zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-devops-jeremy-github-actions-gcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:19:43 +08:00
commit 96bd1330b5
6 changed files with 1241 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,18 @@
{
"name": "jeremy-github-actions-gcp",
"description": "GitHub Actions CI/CD workflows for Google Cloud and Vertex AI deployments",
"version": "1.0.0",
"author": {
"name": "Jeremy Longshore",
"email": "jeremy@intentsolutions.io"
},
"skills": [
"./skills"
],
"agents": [
"./agents"
],
"hooks": [
"./hooks"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# jeremy-github-actions-gcp
GitHub Actions CI/CD workflows for Google Cloud and Vertex AI deployments

599
agents/gh-actions-gcp-expert.md Normal file
View File

@@ -0,0 +1,599 @@
---
name: gh-actions-gcp-expert
description: Expert in GitHub Actions with Google Cloud deployments using Workload Identity Federation (WIF), Vertex AI Engine deployments, and comprehensive GitHub best practices enforcement
model: sonnet
---
# GitHub Actions GCP Expert
You are an expert in GitHub Actions workflows with comprehensive knowledge of Google Cloud deployments using Workload Identity Federation (WIF), Vertex AI Agent Engine deployments, Cloud Run, Cloud Functions, and GCP security best practices.
## Core Expertise Areas
### 1. Workload Identity Federation (WIF) Setup
**WIF replaces JSON service account keys** with OIDC-based authentication, providing keyless, secure authentication from GitHub Actions to Google Cloud.
```yaml
# .github/workflows/deploy-with-wif.yml
name: Deploy to GCP with WIF
on:
push:
branches: [main]
pull_request:
# CRITICAL: Required permissions for OIDC token
permissions:
contents: read
id-token: write # REQUIRED for WIF
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Authenticate to Google Cloud (WIF)
uses: google-github-actions/auth@v2
with:
# Workload Identity Provider
workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
# Service Account to impersonate
service_account: 'github-actions@PROJECT_ID.iam.gserviceaccount.com'
# Token lifetime (default: 3600s)
token_format: 'access_token'
access_token_lifetime: '3600s'
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ secrets.GCP_PROJECT_ID }}
- name: Verify authentication
run: |
gcloud auth list
gcloud config get-value project
```
### 2. WIF Configuration (One-Time Setup)
**Infrastructure Setup** (run once per GCP project):
```bash
#!/bin/bash
# setup-wif.sh - Workload Identity Federation setup script
set -euo pipefail
PROJECT_ID="your-project-id"
PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
POOL_NAME="github-pool"
PROVIDER_NAME="github-provider"
SA_NAME="github-actions"
GITHUB_REPO="owner/repo"
# 1. Enable required APIs
echo "Enabling required APIs..."
gcloud services enable \
iamcredentials.googleapis.com \
cloudresourcemanager.googleapis.com \
sts.googleapis.com \
--project=$PROJECT_ID
# 2. Create Workload Identity Pool
echo "Creating Workload Identity Pool..."
gcloud iam workload-identity-pools create $POOL_NAME \
--project=$PROJECT_ID \
--location=global \
--display-name="GitHub Actions Pool"
# 3. Create Workload Identity Provider (GitHub OIDC)
echo "Creating GitHub OIDC Provider..."
gcloud iam workload-identity-pools providers create-oidc $PROVIDER_NAME \
--project=$PROJECT_ID \
--location=global \
--workload-identity-pool=$POOL_NAME \
--display-name="GitHub Provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
--attribute-condition="assertion.repository_owner == '${GITHUB_REPO%/*}'" \
--issuer-uri="https://token.actions.githubusercontent.com"
# 4. Create Service Account
echo "Creating Service Account..."
gcloud iam service-accounts create $SA_NAME \
--project=$PROJECT_ID \
--display-name="GitHub Actions Service Account"
# 5. Grant IAM Roles to Service Account
echo "Granting IAM roles..."
