Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.
61%: Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl
`npx tessl skill review --optimize ./plugins/devops/jeremy-github-actions-gcp/skills/gh-actions-validator/SKILL.md`
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its niche at the intersection of GitHub Actions, Google Cloud, and Vertex AI security validation. It provides explicit trigger phrases, concrete capabilities, and clear 'when to use' guidance. The only minor issue is the slightly awkward opening 'Validate use when validating' which is redundant, but it doesn't materially impact functionality.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Enforces Workload Identity Federation (WIF)', 'validates OIDC permissions', 'ensures least privilege IAM', and 'implements security best practices'. These are concrete, domain-specific capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (validates GitHub Actions workflows, enforces WIF, validates OIDC permissions, ensures least privilege IAM) and 'when' (explicit trigger phrases provided with 'Trigger with phrases like...' and 'Use when validating GitHub Actions workflows'). | 3 / 3 |
| Trigger Term Quality | Includes a rich set of natural trigger phrases: 'validate github actions', 'setup workload identity federation', 'github actions security', 'deploy agent with ci/cd', 'automate vertex ai deployment'. These cover multiple natural ways a user might phrase their request. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific niche combining GitHub Actions + Google Cloud/Vertex AI + security validation (WIF, OIDC, IAM). This is unlikely to conflict with generic CI/CD skills or generic cloud deployment skills due to the very specific technology combination. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable structural outline for GitHub Actions validation but fails to deliver actionable, executable content. The instructions are abstract directives without concrete commands, code snippets, or validation logic. The Output section contains incomplete YAML fragments, and critical details are deferred to referenced files that don't exist in the bundle.
Suggestions
- Replace the abstract instruction steps with concrete, executable commands (e.g., a grep command to scan for service account key usage, specific gcloud commands for WIF setup, a complete validated workflow YAML).
- Add a complete, copy-paste-ready example GitHub Actions workflow YAML that demonstrates WIF authentication and Vertex AI deployment with all security best practices applied.
- Include explicit validation checkpoints with pass/fail criteria, such as 'Run `grep -r GOOGLE_CREDENTIALS .github/workflows/` — if any matches found, replace with WIF auth' and error recovery steps.
- Either provide the referenced bundle files (errors.md, examples.md, wif-setup.md) or inline the essential content so the skill is self-contained and functional.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The prerequisites section includes unnecessary items Claude would know or infer (e.g., 'Understanding of Workload Identity Federation concepts', 'GitHub repository with Actions enabled'). The overview is somewhat verbose but not egregiously so. Some padding could be trimmed. | 2 / 3 |
| Actionability | The instructions are vague directives ('Audit Existing Workflows', 'Validate WIF Usage') without concrete commands, code, or executable steps. The Output section contains incomplete YAML fragments that are not copy-paste ready or executable. No actual validation logic, scripts, or specific commands are provided. | 1 / 3 |
| Workflow Clarity | While steps are numbered, they lack specific commands, validation checkpoints, and feedback loops. For a skill involving security auditing and deployment validation, there are no explicit verification steps, no error recovery paths, and no clear criteria for pass/fail at each stage. | 1 / 3 |
| Progressive Disclosure | References to external files (errors.md, examples.md, wif-setup.md) are present and one-level deep, which is good structure. However, no bundle files exist to back these references, and the main SKILL.md itself lacks sufficient standalone content—it delegates too much to non-existent files while providing almost no actionable content in the body. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
69c73e9