From jeremy-github-actions-gcp
Validates GitHub Actions workflows for secure Google Cloud and Vertex AI deployments using Workload Identity Federation, OIDC, least-privilege IAM, and security scans.
How this skill is triggered — by the user, by Claude, or both
Slash command
/jeremy-github-actions-gcp:gh-actions-validatorThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes.
Validate and harden GitHub Actions workflows that deploy to Google Cloud (especially Vertex AI) using Workload Identity Federation (OIDC) instead of long-lived service account keys. Use this to audit existing workflows, propose a secure replacement, and add CI checks that prevent common credential and permission mistakes.
Before using this skill, ensure:
- uses: actions/checkout@v4
- name: Authenticate to GCP (WIF)
- name: Deploy to Vertex AI
--project=${{ secrets.GCP_PROJECT_ID }} \
--region=us-central1
- name: Validate Deployment
See ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error handling.
See ${CLAUDE_SKILL_DIR}/references/examples.md for detailed examples.
npx claudepluginhub ia23a-lachnita/claude-code-plugins-plus-fix-skills --plugin jeremy-github-actions-gcp5plugins reuse this skill
First indexed Jul 10, 2026
Validates and hardens GitHub Actions workflows deploying to Google Cloud (Vertex AI). Enforces Workload Identity Federation (WIF/OIDC) instead of service account keys, audits IAM roles, and adds CI security checks.
Authors, reviews, and hardens GitHub Actions workflows with secure triggers, least-privilege permissions, and current action versions. Validates against official documentation.
Hardens GitHub Actions CI/CD workflows against supply-chain attacks by SHA-pinning actions, enforcing least-privilege token permissions, verifying toolchain installs, and adding OpenSSF Scorecard/SLSA provenance.