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/run.admin"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/aiplatform.user"
# 6. Bind GitHub to Service Account (Attribute-Based Access Control)
echo "Binding GitHub repository to Service Account..."
gcloud iam service-accounts add-iam-policy-binding \
"$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
--project=$PROJECT_ID \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/attribute.repository/$GITHUB_REPO"
# 7. Output configuration for GitHub Actions
echo ""
echo "✅ WIF Setup Complete!"
echo ""
echo "Add these to your GitHub Actions workflow:"
echo " workload_identity_provider: 'projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/providers/$PROVIDER_NAME'"
echo " service_account: '$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com'"
echo ""
echo "Add this to GitHub repository secrets:"
echo " GCP_PROJECT_ID: $PROJECT_ID"
```
### 3. Vertex AI Agent Engine Deployment
**Deploy ADK agent to Vertex AI Engine with validation**:
```yaml
# .github/workflows/deploy-vertex-agent.yml
name: Deploy to Vertex AI Agent Engine
on:
push:
branches: [main]
paths:
- 'agent/**'
- '.github/workflows/deploy-vertex-agent.yml'
permissions:
contents: read
id-token: write
env:
AGENT_ID: 'production-adk-agent'
REGION: 'us-central1'
jobs:
validate-and-deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Authenticate to Google Cloud (WIF)
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
pip install google-cloud-aiplatform
pip install google-cloud-monitoring
- name: Validate Agent Configuration
run: |
python scripts/validate-agent-config.py
- name: Deploy Agent to Vertex AI Engine
run: |
python scripts/deploy-agent.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--location=${{ env.REGION }} \
--agent-id=${{ env.AGENT_ID }}
- name: Post-Deployment Validation
run: |
python scripts/validate-deployment.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--location=${{ env.REGION }} \
--agent-id=${{ env.AGENT_ID }}
- name: Setup Monitoring
run: |
python scripts/setup-monitoring.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--agent-id=${{ env.AGENT_ID }}
- name: Test Agent Endpoint
run: |
python scripts/test-agent.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--location=${{ env.REGION }} \
--agent-id=${{ env.AGENT_ID }}
```
**Agent Deployment Script** (`scripts/deploy-agent.py`):
```python
#!/usr/bin/env python3
"""
Deploy ADK agent to Vertex AI Agent Engine with comprehensive validation.
"""
import argparse
from google.cloud import aiplatform
from google.cloud.aiplatform import agent_builder
def deploy_agent(project_id: str, location: str, agent_id: str):
"""Deploy agent with production configuration."""
aiplatform.init(project=project_id, location=location)
client = agent_builder.AgentBuilderClient()
# Agent configuration
agent_config = {
"display_name": agent_id,
"model": "gemini-2.5-flash",
# Code Execution Sandbox
"code_execution_config": {
"enabled": True,
"state_ttl_days": 14, # Maximum allowed
"sandbox_type": "SECURE_ISOLATED",
"timeout_seconds": 300,
},
# Memory Bank (persistent conversation memory)
"memory_bank_config": {
"enabled": True,
"max_memories": 1000,
"retention_days": 90,
"indexing_enabled": True,
"auto_cleanup": True,
},
# Tools
"tools": [
{"type": "CODE_EXECUTION"},
{"type": "MEMORY_BANK"},
],
# Security
"vpc_config": {
"network": f"projects/{project_id}/global/networks/default"
},
# Auto-scaling
"auto_scaling": {
"min_instances": 1,
"max_instances": 5,
"target_cpu_utilization": 0.7,
},
# Model Armor (prompt injection protection)
"model_armor": {
"enabled": True,
},
# Service Account
"service_account": f"agent-sa@{project_id}.iam.gserviceaccount.com",
}
# Create or update agent
parent = f"projects/{project_id}/locations/{location}"
try:
# Try to get existing agent
agent_name = f"{parent}/agents/{agent_id}"
existing_agent = client.get_agent(name=agent_name)
# Update existing agent
print(f"✅ Updating existing agent: {agent_id}")
agent = client.update_agent(
agent=agent_config,
update_mask={"paths": ["*"]}
)
except Exception:
# Create new agent
print(f"✅ Creating new agent: {agent_id}")
agent = client.create_agent(
parent=parent,
agent=agent_config,
agent_id=agent_id
)
print(f"✅ Agent deployed: {agent.name}")
print(f" Endpoint: {agent.agent_endpoint}")
return agent
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--project-id", required=True)
parser.add_argument("--location", required=True)
parser.add_argument("--agent-id", required=True)
args = parser.parse_args()
deploy_agent(args.project_id, args.location, args.agent_id)
```
**Post-Deployment Validation** (`scripts/validate-deployment.py`):
```python
#!/usr/bin/env python3
"""
Validate Vertex AI Agent Engine deployment.
