nitinjain999/platform-skills
Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.
67
84%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
README.mdexamples/demo/github-actions-supply-chain/
Demo: GitHub Actions Supply Chain
Status: Stable
A GitHub Actions workflow with four supply chain vulnerabilities. Platform-skills catches them all before the workflow is merged.
What's wrong with bad.yml
| Finding | Severity | Risk |
|---|---|---|
actions/checkout@main — unpinned action | Critical | Tag can be moved to malicious commit; SolarWinds-style attack |
permissions: write-all | Critical | Compromised step gets write access to entire repo |
aws-access-key-id in secrets — long-lived keys | High | Leaked key = permanent AWS access until manually rotated |
actions/setup-node@main — unpinned | High | Same supply chain risk as checkout |
aws-actions/configure-aws-credentials@main — unpinned | High | Same supply chain risk |
What changed in fixed.yml
- All actions pinned to commit SHA — immune to tag-move attacks
permissions: write-allreplaced withid-token: write+contents: read— minimal surface- Long-lived AWS secrets replaced with OIDC
role-to-assume— no stored credentials - Top-level
permissions: contents: readas safe default for all jobs
Prerequisites for fixed.yml
- Create an IAM role with a trust policy allowing the GitHub OIDC provider
- Set
vars.AWS_DEPLOY_ROLE_ARNandvars.S3_BUCKETas GitHub Actions variables (not secrets)
IAM trust policy snippet:
{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com" },
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"
}
}
}Try it yourself
Use $platform-skills to review this GitHub Actions workflow for supply chain security:
pinned actions, OIDC, least-privilege permissions, and secret handling..claude-plugin
.github
commands
docs
examples
agent-self-improve
argocd
awesome-docs
aws
cloudfront
functions
lambda-edge
functions
azure
compliance
conventional-commits
datadog
llm-observability
demo
documentation
dora
dynatrace
fluxcd
github-actions
composite-actions
configure-cloud
db-migrate
docker-build-push
k8s-deploy
notify-slack
pr-comment
release-tag
security-scan
setup-env
setup-terraform
terraform-plan
helm
web-service
templates
kubernetes
kyverno
mcp
observability
openshift
pr-review
ownership
runtime-security
supply-chain
terraform
references
scripts
skills
platform-skills
tests