npm - @intentsolutionsio/jeremy-github-actions-gcp - Versions diffs - 2.1.0 → 2.1.2 - Mend

@intentsolutionsio/jeremy-github-actions-gcp 2.1.0 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +21 -1
package/agents/gh-actions-gcp-expert.md +5 -0
package/package.json +1 -1
package/skills/gh-actions-validator/SKILL.md +16 -5
package/skills/gh-actions-validator/references/errors.md +5 -0
package/skills/gh-actions-validator/references/examples.md +1 -0

package/README.md CHANGED Viewed

@@ -25,14 +25,17 @@ This plugin ensures secure, production-ready CI/CD pipelines for Vertex AI Agent
 ## Components
 ### Agent
 - **gh-actions-gcp-expert**: Expert in GitHub Actions for Vertex AI / GCP deployments
 ### Skills (Auto-Activating)
 - **gh-actions-validator**: Validates and enforces GitHub Actions best practices
   - **Tool Permissions**: Read, Write, Edit, Grep, Glob, Bash
   - **Version**: 1.0.0 (2026 schema compliant)
 ### Hooks
 - **PreToolUse**: Validates workflow files before writing/editing
   - Triggers on: `.github/workflows/*.yml`, `.github/workflows/*.yaml`
   - Runs: `scripts/validate-workflow.sh`
@@ -58,6 +61,7 @@ The skill auto-activates and enforces best practices.
 ### 1. Workload Identity Federation (WIF) Mandatory
 ❌ **NEVER ALLOWED - JSON Service Account Keys**:
 ```yaml
 # ❌ FORBIDDEN
 - uses: google-github-actions/auth@v2
@@ -66,6 +70,7 @@ The skill auto-activates and enforces best practices.
 ```
 ✅ **REQUIRED - WIF with OIDC**:
 ```yaml
 # ✅ ENFORCED
 permissions:
@@ -89,10 +94,12 @@ permissions:
 ### 3. IAM Least Privilege
 ❌ **Overly Permissive Roles Blocked**:
 - `roles/owner` - ❌ Blocked
 - `roles/editor` - ❌ Blocked
 ✅ **Least Privilege Roles Required**:
 - `roles/run.admin` - Cloud Run deployments
 - `roles/iam.serviceAccountUser` - Service account impersonation
 - `roles/aiplatform.user` - Vertex AI operations
@@ -100,6 +107,7 @@ permissions:
 ### 4. Post-Deployment Validation
 For Vertex AI deployments, validation is **REQUIRED**:
 ```yaml
 - name: Post-Deployment Validation
   run: |
@@ -108,6 +116,7 @@ For Vertex AI deployments, validation is **REQUIRED**:
 ```
 **Validation Checklist**:
 - ✅ Agent state is RUNNING
 - ✅ Code Execution Sandbox enabled (7-14 day TTL)
 - ✅ Memory Bank configured
@@ -120,6 +129,7 @@ For Vertex AI deployments, validation is **REQUIRED**:
 ### 5. Security Scanning
 **Recommended** (warnings if missing):
 ```yaml
 - name: Scan for secrets
   uses: trufflesecurity/trufflehog@main
@@ -279,7 +289,7 @@ jobs:
 The plugin includes a **PreToolUse** hook that validates workflow files **before** they're written:
-```bash
+```text
 # Automatically runs on .github/workflows/*.yml files
 scripts/validate-workflow.sh <workflow-file>
@@ -300,6 +310,7 @@ scripts/validate-workflow.sh <workflow-file>
 **Problem**: Using insecure JSON service account keys in workflows
 **Solution**: Plugin enforces WIF and blocks JSON keys
 ```
 User: "Create deployment workflow for Vertex AI"
@@ -315,6 +326,7 @@ Plugin provides:
 **Problem**: Need production-ready CI/CD for ADK agents
 **Solution**: Comprehensive deployment pipeline with validation
 ```
 User: "Deploy my ADK agent to Vertex AI Engine"
@@ -332,6 +344,7 @@ Plugin provides:
 **Problem**: Workflows missing security scanning or using weak IAM
 **Solution**: Hook validation + skill enforcement
 ```
 User: "Update my deployment workflow"
@@ -346,24 +359,29 @@ Plugin validates:
 ## Integration with Other Plugins
 ### jeremy-adk-orchestrator
 - Provides CI/CD for ADK agent deployments
 - Automates A2A protocol validation
 ### jeremy-vertex-validator
 - GitHub Actions calls validator for post-deployment checks
 - Production readiness scoring
 ### jeremy-vertex-engine
 - CI/CD triggers vertex-engine-inspector
 - Continuous health monitoring
 ### jeremy-adk-terraform
 - GitHub Actions deploys Terraform infrastructure
 - Automated provisioning
 ## Best Practices Summary
 ### Security (ENFORCED)
 ✅ Workload Identity Federation (WIF) - no JSON keys
 ✅ OIDC permissions (`id-token: write`)
 ✅ IAM least privilege (no owner/editor)
@@ -373,6 +391,7 @@ Plugin validates:
 ✅ Vulnerability scanning (Trivy)
 ### Vertex AI Specific (ENFORCED)
 ✅ Code Execution Sandbox (7-14 day TTL)
 ✅ Memory Bank enabled
 ✅ A2A Protocol compliance
@@ -382,6 +401,7 @@ Plugin validates:
 ✅ Alerting policies
 ### CI/CD (RECOMMENDED)
 ✅ Conditional job execution
 ✅ Dependency caching
 ✅ Concurrent jobs

package/agents/gh-actions-gcp-expert.md CHANGED Viewed

@@ -542,6 +542,7 @@ jobs:
 ## When to Use This Agent
 Activate this agent when you need:
 - GitHub Actions workflow creation for GCP deployments
 - Workload Identity Federation (WIF) setup
 - Vertex AI Agent Engine deployment automation
@@ -564,6 +565,7 @@ Activate this agent when you need:
 ## Best Practices
 ### Security
 ✅ **Always use WIF** instead of JSON service account keys
 ✅ **Least privilege IAM** - Grant minimal required permissions
 ✅ **Attribute-based access control** - Restrict by repository/branch
@@ -572,12 +574,14 @@ Activate this agent when you need:
 ✅ **VPC Service Controls** for enterprise isolation
 ### Performance
 ✅ **Auto-scaling** configuration (min/max instances)
 ✅ **Caching** for Docker builds and dependencies
 ✅ **Concurrent job execution** when possible
 ✅ **Matrix builds** for testing across environments
 ### Reliability
 ✅ **Post-deployment validation** to ensure successful deployment
 ✅ **Health check endpoints** for services
 ✅ **Retry logic** with exponential backoff
@@ -585,6 +589,7 @@ Activate this agent when you need:
 ✅ **Monitoring setup** as part of deployment
 ### Cost Optimization
 ✅ **Preemptible runners** for non-critical jobs
 ✅ **Conditional job execution** (only run on relevant path changes)
 ✅ **Artifact caching** to reduce build times

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@intentsolutionsio/jeremy-github-actions-gcp",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "GitHub Actions CI/CD workflows for Google Cloud and Vertex AI deployments",
   "keywords": [
     "github-actions",

package/skills/gh-actions-validator/SKILL.md CHANGED Viewed

@@ -1,13 +1,23 @@
 ---
 name: gh-actions-validator
-description: |
-  Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
+description: 'Validate use when validating GitHub Actions workflows for Google Cloud
+  and Vertex AI deployments. Trigger with phrases like "validate github actions",
+  "setup workload identity federation", "github actions security", "deploy agent with
+  ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation
+  (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security
+  best practices.
+  '
 allowed-tools: Read, Write, Edit, Grep, Glob, Bash(git:*), Bash(gcloud:*)
 version: 1.0.0
 author: Jeremy Longshore <jeremy@intentsolutions.io>
 license: MIT
-compatible-with: claude-code, codex, openclaw
-tags: [devops, deployment, gcp, security]
+tags:
+- devops
+- deployment
+- gcp
+- security
+compatibility: Designed for Claude Code, also compatible with Codex and OpenClaw
 ---
 # Gh Actions Validator
@@ -18,6 +28,7 @@ Validate and harden GitHub Actions workflows that deploy to Google Cloud (especi
 ## Prerequisites
 Before using this skill, ensure:
 - GitHub repository with Actions enabled
 - Google Cloud project with billing enabled
 - gcloud CLI authenticated with admin permissions
@@ -59,4 +70,4 @@ See `${CLAUDE_SKILL_DIR}/references/examples.md` for detailed examples.
 - GitHub OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments
 - Vertex AI Agent Engine: https://cloud.google.com/vertex-ai/docs/agent-engine
 - google-github-actions/auth: https://github.com/google-github-actions/auth
-- WIF setup guide in ${CLAUDE_SKILL_DIR}/docs/wif-setup.md
+- WIF setup guide in ${CLAUDE_SKILL_DIR}/docs/wif-setup.md

package/skills/gh-actions-validator/references/errors.md CHANGED Viewed

@@ -1,22 +1,27 @@
 # Error Handling Reference
 **WIF Authentication Failed**
 - Error: "Failed to generate Google Cloud access token"
 - Solution: Verify WIF provider and service account email are correct
 **OIDC Token Error**
 - Error: "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable"
 - Solution: Add `id-token: write` permission to workflow
 **IAM Permission Denied**
 - Error: "does not have required permission"
 - Solution: Grant service account minimum required roles (run.admin, aiplatform.user)
 **Attribute Condition Failed**
 - Error: "Token does not match attribute condition"
 - Solution: Update attribute mapping to include repository restriction
 **Deployment Validation Failed**
 - Error: "Agent not in RUNNING state"
 - Solution: Check agent configuration and deployment logs

package/skills/gh-actions-validator/references/examples.md CHANGED Viewed

@@ -1,6 +1,7 @@
 # Examples
 **Example: Harden an existing deployment workflow**
 - Input: `.github/workflows/deploy.yml` that uses `credentials_json` or a downloaded service account key.
 - Output: a WIF-based workflow using `google-github-actions/auth@v2`, minimal IAM roles, and a guardrail job that fails PRs when JSON keys appear in workflows.