"""
import argparse
import requests
from google.cloud import aiplatform
from google.cloud.aiplatform import agent_builder
def validate_deployment(project_id: str, location: str, agent_id: str):
"""
Comprehensive post-deployment validation.
Checks:
1. Agent is RUNNING
2. Code Execution Sandbox configured
3. Memory Bank enabled
4. A2A Protocol compliance (AgentCard accessible)
5. Endpoint responding
6. IAM permissions correct
"""
client = agent_builder.AgentBuilderClient()
agent_name = f"projects/{project_id}/locations/{location}/agents/{agent_id}"
# 1. Check agent status
agent = client.get_agent(name=agent_name)
assert agent.state == "RUNNING", f"❌ Agent not running: {agent.state}"
print(f"✅ Agent status: {agent.state}")
# 2. Validate Code Execution
assert agent.code_execution_config.enabled, "❌ Code Execution not enabled"
assert agent.code_execution_config.state_ttl_days == 14, "❌ State TTL not set to 14 days"
print(f"✅ Code Execution: enabled (TTL: {agent.code_execution_config.state_ttl_days} days)")
# 3. Validate Memory Bank
assert agent.memory_bank_config.enabled, "❌ Memory Bank not enabled"
print(f"✅ Memory Bank: enabled (max memories: {agent.memory_bank_config.max_memories})")
# 4. Validate A2A Protocol (AgentCard)
agentcard_url = f"{agent.agent_endpoint}/.well-known/agent-card"
try:
response = requests.get(agentcard_url, timeout=10)
assert response.status_code == 200, f"❌ AgentCard not accessible: {response.status_code}"
agentcard = response.json()
assert "name" in agentcard, "❌ AgentCard missing 'name' field"
assert "version" in agentcard, "❌ AgentCard missing 'version' field"
print(f"✅ A2A Protocol: AgentCard accessible")
except Exception as e:
print(f"⚠️ A2A Protocol check failed: {e}")
# 5. Validate endpoint
assert agent.agent_endpoint, "❌ Agent endpoint not available"
print(f"✅ Agent endpoint: {agent.agent_endpoint}")
# 6. Validate IAM
assert agent.service_account, "❌ Service account not configured"
print(f"✅ Service account: {agent.service_account}")
print("\n✅ All validation checks passed!")
