Can I use this for non-AI Google Cloud deployments?

Yes, while it contains specialized logic for Vertex AI, the core validation rules for WIF, IAM, and security scanning apply to any GCP deployment via GitHub Actions.

Does it help with Vertex AI Agent Engine specifics?

Absolutely. It validates Agent state, Code Execution Sandbox TTLs (7-14 days), Memory Bank settings, and ensures Model Armor is enabled for prompt injection protection.

Why does this skill enforce Workload Identity Federation (WIF)?

WIF eliminates the need for long-lived, insecure service account JSON keys by using short-lived tokens, significantly reducing the risk of credential leakage.

What specific security tools does it integrate?

The skill automatically configures and validates the presence of TruffleHog for secret scanning and Trivy for vulnerability detection within your YAML workflows.

GitHub Actions GCP Validator

Name: GitHub Actions GCP Validator
Author: jeremylongshore

byjeremylongshore

•

883

Deployment & DevOps

Validates and enforces security best practices for GitHub Actions workflows targeting Vertex AI and Google Cloud.

About

This skill acts as an automated auditor and generator for GitHub Actions pipelines, specifically optimized for Google Cloud and Vertex AI environments. It ensures production readiness by mandating Workload Identity Federation (WIF) over insecure JSON keys, enforcing OIDC permissions, and implementing comprehensive security scanning. Beyond simple CI/CD setup, it provides deep validation for Vertex AI Agent Engine deployments, including post-deployment health checks, VPC configurations, and IAM least privilege auditing to ensure your AI agents are deployed securely and efficiently.

Key Features

Workload Identity Federation (WIF) enforcement and automation
Security scanning integration using TruffleHog and Trivy
Vertex AI Agent Engine deployment configuration validation
IAM least privilege auditing for GCP service accounts
Automated OIDC permission verification for GitHub workflows
883 GitHub stars

Use Cases

Migrating legacy GitHub Actions from service account keys to secure WIF
Enforcing organizational security policies in Google Cloud deployment pipelines
Setting up production-grade CI/CD for Vertex AI agents and models

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jeremylongshore/claude-code-plugins-plus-skills gh-actions-validator

For use in Claude.ai and ChatGPT

Download Skill

GitHub