nitinjain999/platform-skills

Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.

examples/github-actions/composite-actions/k8s-deploy/README.md

k8s-deploy

Apply a Kubernetes manifest and wait for rollout to complete. Authenticates to EKS, AKS, or GKE via OIDC — no static kubeconfig secrets.

Status: Stable

Quick start

EKS:

permissions:
  id-token: write
  contents: read

steps:
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
  - uses: your-org/actions/k8s-deploy@v2
    with:
      cloud_provider: aws
      aws_role_arn: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
      aws_cluster_name: my-cluster
      aws_region: us-east-1
      namespace: production
      manifest_path: deploy/app.yml
      deployment_name: my-app

AKS:

permissions:
  id-token: write
  contents: read

steps:
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
  - uses: your-org/actions/k8s-deploy@v2
    with:
      cloud_provider: azure
      azure_client_id: ${{ vars.AZURE_CLIENT_ID }}
      azure_tenant_id: ${{ vars.AZURE_TENANT_ID }}
      azure_subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      azure_cluster_name: my-cluster
      azure_resource_group: my-rg
      namespace: production
      manifest_path: deploy/app.yml
      deployment_name: my-app

GKE:

permissions:
  id-token: write
  contents: read

steps:
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
  - uses: your-org/actions/k8s-deploy@v2
    with:
      cloud_provider: gke
      gcp_workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
      gcp_service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
      gcp_project: my-project
      gcp_cluster_name: my-cluster
      gcp_cluster_location: us-central1
      namespace: production
      manifest_path: deploy/app.yml
      deployment_name: my-app

Architecture

Trigger: push to main / workflow_dispatch
        │
        ▼
┌─────────────────────────────────────────────────────────────────────┐
│  k8s-deploy composite action                                         │
│                                                                      │
│  1. Validate inputs (cloud_provider + cloud-specific required fields)│
│                                                                      │
│  2a. EKS:  configure-aws-credentials (OIDC)                         │
│            └─ aws eks update-kubeconfig                              │
│  2b. AKS:  azure/login (OIDC)                                       │
│            └─ az aks install-cli (kubelogin only)                   │
│            └─ az aks get-credentials + kubelogin convert-kubeconfig │
│  2c. GKE:  google-github-actions/auth (WIF)                         │
│            └─ get-gke-credentials                                   │
│                                                                      │
│  3. Install kubectl                                                  │
│  4. kubectl apply -f <manifest_path> -n <namespace>                 │
│     (--dry-run=server if dry_run=true)                               │
│  5. kubectl rollout status deployment/<name>                         │
│     (skipped if deployment_name is empty or dry_run=true)           │
│  6. Write job summary                                                │
└─────────────────────────────────────────────────────────────────────┘
        │
        ▼
Kubernetes cluster — resources created/updated

Inputs

Common

| Input | Type | Required | Default | Description |
|---|---|---|---|---|
| `cloud_provider` | string | Yes | | `aws`, `azure`, or `gke` |
| `namespace` | string | Yes | | Target Kubernetes namespace |
| `manifest_path` | string | Yes | | Path to manifest file or directory |
| `deployment_name` | string | No | `''` | Deployment to watch (rollout status) |
| `timeout` | string | No | `5m` | Rollout wait timeout (e.g. `5m`, `300s`) |
| `kubectl_version` | string | No | `v1.30.0` | kubectl version to install |
| `dry_run` | boolean | No | `false` | Validate without applying |

AWS / EKS

| Input | Required | Description |
|---|---|---|
| `aws_role_arn` | Yes | IAM role ARN to assume via OIDC |
| `aws_region` | No (default `us-east-1`) | EKS cluster region |
| `aws_cluster_name` | Yes | EKS cluster name |

Azure / AKS

| Input | Required | Description |
|---|---|---|
| `azure_client_id` | Yes | App registration client ID (federated credential) |
| `azure_tenant_id` | Yes | Azure AD tenant ID |
| `azure_subscription_id` | Yes | Azure subscription ID |
| `azure_cluster_name` | Yes | AKS cluster name |
| `azure_resource_group` | Yes | Resource group containing the cluster |

GCP / GKE

| Input | Required | Description |
|---|---|---|
| `gcp_workload_identity_provider` | Yes | WIF provider resource name — `projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER` |
| `gcp_service_account` | Yes | Service account email to impersonate |
| `gcp_project` | Yes | GCP project ID |
| `gcp_cluster_name` | Yes | GKE cluster name |
| `gcp_cluster_location` | Yes | Region (`us-central1`) or zone (`us-central1-a`) |
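
Step 1 of the architecture ("Validate inputs") can be written as a plain shell check over the inputs in the tables above. This is an added example, not the action's own code: it assumes each input is exposed as an environment variable of the same name, and its format patterns (role ARN, DNS-label namespace, single-unit timeout) are coarse assumptions rather than the action's documented rules.

```sh
#!/bin/sh
# Added example, not the action's own script. Inputs arrive as environment
# variables named after the README inputs (an assumed mapping from `inputs.*`).
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below
errors=0
fail() { echo "error: $*" >&2; errors=$((errors + 1)); }
need() { [ -n "$2" ] || fail "$1 is required"; }

# Returns 0 when the input set is valid, 1 otherwise (one stderr line per problem).
validate_inputs() {
  errors=0
  need namespace "${namespace:-}"
  need manifest_path "${manifest_path:-}"
  case "${cloud_provider:-}" in
    aws)
      need aws_cluster_name "${aws_cluster_name:-}"
      case "${aws_role_arn:-}" in
        arn:aws*:iam::[0-9]*:role/?*) ;;
        *) fail "aws_role_arn must be an IAM role ARN" ;;
      esac ;;
    azure)
      need azure_client_id "${azure_client_id:-}"
      need azure_tenant_id "${azure_tenant_id:-}"
      need azure_subscription_id "${azure_subscription_id:-}"
      need azure_cluster_name "${azure_cluster_name:-}"
      need azure_resource_group "${azure_resource_group:-}" ;;
    gke)
      need gcp_service_account "${gcp_service_account:-}"
      need gcp_project "${gcp_project:-}"
      need gcp_cluster_name "${gcp_cluster_name:-}"
      need gcp_cluster_location "${gcp_cluster_location:-}"
      case "${gcp_workload_identity_provider:-}" in
        projects/?*/locations/global/workloadIdentityPools/?*/providers/?*) ;;
        *) fail "gcp_workload_identity_provider is not a WIF provider resource name" ;;
      esac ;;
    *) fail "cloud_provider must be aws, azure, or gke" ;;
  esac
  # namespace ends up on the kubectl command line: allow only a DNS label.
  case "${namespace:-}" in
    *[!a-z0-9-]*|-*|*-) fail "namespace is not a valid DNS label" ;;
  esac
  [ "${#namespace}" -le 63 ] || fail "namespace is longer than 63 characters"
  # timeout: digits plus exactly one unit, as in the README examples (5m, 300s).
  case "${timeout:-5m}" in
    *[!0-9smh]*|[!0-9]*|*[0-9]|*[smh]?*) fail "timeout must look like 5m or 300s" ;;
  esac
  case "${dry_run:-false}" in true|false) ;; *) fail "dry_run must be true or false" ;; esac
  [ "$errors" -eq 0 ]
}
```

Calling `validate_inputs || exit 1` before any cloud login step fails the job early, before an OIDC token is requested for a malformed input set.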

Outputs

| Output | Description |
|---|---|
| `rollout_status` | `success`, `skipped`, or `failed` |
| `applied_resources` | Newline-separated list of resources created or updated |

Required permissions

permissions:
  id-token: write   # OIDC token exchange for all cloud providers
  contents: read