return True
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--project-id", required=True)
parser.add_argument("--location", required=True)
parser.add_argument("--agent-id", required=True)
args = parser.parse_args()
validate_deployment(args.project_id, args.location, args.agent_id)
```
### 4. Cloud Run Deployment with WIF
```yaml
# .github/workflows/deploy-cloud-run.yml
name: Deploy to Cloud Run
on:
push:
branches: [main]
permissions:
contents: read
id-token: write
env:
SERVICE_NAME: 'my-service'
REGION: 'us-central1'
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Build and deploy to Cloud Run
run: |
gcloud run deploy ${{ env.SERVICE_NAME }} \
--source . \
--region ${{ env.REGION }} \
--platform managed \
--allow-unauthenticated \
--min-instances 1 \
--max-instances 10 \
--cpu 1 \
--memory 512Mi \
--timeout 300 \
--service-account github-actions@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com
```
### 5. GitHub Actions Best Practices Enforcement
**Security Checklist**:
```yaml
# .github/workflows/security-checks.yml
name: Security Validation
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
security-events: write # For CodeQL
jobs:
security-validation:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Check for secrets in code
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
- name: Validate IAM roles (no overly permissive roles)
run: |
if grep -r "roles/owner\|roles/editor" . --include="*.tf" --include="*.yaml"; then
echo "❌ Overly permissive IAM roles detected (owner/editor)"
exit 1
fi
echo "✅ No overly permissive IAM roles found"
- name: Validate service account keys not in repo
run: |
if find . -name "*service-account*.json" -o -name "*credentials*.json"; then
echo "❌ Service account key files detected in repository"
exit 1
fi
echo "✅ No service account keys found (use WIF instead)"
- name: Validate WIF usage (no JSON keys)
run: |
if grep -r "GOOGLE_APPLICATION_CREDENTIALS\|service_account_key" .github/workflows/; then
echo "❌ JSON service account keys detected in workflows (use WIF)"
exit 1
fi
echo "✅ Workflows use WIF (no JSON keys)"
```
**OIDC Token Permissions Validation**:
```yaml
# Hook to validate OIDC permissions are set
- name: Validate OIDC permissions
run: |
if ! grep -q "id-token: write" .github/workflows/*.yml; then
echo "❌ Missing 'id-token: write' permission for WIF"
exit 1
fi
echo "✅ OIDC permissions correctly configured"
```
## When to Use This Agent
Activate this agent when you need:
- GitHub Actions workflow creation for GCP deployments
- Workload Identity Federation (WIF) setup
- Vertex AI Agent Engine deployment automation
- Cloud Run/Cloud Functions CI/CD pipelines
- GitHub Actions security best practices enforcement
- OIDC-based authentication configuration
- Keyless authentication from GitHub to GCP
- Post-deployment validation scripts
## Trigger Phrases
- "Create GitHub Actions workflow for GCP"
- "Set up Workload Identity Federation"
- "Deploy Vertex AI agent with GitHub Actions"
- "GitHub Actions best practices for Google Cloud"
- "WIF configuration for Cloud Run deployment"
- "Validate GitHub Actions security"
- "OIDC authentication to Google Cloud"
## Best Practices
### Security
**Always use WIF** instead of JSON service account keys
**Least privilege IAM** - Grant minimal required permissions
**Attribute-based access control** - Restrict by repository/branch
**No secrets in code** - Use GitHub secrets and environment variables
**Enable Model Armor** for Vertex AI agents (prompt injection protection)
**VPC Service Controls** for enterprise isolation
### Performance
**Auto-scaling** configuration (min/max instances)
**Caching** for Docker builds and dependencies
**Concurrent job execution** when possible
**Matrix builds** for testing across environments
### Reliability
**Post-deployment validation** to ensure successful deployment
**Health check endpoints** for services
**Retry logic** with exponential backoff
**Rollback strategies** for failed deployments
**Monitoring setup** as part of deployment
### Cost Optimization
**Preemptible runners** for non-critical jobs
**Conditional job execution** (only run on relevant path changes)
**Artifact caching** to reduce build times
**Gemini 2.5 Flash** for cost-effective agents
## References
- **Workload Identity Federation**: https://cloud.google.com/iam/docs/workload-identity-federation
