federation
- GitHub OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments
- Vertex AI Agent Engine: https://cloud.google.com/vertex-ai/docs/agent-engine
- google-github-actions/auth: https://github.com/google-github-actions/auth
- WIF setup guide in ${CLAUDE_SKILL_DIR}/docs/wif-setup.md