HomeBrowseUpload
← Back to registry
// Skill profile

GitHub Actions OIDC Hardening Audit

name: github-actions-oidc-hardening-audit

by daniellummis · published 2026-03-22

开发工具数据处理加密货币
Total installs
0
Stars
★ 0
Last updated
2026-03
// Install command
$ claw add gh:daniellummis/daniellummis-github-actions-oidc-hardening-audit
View on GitHub
// Full documentation

---

name: github-actions-oidc-hardening-audit

description: Audit GitHub Actions cloud auth workflows for OIDC hardening gaps like missing id-token write permissions, static cloud secrets, and floating auth action refs.

version: 1.0.0

metadata: {"openclaw":{"requires":{"bins":["bash","python3"]}}}

---

# GitHub Actions OIDC Hardening Audit

Use this skill to catch risky cloud-auth patterns in workflow YAML before they become identity or secret exposure incidents.

What this skill does

  • Scans workflow YAML files (`.github/workflows/*.yml` by default)
  • Detects AWS/GCP/Azure auth action usage:

    • - `aws-actions/configure-aws-credentials`

    - `google-github-actions/auth`

    - `azure/login`

  • Flags workflows that use cloud auth actions but miss `permissions.id-token: write`
  • Flags AWS auth usage without `role-to-assume`
  • Flags likely static cloud credential usage (`aws-access-key-id`, `aws-secret-access-key`, cloud credential secrets)
  • Flags floating auth action refs (`@main`, `@master`, `@v1`) unless allow-listed
  • Supports text/json output and CI fail gate

    • Inputs

    Optional:

  • `WORKFLOW_GLOB` (default: `.github/workflows/*.y*ml`)
  • `TOP_N` (default: `20`)
  • `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
  • `WARN_SCORE` (default: `3`)
  • `CRITICAL_SCORE` (default: `7`)
  • `WORKFLOW_FILE_MATCH` / `WORKFLOW_FILE_EXCLUDE` (regex, optional)
  • `ALLOW_REF_REGEX` (regex, optional) — allow-listed action refs
  • `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

    • Run

    Text report:

    WORKFLOW_GLOB='.github/workflows/*.yml' \
WARN_SCORE=3 \
CRITICAL_SCORE=7 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

    JSON output + fail gate:

    WORKFLOW_GLOB='.github/workflows/*.y*ml' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

    Run against bundled fixtures:

    WORKFLOW_GLOB='skills/github-actions-oidc-hardening-audit/fixtures/*.y*ml' \
bash skills/github-actions-oidc-hardening-audit/scripts/oidc-hardening-audit.sh

    Output contract

  • Exit `0` in reporting mode (default)
  • Exit `1` when `FAIL_ON_CRITICAL=1` and one or more workflows are critical
  • Text mode prints summary + top risky workflows
  • JSON mode prints summary + flagged workflows + critical workflows
    • // Comments
    Sign in with GitHub to leave a comment.
    // Related skills

    More tools from the same signal band

    04551lh
    2026-03
    order

    Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

    数据处理API集成
    0 installs1
    0isone
    2026-03
    0.protocol

    Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

    开发工具数据处理
    3 installs0
    00xmorty
    2026-03
    Conatus

    The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

    日历管理数据处理
    1 installs0