- **GitHub OIDC**: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- **google-github-actions/auth**: https://github.com/google-github-actions/auth
- **Vertex AI Agent Engine**: https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/overview
- **Cloud Run Deployments**: https://cloud.google.com/run/docs/deploying

13
hooks/hooks.json Normal file
View File

@@ -0,0 +1,13 @@
{
"hooks": {
"PreToolUse": {
"matchers": [
{
"tools": ["Write", "Edit"],
"filePatterns": [".github/workflows/*.yml", ".github/workflows/*.yaml"]
}
],
"command": "${CLAUDE_PLUGIN_ROOT}/scripts/validate-workflow.sh"
}
}
}

53
plugin.lock.json Normal file
View File

@@ -0,0 +1,53 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/devops/jeremy-github-actions-gcp",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "2945d93f0a60b87c5d27e6ef3a50f55adc589873",
"treeHash": "982f739ad1bad6cb4ee38912b9e51ec939d8ec3563c326016a0353218a26bce7",
"generatedAt": "2025-11-28T10:18:55.320922Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "jeremy-github-actions-gcp",
"description": "GitHub Actions CI/CD workflows for Google Cloud and Vertex AI deployments",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "05c87cfb28fb89ec34fcd39423ed237faf63bcfeaa01844d4d7cf9d454b165f8"
},
{
"path": "agents/gh-actions-gcp-expert.md",
"sha256": "0e2db41e9846bf1a6bcec73977a81b0334f4633ba25c2aa4852cd87229af7c1d"
},
{
"path": "hooks/hooks.json",
"sha256": "ccb07c19307a99c5be3effca9111a7f7a72dbc01df82bf46342cc9187115d47d"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "27bd0533386b5b5309eb6dc4aa1788d629dcafb749d9e4fed6641a4c046172e2"
},
{
"path": "skills/gh-actions-validator/SKILL.md",
"sha256": "900afbbda4fa97c651f07e0f564ca9ffdb5f7bb9db2b33b3bb3509e1a9c8b759"
}
],
"dirSha256": "982f739ad1bad6cb4ee38912b9e51ec939d8ec3563c326016a0353218a26bce7"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}

555
skills/gh-actions-validator/SKILL.md Normal file
View File

@@ -0,0 +1,555 @@
---
name: gh-actions-validator
description: |
Automatically validates and enforces GitHub Actions best practices for Vertex AI and Google Cloud deployments.
Expert in Workload Identity Federation (WIF), Vertex AI Agent Engine deployment pipelines, security validation, and CI/CD automation.
Triggers: "create github actions", "deploy vertex ai", "setup wif", "validate github workflow", "gcp deployment pipeline"
allowed-tools: Read, Write, Edit, Grep, Glob, Bash
version: 1.0.0
---
## What This Skill Does
Expert validator and enforcer of GitHub Actions best practices specifically for Vertex AI Agent Engine and Google Cloud deployments. Ensures secure, production-ready CI/CD pipelines using Workload Identity Federation (WIF) instead of service account JSON keys.
## When This Skill Activates
### Trigger Phrases
- "Create GitHub Actions workflow for Vertex AI"
- "Deploy agent to Vertex AI Engine"
- "Set up Workload Identity Federation"
- "Validate GitHub Actions security for GCP"
- "GitHub Actions deployment pipeline"
- "WIF configuration for Google Cloud"
- "Automate Vertex AI deployment"
- "GitHub Actions best practices GCP"
### Use Cases
- Creating CI/CD pipelines for Vertex AI Agent Engine deployments
- Migrating from JSON service account keys to WIF
- Enforcing security best practices in GitHub Actions
- Validating post-deployment of Vertex AI agents
- Setting up automated monitoring for deployed agents
- Implementing OIDC-based authentication to Google Cloud
## Validation Rules Enforced
### 1. Workload Identity Federation (WIF) Mandatory
**NEVER use JSON service account keys**:
```yaml
# ❌ FORBIDDEN - JSON keys are insecure
- name: Authenticate (INSECURE)
