gh-actions-validator
Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill gh-actions-validator77
Quality
67%
Does it follow best practices?
Impact
98%
1.19xAverage score across 3 eval scenarios
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/devops/jeremy-github-actions-gcp/skills/gh-actions-validator/SKILL.mdDiscovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its specialized niche at the intersection of GitHub Actions, Google Cloud security, and Vertex AI deployments. It provides explicit trigger phrases, lists concrete validation capabilities, and has minimal conflict risk due to its specific technical focus. The description follows best practices with third-person voice and actionable language.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Enforces Workload Identity Federation (WIF)', 'validates OIDC permissions', 'ensures least privilege IAM', and 'implements security best practices'. These are concrete, actionable capabilities. | 3 / 3 |
Completeness | Clearly answers both what (validates workflows, enforces WIF, validates OIDC, ensures IAM) AND when (explicit 'Trigger with phrases like...' clause providing clear usage guidance). Has explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger phrases users would say: 'validate github actions', 'setup workload identity federation', 'github actions security', 'deploy agent with ci/cd', 'automate vertex ai deployment'. These match real user language patterns. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche combining GitHub Actions + Google Cloud/Vertex AI + security validation. The combination of WIF, OIDC, and Vertex AI deployment creates a distinct scope unlikely to conflict with generic CI/CD or cloud skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
35%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable structural outline for GitHub Actions validation but fails to deliver actionable, executable guidance. The instructions read like a checklist of concepts rather than concrete steps with commands. The incomplete Output section and reliance on external references without sufficient core content significantly reduce its utility.
Suggestions
Add concrete, executable commands for each instruction step (e.g., 'grep -r GOOGLE_APPLICATION_CREDENTIALS .github/workflows/' for auditing, specific gcloud commands for WIF setup)
Provide a complete, copy-paste ready GitHub Actions workflow YAML example demonstrating proper WIF authentication
Add explicit validation checkpoints with success/failure criteria (e.g., 'Run: gcloud auth list --filter=account:github-actions@ && echo SUCCESS || echo FAILED')
Remove generic prerequisites Claude already knows and replace with specific requirements like 'GCP project ID' and 'Workload Identity Pool name'
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill includes some unnecessary prerequisites that Claude would know (like 'understanding of WIF concepts') and the instructions are somewhat padded, but it's not excessively verbose. The output section is incomplete/truncated which wastes tokens without providing value. | 2 / 3 |
Actionability | The instructions are vague directives ('Audit Existing Workflows', 'Validate WIF Usage') without concrete commands or executable code. The Output section shows incomplete YAML fragments that aren't copy-paste ready. No actual validation commands, gcloud commands, or complete workflow examples are provided. | 1 / 3 |
Workflow Clarity | Steps are listed in sequence but lack validation checkpoints and feedback loops. For a security validation skill involving destructive/risky operations, there's no explicit 'if validation fails, do X' guidance. The numbered steps describe what to do but not how to verify success at each stage. | 2 / 3 |
Progressive Disclosure | References to external files (errors.md, examples.md, wif-setup.md) are present, but the main content is thin and the references use placeholder syntax ({baseDir}) rather than actual paths. The structure exists but the core content that should be in SKILL.md is insufficient. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.