Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

rubicanjr/gcp-patterns

Name: gcp-patterns
Author: rubicanjr

skills/gcp-patterns/SKILL.md

npx skillsauth add rubicanjr/FinCognis gcp-patterns

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GCP Patterns

Cloud Run Deployment

Dockerfile for Cloud Run

FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production=false
COPY . .
RUN npm run build

FROM node:20-slim
WORKDIR /app
RUN addgroup --system app && adduser --system --ingroup app app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./
USER app
EXPOSE 8080
ENV PORT=8080 NODE_ENV=production
CMD ["node", "dist/server.js"]

Cloud Run Service YAML

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: order-service
  annotations:
    run.googleapis.com/launch-stage: GA
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/maxScale: "100"
        run.googleapis.com/cpu-throttling: "false"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      timeoutSeconds: 300
      serviceAccountName: [email protected]
      containers:
        - image: gcr.io/project-id/order-service:latest
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: "2"
              memory: 1Gi
          env:
            - name: DB_CONNECTION
              valueFrom:
                secretKeyRef:
                  key: latest
                  name: db-connection-string
          startupProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 3

Deploy Command

gcloud run deploy order-service \
  --image gcr.io/$PROJECT_ID/order-service:$GIT_SHA \
  --region us-central1 \
  --service-account order-service@$PROJECT_ID.iam.gserviceaccount.com \
  --set-secrets "DB_URL=db-connection:latest" \
  --min-instances 1 \
  --max-instances 100 \
  --cpu 2 --memory 1Gi \
  --concurrency 80 \
  --no-allow-unauthenticated

BigQuery Optimization

-- Use partitioning and clustering
CREATE TABLE `project.dataset.events`
PARTITION BY DATE(event_timestamp)
CLUSTER BY user_id, event_type
AS SELECT * FROM `project.dataset.raw_events`;

-- Always filter on partition column
SELECT event_type, COUNT(*) as cnt
FROM `project.dataset.events`
WHERE event_timestamp BETWEEN '2025-01-01' AND '2025-01-31'
  AND event_type = 'purchase'
GROUP BY event_type;

-- Use approximate functions for large datasets
SELECT APPROX_COUNT_DISTINCT(user_id) as unique_users
FROM `project.dataset.events`
WHERE DATE(event_timestamp) = CURRENT_DATE();

-- Avoid SELECT * (scans all columns, costs more)
-- Use column selection and LIMIT for exploration

Pub/Sub Patterns

from google.cloud import pubsub_v1
from google.api_core import retry
import json

# Publisher with ordering and retry
publisher = pubsub_v1.PublisherClient()
topic_path = publisher.topic_path("project-id", "order-events")

def publish_event(event: dict, ordering_key: str = "") -> str:
    data = json.dumps(event).encode("utf-8")
    future = publisher.publish(
        topic_path,
        data,
        ordering_key=ordering_key,
        event_type=event["type"],
    )
    return future.result(timeout=30)

# Subscriber with exactly-once processing
subscriber = pubsub_v1.SubscriberClient()
subscription_path = subscriber.subscription_path("project-id", "order-events-sub")

def callback(message: pubsub_v1.types.PubsubMessage) -> None:
    try:
        event = json.loads(message.data.decode("utf-8"))
        idempotency_key = message.message_id

        if already_processed(idempotency_key):
            message.ack()
            return

        process_event(event)
        mark_processed(idempotency_key)
        message.ack()
    except Exception as e:
        logger.error(f"Failed to process message: {e}")
        message.nack()

subscriber.subscribe(subscription_path, callback=callback)

IAM Best Practices

Principles:
  - Least privilege: grant minimum permissions needed
  - Service accounts per service (not shared)
  - No user accounts in production workloads
  - Prefer predefined roles over primitive roles

Per-Service Pattern:
  order-service:
    roles:
      - roles/cloudsql.client          # DB access
      - roles/pubsub.publisher         # Publish events
      - roles/secretmanager.secretAccessor  # Read secrets
    # NOT: roles/editor (too broad)

Workload Identity (GKE):
  - Bind K8s SA to GCP SA
  - No key files, automatic credential rotation