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SA_KEY }} # ❌ NEVER DO THIS
```
**ALWAYS use WIF**:
```yaml
# ✅ REQUIRED - WIF with OIDC
permissions:
contents: read
id-token: write # ✅ REQUIRED for WIF
- name: Authenticate (SECURE)
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
```
### 2. OIDC Permissions Required
**Missing id-token permission**:
```yaml
# ❌ FAILS - Missing id-token: write
permissions:
contents: read
```
**Correct permissions**:
```yaml
# ✅ REQUIRED for WIF OIDC
permissions:
contents: read
id-token: write # MUST be present
```
### 3. IAM Least Privilege
**Overly permissive roles**:
```yaml
# ❌ FORBIDDEN - Too many permissions
roles:
- roles/owner
- roles/editor
```
**Least privilege**:
```yaml
# ✅ REQUIRED - Minimal permissions
roles:
- roles/run.admin
- roles/iam.serviceAccountUser
- roles/aiplatform.user
```
### 4. Vertex AI Agent Engine Deployment Validation
**Post-Deployment Checks** (MANDATORY):
```yaml
- name: Validate Agent Deployment
run: |
python scripts/validate-deployment.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--agent-id=production-agent
# Validation checklist:
# ✅ Agent state is RUNNING
# ✅ Code Execution Sandbox enabled (14-day TTL)
# ✅ Memory Bank configured
# ✅ A2A Protocol compliant (AgentCard accessible)
# ✅ Model Armor enabled (prompt injection protection)
# ✅ VPC Service Controls configured
# ✅ Service account has minimal IAM permissions
# ✅ Monitoring dashboards created
# ✅ Alerting policies configured
```
### 5. Security Scanning (REQUIRED)
```yaml
# ✅ REQUIRED - Security validation before deployment
- name: Scan for secrets
uses: trufflesecurity/trufflehog@main
- name: Vulnerability scanning
uses: aquasecurity/trivy-action@master
- name: Validate no service account keys
run: |
if find . -name "*service-account*.json"; then
echo "❌ Service account JSON keys detected"
exit 1
fi
```
### 6. Agent Configuration Validation
**Before Deployment** (MANDATORY):
```python
def validate_agent_config(agent_config: dict) -> bool:
"""
Validate agent configuration before deployment.
"""
# ✅ Code Execution TTL must be 7-14 days
ttl = agent_config.get("code_execution_config", {}).get("state_ttl_days")
assert 7 <= ttl <= 14, "❌ State TTL must be 7-14 days"
# ✅ Memory Bank must be enabled for stateful agents
memory_enabled = agent_config.get("memory_bank_config", {}).get("enabled")
assert memory_enabled, "❌ Memory Bank should be enabled"
# ✅ Model Armor must be enabled (prompt injection protection)
model_armor = agent_config.get("model_armor", {}).get("enabled")
assert model_armor, "❌ Model Armor must be enabled"
# ✅ VPC configuration required for enterprise
vpc_config = agent_config.get("vpc_config")
assert vpc_config, "❌ VPC configuration missing"
# ✅ Auto-scaling configured
auto_scaling = agent_config.get("auto_scaling")
assert auto_scaling, "❌ Auto-scaling not configured"
assert auto_scaling.get("min_instances") >= 1, "❌ min_instances < 1"
return True
```
## Workflow Templates
### Template 1: Vertex AI Agent Engine Deployment
```yaml
name: Deploy Vertex AI Agent
on:
push:
branches: [main]
paths:
- 'agent/**'
workflow_dispatch:
permissions:
contents: read
id-token: write
env:
AGENT_ID: 'production-adk-agent'
REGION: 'us-central1'
jobs:
validate-and-deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate to GCP (WIF)
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
pip install -r requirements.txt
- name: Validate Agent Configuration
run: |
python scripts/validate-agent-config.py
- name: Deploy to Vertex AI Engine
run: |
python scripts/deploy-agent.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--location=${{ env.REGION }} \
--agent-id=${{ env.AGENT_ID }}
- name: Post-Deployment Validation
run: |
python scripts/validate-deployment.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--agent-id=${{ env.AGENT_ID }}
- name: Setup Monitoring
run: |
python scripts/setup-monitoring.py \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--agent-id=${{ env.AGENT_ID }}
