alexei-led/deploying-infra
plugins/infra-ops/skills-pi/deploying-infra/SKILL.md
Sequential infrastructure deployment — detect infra type (Kubernetes, Terraform, Helm, Kustomize, GitHub Actions, Docker), validate configs, dry-run, show diff, apply only after user confirmation, and verify post-deploy health. Includes safety checks for destructive operations.
$ install --global
skillsauthnpx skillsauth add alexei-led/claude-code-config deploying-infraInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 11, 2026, 3:48 AM234.4s1 file scanned
SKILL.md
- description:
- Sequential infrastructure deployment — detect infra type (Kubernetes,
- name:
- deploying-infra
<!-- generated by scripts/build/generate-skills.py — edits to this file will be overwritten by `make build`. Edit the canonical SKILL.md (or add a SKILL.codex.md / SKILL.pi.md sidecar to diverge). -->
<!-- Pi platform guidance -->
<!-- Use Pi tool names exactly: read, bash, edit, write, ask_user_question, structured_output, todo, Agent, get_subagent_result, steer_subagent, web_search, web_answer, web_research. -->
<!-- Use Agent, get_subagent_result, and steer_subagent for delegated work. -->
<!-- Use ctx7 or npx ctx7@latest through bash when Context7 documentation lookup is required. -->
Deploy Infrastructure
Validate and deploy infrastructure changes safely. Dry-run is the default. Never apply changes, especially destructive ones, without explicit confirmation. Keep going through each step — do not skip validation or the confirmation gate.
Step 1: Parse arguments
Check $ARGUMENTS:
--dry-run(default if nothing specified) — validate and show diff only, stop before applying--apply— validate, show diff, confirm with user, then apply[environment]— target environment name (e.g.,staging,production)
If no arguments are supplied, treat as --dry-run.
Step 2: Detect infrastructure type
Use Glob to find infrastructure files. Do not guess — look at what is actually present.
**/*.tf— Terraform**/Chart.yaml— Helm chart**/kustomization.yaml— Kustomize.github/workflows/*.yml— GitHub Actions**/Dockerfile*,**/docker-compose*.yml— Docker
Read the relevant top-level config files to understand the scope of what will be deployed. If no infrastructure files are found, report it and stop.
Step 3: Validate configs
Run validation tools for each detected type. Read the output before proceeding — fix any validation errors before continuing.
Terraform:
terraform fmt -check
terraform validate
Helm:
helm lint .
helm template . --debug > /dev/null
Kustomize:
kustomize build overlays/<environment> | kubectl apply --dry-run=client -f -
Kubernetes (raw manifests):
kubectl apply --dry-run=client -f <manifests-dir>/
GitHub Actions:
actionlint .github/workflows/*.yml
Security checks to apply manually by reading the files:
- No hardcoded secrets, tokens, or credentials anywhere
- No
latestimage tags in K8s or Dockerfile - GitHub Actions: permissions are minimized (not
write-all), action versions are pinned to@vX.Y.Z - Terraform: state backend is configured, no destructive changes (
-/+ordestroy) without a note - Kubernetes: security contexts set, resource limits defined, liveness/readiness probes present
If CRITICAL issues are found, report them and stop. Ask the user how to proceed.
Step 4: Dry-run and show diff
Generate a preview of what would change:
Terraform:
terraform plan -out=tfplan
Helm:
helm diff upgrade <release-name> . -f values-<environment>.yaml
Kubernetes / Kustomize:
kubectl diff -f <manifests-dir>/
# or
kustomize build overlays/<environment> | kubectl diff -f -
Present the diff summary. Explicitly call out:
- Resources to be created (count and names)
- Resources to be modified
- Resources to be destroyed or replaced — flag these prominently
If --dry-run was specified, stop here and deliver the validation report.
Step 5: Confirm before applying
Ask the user in plain prose: "Here is what will change: [summary]. Should I apply these changes to [environment]?"
For production environments, make the confirmation explicit: "This will apply to PRODUCTION. Confirm?"
Do not proceed until you have a clear yes. If the user wants to review something first, do that and ask again.
Step 6: Apply changes
Log the deployment start, then apply:
echo "$(date -Iseconds) DEPLOY_START env=<environment>" >> .deploy.log
Terraform:
terraform apply tfplan
Helm:
helm upgrade --install <release-name> . -f values-<environment>.yaml
Kustomize:
kustomize build overlays/<environment> | kubectl apply -f -
Kubernetes (raw manifests):
kubectl apply -f <manifests-dir>/ --recursive
echo "$(date -Iseconds) DEPLOY_END status=$?" >> .deploy.log
Step 7: Verify post-deploy health
Check that the deployment is healthy:
# Kubernetes rollout
kubectl rollout status deployment/<name> --timeout=300s
kubectl get pods -l app=<name>
# Helm
helm status <release-name>
# Terraform
terraform show | head -50
If the rollout fails or pods are not healthy, provide the rollback command immediately:
# Kubernetes
kubectl rollout undo deployment/<name>
# Helm
helm rollback <release-name>
# Terraform (point to last known-good state)
terraform apply -target=<resource>
Output format
DEPLOYMENT COMPLETE
===================
Environment: <env>
Type: <terraform|helm|kustomize|k8s|gha>
Mode: <dry-run|applied>
Changes:
- <resource>: <created|modified|destroyed>
Status: HEALTHY | DEGRADED | FAILED
Rollback: <command if applicable>
For dry-run mode, replace "DEPLOYMENT COMPLETE" with "VALIDATION COMPLETE" and omit the rollback line.
Related Skills
alexei-led/writing-shell
tools
VerifiedTrustedCommunity
Idiomatic shell development for POSIX sh, Bash, Zsh, Fish, hooks, CI shell steps, and scriptable CLI glue. Use when writing or changing `.sh`, `.bash`, `.zsh`, `.fish`, `.bats`, shell functions, shell pipelines, or command-runner recipes. Emphasizes portability, quoting, safe filesystem/process handling, non-TUI CLI tools, ShellCheck, shfmt, Bats, and ShellSpec. NOT for Python, TypeScript, Go, web code, or infrastructure operations.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/spec-flow
tools
VerifiedTrustedCommunity
Use when planning, executing, checkpointing, finishing, or inspecting lightweight spec-driven work. Runs one task at a time using `.spec/` markdown files and the bundled `specctl` helper. NOT for broad product discovery beyond a short requirement interview.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/operating-infra
testing
VerifiedTrustedCommunity
Author, inspect, troubleshoot, and review infrastructure across IaC, Kubernetes, cloud resources, containers, CI/CD, and Linux hosts. Use when changing Terraform/OpenTofu, Kubernetes, Helm, Kustomize, Dockerfiles, GitHub Actions, AWS, GCP, Cloud Run, BigQuery, IAM, logs, instances, or service health. NOT for deploy/apply/rollback workflows (see deploying-infra). NOT for shell scripts or generic command pipelines (see writing-shell).
33SKILL.mdUpdated Jun 5, 2026
alexei-led/configuring-git-hygiene
development
VerifiedTrustedCommunity
Configure safe git workflow hygiene: pre-commit/pre-push hooks, Gitleaks secret scanning, .gitignore rules, local git config, and guardrails. Use when setting up git hooks, gitleaks/git leaks, staged pre-commit checks, pre-push validation, core.hooksPath, .gitignore, or git config best practices. NOT for creating commits (use committing-code), cleaning branches/worktrees (use cleanup-git), or creating worktrees (use using-git-worktrees).
33SKILL.mdUpdated Jun 5, 2026