nitinjain999/platform-skills
Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.
67
Quality
84%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Securityby
Passed
No known issues
gha-validate.shexamples/github-actions/
#!/usr/bin/env bash
# Offline validator for examples/github-actions/
# Run from the repository root: bash examples/github-actions/gha-validate.sh
# Requires: bash. actionlint used when available.
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
GHA_DIR="$ROOT_DIR/examples/github-actions"
ERRORS=0
pass() { echo " PASS: $1"; }
fail() { echo " FAIL: $1"; ERRORS=$((ERRORS + 1)); }
echo ""
echo "=== GitHub Actions example structure ==="
EXPECTED_FILES=(
"README.md"
"terraform-cicd.yml"
"container-build.yml"
"flux-sync.yml"
"reusable-workflows/terraform-plan.yml"
"composite-actions/setup-terraform/action.yml"
"composite-actions/configure-cloud/action.yml"
)
for f in "${EXPECTED_FILES[@]}"; do
if [ -f "$GHA_DIR/$f" ]; then
pass "$f exists"
else
fail "$f missing"
fi
done
echo ""
echo "=== Security patterns ==="
while IFS= read -r workflow; do
name="${workflow#$GHA_DIR/}"
# Actions must NOT use mutable refs — must be pinned to full SHA
# Rejects: @v1, @v1.2.3 (semver tags) and @main, @master, @develop (branch names)
if grep -qE "uses: [a-zA-Z0-9_/-]+@(v[0-9]|main|master|develop)" "$workflow" 2>/dev/null; then
fail "$name: action(s) pinned to mutable ref — pin to full SHA instead (uses: owner/repo@<sha> # vX.Y.Z)"
else
pass "$name: no mutable version tag pins detected"
fi
# Must NOT use pull_request_target with code checkout from external sources
if grep -q "pull_request_target" "$workflow" 2>/dev/null; then
if grep -q "ref: \${{ github.event.pull_request.head" "$workflow" 2>/dev/null; then
fail "$name: pull_request_target with PR head checkout — SECURITY RISK (arbitrary code execution)"
else
pass "$name: pull_request_target present but no dangerous head checkout"
fi
fi
# Workflows must declare permissions
if grep -q "^on:" "$workflow" 2>/dev/null && grep -q "permissions:" "$workflow" 2>/dev/null; then
pass "$name: has permissions block"
elif grep -q "^on:" "$workflow" 2>/dev/null; then
fail "$name: missing top-level or job-level permissions block — default is write-all"
fi
# Must NOT use latest or mutable container tags
if grep -qE "image: [a-zA-Z0-9._/-]+:latest" "$workflow" 2>/dev/null; then
fail "$name: container image uses :latest tag — pin to a digest or version"
else
pass "$name: no :latest container tags"
fi
# OIDC: if id-token: write is present, should use OIDC not static keys
if grep -q "id-token: write" "$workflow" 2>/dev/null; then
if grep -qE "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY" "$workflow" 2>/dev/null; then
fail "$name: OIDC configured but static AWS credentials also present — remove static keys"
else
pass "$name: OIDC configured without static credentials"
fi
fi
done < <(find "$GHA_DIR" \( -name "*.yml" -o -name "*.yaml" \) | sort)
echo ""
echo "=== Secrets handling ==="
# Check for hardcoded secrets patterns across all workflow files
if grep -rqE "(password|secret|token|key)[[:space:]]*[:=][[:space:]]*['\"][^'\"$\{]{8,}" "$GHA_DIR/" 2>/dev/null; then
fail "Possible hardcoded secret detected in workflow files — use \${{ secrets.NAME }} instead"
else
pass "No hardcoded secrets patterns detected"
fi
echo ""
echo "=== actionlint (if available) ==="
if command -v actionlint >/dev/null 2>&1; then
echo " INFO: actionlint found — running on all workflow files"
if actionlint "$GHA_DIR"/*.yml "$GHA_DIR"/reusable-workflows/*.yml >/dev/null 2>&1; then
pass "actionlint passed"
else
fail "actionlint found issues — run 'actionlint examples/github-actions/*.yml' for details"
fi
else
echo " INFO: actionlint not found — skipping (install: https://github.com/rhysd/actionlint)"
fi
echo ""
if [ "$ERRORS" -gt 0 ]; then
echo "FAIL: $ERRORS validation error(s)"
exit 1
fi
echo "PASS: all GitHub Actions example checks passed".claude-plugin
.github
commands
awesome-docs.mdaws-profile.mdaws.mdchaos.mdcommit.mdcompliance.mdcomposite-actions.mddatadog.mddebug.mddocument.mddora.mddynatrace.mdfluxcd.mdgitops.mdhelmcheck.mdkeda.mdkyverno.mdlinkerd.mdlinux.mdmcp.mdobservability.mdopa.mdpr-review.mdproduct.mdrenovate.mdreview.mdruntime-security.mdself-improve.mdsupply-chain.mdterraform.mdtriage.md
docs
examples
agent-self-improve
argocd
awesome-docs
aws
cloudfront
functions
lambda-edge
functions
azure
compliance
conventional-commits
datadog
llm-observability
demo
documentation
dora
dynatrace
fluxcd
github-actions
composite-actions
configure-cloud
db-migrate
docker-build-push
k8s-deploy
notify-slack
pr-comment
release-tag
security-scan
setup-env
setup-terraform
terraform-plan
helm
web-service
templates
kubernetes
kyverno
mcp
observability
openshift
pr-review
ownership
runtime-security
supply-chain
terraform
references
agent-self-improve.mdargocd.mdawesome-docs.mdaws-cloudfront.mdaws-mcp-profiles.mdaws-waf.mdaws.mdazure.mdchaos.mdcompliance.mdcomposite-actions.mdconventional-commits.mddatadog.mddocumentation.mddora.mddynatrace.mdfluxcd-helmrelease.mdfluxcd-kustomization.mdfluxcd-mcp.mdfluxcd-migration.mdfluxcd-notifications.mdfluxcd-operator.mdfluxcd-resourcesets.mdfluxcd-security.mdfluxcd-sources.mdfluxcd-terraform.mdfluxcd-troubleshooting.mdfluxcd.mdgithub-actions.mdhelm.mdkeda.mdkubernetes.mdkyverno.mdlinkerd.mdlinux-networking.mdllm-observability.mdmcp.mdobservability.mdopa.mdopenshift.mdplatform-mindset.mdplatform-operating-model.mdpr-review.mdrenovate.mdruntime-security.mdsecrets.mdsupply-chain.mdterraform.md
scripts
skills
platform-skills
tests