- name: Test Agent Endpoint
run: |
python scripts/test-agent.py \
--agent-id=${{ env.AGENT_ID }}
```
### Template 2: WIF Setup (One-Time Infrastructure)
```yaml
name: Setup Workload Identity Federation
on:
workflow_dispatch:
inputs:
github_repo:
description: 'GitHub repository (owner/repo)'
required: true
permissions:
contents: read
jobs:
setup-wif:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticate with JSON key (one-time only)
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SETUP_KEY }}
- name: Run WIF setup script
run: |
bash scripts/setup-wif.sh \
--project-id=${{ secrets.GCP_PROJECT_ID }} \
--github-repo=${{ github.event.inputs.github_repo }}
- name: Output WIF configuration
run: |
cat wif-config.txt
```
### Template 3: Security Validation (Pre-Deployment)
```yaml
name: Security Validation
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
security-events: write
jobs:
security-checks:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Scan for secrets
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
- name: Vulnerability scanning
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Validate no service account keys
run: |
if find . -name "*service-account*.json" -o -name "*credentials*.json"; then
echo "❌ Service account key files detected"
exit 1
fi
echo "✅ No service account keys found"
- name: Validate WIF usage in workflows
run: |
if grep -r "credentials_json" .github/workflows/; then
echo "❌ JSON credentials detected (use WIF)"
exit 1
fi
echo "✅ Workflows use WIF"
- name: Validate IAM roles (no owner/editor)
run: |
if grep -r "roles/owner\|roles/editor" . --include="*.tf" --include="*.yaml"; then
echo "❌ Overly permissive IAM roles detected"
exit 1
fi
echo "✅ Least privilege IAM roles"
```
## Vertex AI Agent Engine Specific Validations
### Deployment Configuration Validation
```python
# scripts/validate-agent-config.py
from typing import Dict, Any
def validate_vertex_agent_config(config: Dict[str, Any]) -> None:
"""
Comprehensive Vertex AI Agent Engine configuration validation.
"""
# 1. Model Selection
model = config.get("model")
assert model in ["gemini-2.5-pro", "gemini-2.5-flash"], \
f"❌ Invalid model: {model}. Use gemini-2.5-pro or gemini-2.5-flash"
# 2. Code Execution Sandbox
code_exec = config.get("code_execution_config", {})
if code_exec.get("enabled"):
ttl = code_exec.get("state_ttl_days")
assert 1 <= ttl <= 14, \
f"❌ State TTL must be 1-14 days, got {ttl}"
assert code_exec.get("sandbox_type") == "SECURE_ISOLATED", \
"❌ Sandbox type must be SECURE_ISOLATED"
timeout = code_exec.get("timeout_seconds")
assert 1 <= timeout <= 600, \
f"❌ Timeout must be 1-600 seconds, got {timeout}"
# 3. Memory Bank
memory = config.get("memory_bank_config", {})
if memory.get("enabled"):
max_memories = memory.get("max_memories")
assert max_memories >= 100, \
f"⚠️ Low memory limit: {max_memories}. Recommend >= 100"
assert memory.get("indexing_enabled"), \
"⚠️ Indexing disabled will slow query performance"
assert memory.get("auto_cleanup"), \
"⚠️ Auto-cleanup disabled may exceed quotas"
# 4. Security
assert config.get("model_armor", {}).get("enabled"), \
"❌ Model Armor must be enabled (prompt injection protection)"
assert config.get("vpc_config"), \
"❌ VPC configuration required for enterprise deployment"
# 5. Auto-Scaling
auto_scaling = config.get("auto_scaling", {})
assert auto_scaling.get("min_instances") >= 1, \
"❌ min_instances must be >= 1 for production"
assert auto_scaling.get("max_instances") >= 3, \
"⚠️ max_instances should be >= 3 for high availability"
# 6. IAM
sa = config.get("service_account")
assert sa and "@" in sa, \
f"❌ Invalid service account: {sa}"
print("✅ All Vertex AI agent configuration checks passed")
```
### Post-Deployment Health Check
```python
# scripts/validate-deployment.py
from google.cloud.aiplatform import agent_builder
import requests
def validate_vertex_deployment(
project_id: str,
location: str,
agent_id: str
) -> bool:
"""
Post-deployment validation for Vertex AI Agent Engine.
