gh-deploy-pipeline
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill enforces robust security architectures for CI/CD, specifically promoting OpenID Connect (OIDC) for cloud authentication and GitHub Environments for secret scoping, which eliminates the need for long-lived repository secrets.
- [SAFE]: All external dependencies are sourced from well-known, official GitHub Actions provided by organizations such as GitHub (actions/*), Docker (docker/*), AWS (aws-actions/*), and VoidZero (voidzero-dev/*). These are recommended to be pinned to full commit SHAs for maximum security.
- [SAFE]: The pipeline design implements strict artifact provenance, ensuring that build artifacts are created in a low-privilege environment and promoted to deployment without being rebuilt, which prevents 're-build' attacks where source code changes between test and deploy.
- [SAFE]: The skill includes explicit security guardrails and troubleshooting documentation that warns against common vulnerabilities such as secret logging, pull_request_target abuse, and unauthorized manual deployments.
Audit Metadata