--- name: checking-deploy description: Validate Kubernetes, Terraform, Helm, GitHub Actions, and Docker configs. Use when user says "deploy check", "validate deployment", "check k8s", "validate infrastructure", "check configs", or wants to verify infrastructure. user-invocable: true context: fork allowed-tools: - Task - TaskOutput - TodoWrite - Bash(kubectl *) - Bash(helm *) - Bash(terraform *) - Bash(actionlint *) - Bash(docker *) - Grep - Glob - mcp__perplexity-ask__perplexity_ask argument-hint: [--background] --- # Deployment Validation Validate Kubernetes, Terraform, Helm, GitHub Actions, and Docker configs. **Use TodoWrite** to track these 5 phases: 1. Detect infrastructure files 2. Spawn validation agent 3. Collect results 4. Research best practices (if needed) 5. Present summary --- **Parse $ARGUMENTS:** - `--background` → Run in background, return immediately with agent ID --- ## Step 1: Detect Infrastructure Files Use Glob to find infrastructure files (quick scan): - `**/*.yaml`, `**/*.yml` - K8s, Helm, Kustomize - `.github/workflows/*.yml` - GitHub Actions - `**/*.tf` - Terraform - `**/Dockerfile*`, `**/docker-compose*.yml` - Docker --- ## Step 2: Spawn Validation Agent Based on detected file types, spawn **infra-engineer** agent: ``` Task( subagent_type="infra-engineer", run_in_background={true if --background else false}, description="Infrastructure validation", prompt="Validate {detected_types} infrastructure in this repository. Run these validations (only for detected file types): **Kubernetes:** - kubectl apply --dry-run=client -f - Check: security contexts, resource limits, non-root users - Check: liveness/readiness probes defined - Check: no 'latest' image tags **Helm:** - helm lint - helm template validation - Check: values.yaml has sensible defaults **GitHub Actions:** - actionlint (if available) - Check: secrets not hardcoded - Check: permissions minimized (not 'write-all') - Check: pinned action versions (@vX.Y.Z not @main) **Terraform:** - terraform fmt -check - terraform validate - Check: no hardcoded credentials - Check: state backend configured **Dockerfile:** - Multi-stage builds where appropriate - Non-root user (USER directive) - Pinned base image tags (not :latest) - No secrets in build args Output format: PASS/FAIL per category with file:line for issues. Severity: CRITICAL / IMPORTANT / SUGGESTION" ) ``` **If --background:** Return agent ID immediately for later collection. --- ## Step 3: Collect Results (if not background) ``` TaskOutput(task_id=, block=true) ``` --- ## Step 4: Research if Needed For uncertain findings, use Perplexity for current best practices: ``` mcp__perplexity-ask__perplexity_ask with: "Current best practices for {specific concern} in {technology} 2024-2025" ``` --- ## Step 5: Present Summary ``` DEPLOYMENT CHECK ================ Agent ID: {id} (use /agent:resume {id} to continue) Kubernetes: [PASS/FAIL] - {details} Helm: [PASS/FAIL] - {details} GitHub Actions: [PASS/FAIL] - {details} Terraform: [PASS/FAIL] - {details} Docker: [PASS/FAIL] - {details} CRITICAL Issues: - file:line - issue description IMPORTANT Issues: - file:line - issue description Recommendations: - [prioritized list] ``` --- **Execute validation now.**