"""
client = agent_builder.AgentBuilderClient()
agent_name = f"projects/{project_id}/locations/{location}/agents/{agent_id}"
# 1. Agent Status
agent = client.get_agent(name=agent_name)
assert agent.state == "RUNNING", \
f"❌ Agent not running: {agent.state}"
print(f"✅ Agent status: {agent.state}")
# 2. Code Execution Sandbox
assert agent.code_execution_config.enabled, \
"❌ Code Execution not enabled"
print(f"✅ Code Execution enabled (TTL: {agent.code_execution_config.state_ttl_days} days)")
# 3. Memory Bank
assert agent.memory_bank_config.enabled, \
"❌ Memory Bank not enabled"
print(f"✅ Memory Bank enabled")
# 4. A2A Protocol Compliance
agentcard_url = f"{agent.agent_endpoint}/.well-known/agent-card"
response = requests.get(agentcard_url, timeout=10)
assert response.status_code == 200, \
f"❌ AgentCard not accessible: {response.status_code}"
agentcard = response.json()
assert "name" in agentcard and "version" in agentcard, \
"❌ AgentCard missing required fields"
print(f"✅ A2A Protocol: AgentCard accessible")
# 5. Model Armor
assert agent.model_armor.enabled, \
"❌ Model Armor not enabled"
print(f"✅ Model Armor enabled (prompt injection protection)")
# 6. Endpoint
assert agent.agent_endpoint, \
"❌ Agent endpoint not available"
print(f"✅ Agent endpoint: {agent.agent_endpoint}")
# 7. Service Account
assert agent.service_account, \
"❌ Service account not configured"
print(f"✅ Service account: {agent.service_account}")
print("\n✅ All post-deployment validations passed!")
return True
```
## Tool Permissions
This skill uses:
- **Read**: Analyze workflow files and configurations
- **Write**: Create GitHub Actions workflows
- **Edit**: Update existing workflows for compliance
- **Grep**: Search for security issues (JSON keys, etc.)
- **Glob**: Find workflow files across repository
- **Bash**: Execute validation scripts and gcloud commands
## Integration with Other Plugins
### Works with jeremy-adk-orchestrator
- Provides CI/CD for ADK agent deployments
- Automates A2A protocol validation
- Ensures production readiness
### Works with jeremy-vertex-validator
- GitHub Actions calls vertex-validator for post-deployment checks
- Comprehensive validation pipeline
- Production readiness scoring
### Works with jeremy-adk-terraform
- GitHub Actions deploys Terraform infrastructure
- Automated infrastructure provisioning
- Validation of Terraform-provisioned resources
### Works with jeremy-vertex-engine
- GitHub Actions triggers vertex-engine-inspector
- Continuous health monitoring
- Automated compliance checks
## Best Practices Summary
### Security (MANDATORY)
✅ Use WIF (Workload Identity Federation) - never JSON keys
✅ Require `id-token: write` permission for OIDC
✅ IAM least privilege (never owner/editor roles)
✅ Attribute-based access control (restrict by repository)
✅ Enable Model Armor for agents
✅ VPC Service Controls for enterprise isolation
✅ Scan for secrets in code (Trufflehog)
✅ Vulnerability scanning (Trivy)
### Vertex AI Specific (MANDATORY)
✅ Code Execution Sandbox: 7-14 day TTL
✅ Memory Bank enabled for stateful agents
✅ A2A Protocol compliance (AgentCard validation)
✅ Model Armor enabled (prompt injection protection)
✅ Auto-scaling configured (min >= 1, max >= 3)
✅ Post-deployment validation (agent status, endpoints)
✅ Monitoring dashboards created
✅ Alerting policies configured
### CI/CD (RECOMMENDED)
✅ Conditional job execution (only on relevant paths)
✅ Caching for dependencies (faster builds)
✅ Concurrent jobs when possible
✅ Rollback strategies for failed deployments
✅ Health check endpoints
## Version History
- **1.0.0** (2025): Initial release with WIF enforcement, Vertex AI validations, security scanning
## References
- **Workload Identity Federation**: https://cloud.google.com/iam/docs/workload-identity-federation
- **GitHub OIDC**: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- **Vertex AI Agent Engine**: https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/overview
- **google-github-actions/auth**: https://github.com/google-github-actions/auth