Checklist

[ ] Cloud Run services use dedicated service accounts
[ ] Secrets stored in Secret Manager, not env vars
[ ] BigQuery tables partitioned and clustered
[ ] Pub/Sub subscribers implement idempotent processing
[ ] Health check endpoints configured for all services
[ ] Min instances set for latency-sensitive services
[ ] IAM follows least privilege (no primitive roles)
[ ] Cloud Armor WAF in front of public endpoints
[ ] VPC connector for private resource access

Anti-Patterns

Using default compute service account (overprivileged)
SELECT * on BigQuery (scans all columns, high cost)
Pub/Sub without dead letter queue (messages lost on repeated failure)
Hardcoding project ID instead of using environment detection
Not setting concurrency limits on Cloud Run (OOM under load)
Using Cloud Run for long-running background jobs (use Cloud Tasks)
Storing secrets in environment variables instead of Secret Manager

rubicanjr/gcp-patterns

skills/gcp-patterns/SKILL.md

Cloud Run deployment, BigQuery optimization, Pub/Sub patterns, IAM best practices

devops

Updated Apr 22, 2026

$ install --global

skillsauth

npx skillsauth add rubicanjr/FinCognis gcp-patterns

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 1:49 AM5.3s1 file scanned

SKILL.md

name:: gcp-patterns
description:: Cloud Run deployment, BigQuery optimization, Pub/Sub patterns, IAM best practices

GCP Patterns

Cloud Run Deployment

Dockerfile for Cloud Run

FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production=false
COPY . .
RUN npm run build

FROM node:20-slim
WORKDIR /app
RUN addgroup --system app && adduser --system --ingroup app app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./
USER app
EXPOSE 8080
ENV PORT=8080 NODE_ENV=production
CMD ["node", "dist/server.js"]

Cloud Run Service YAML

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: order-service
  annotations:
    run.googleapis.com/launch-stage: GA
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/maxScale: "100"
        run.googleapis.com/cpu-throttling: "false"
        run.googleapis.com/startup-cpu-boost: "true"
    spec:
      containerConcurrency: 80
      timeoutSeconds: 300
      serviceAccountName: [email protected]
      containers:
        - image: gcr.io/project-id/order-service:latest
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: "2"
              memory: 1Gi
          env:
            - name: DB_CONNECTION
              valueFrom:
                secretKeyRef:
                  key: latest
                  name: db-connection-string
          startupProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 3

Deploy Command

gcloud run deploy order-service \
  --image gcr.io/$PROJECT_ID/order-service:$GIT_SHA \
  --region us-central1 \
  --service-account order-service@$PROJECT_ID.iam.gserviceaccount.com \
  --set-secrets "DB_URL=db-connection:latest" \
  --min-instances 1 \
  --max-instances 100 \
  --cpu 2 --memory 1Gi \
  --concurrency 80 \
  --no-allow-unauthenticated

BigQuery Optimization

-- Use partitioning and clustering
CREATE TABLE `project.dataset.events`
PARTITION BY DATE(event_timestamp)
CLUSTER BY user_id, event_type
AS SELECT * FROM `project.dataset.raw_events`;

-- Always filter on partition column
SELECT event_type, COUNT(*) as cnt
FROM `project.dataset.events`
WHERE event_timestamp BETWEEN '2025-01-01' AND '2025-01-31'
  AND event_type = 'purchase'
GROUP BY event_type;

-- Use approximate functions for large datasets
SELECT APPROX_COUNT_DISTINCT(user_id) as unique_users
FROM `project.dataset.events`
WHERE DATE(event_timestamp) = CURRENT_DATE();

-- Avoid SELECT * (scans all columns, costs more)
-- Use column selection and LIMIT for exploration

Pub/Sub Patterns

from google.cloud import pubsub_v1
from google.api_core import retry
import json

# Publisher with ordering and retry
publisher = pubsub_v1.PublisherClient()
topic_path = publisher.topic_path("project-id", "order-events")

def publish_event(event: dict, ordering_key: str = "") -> str:
    data = json.dumps(event).encode("utf-8")
    future = publisher.publish(
        topic_path,
        data,
        ordering_key=ordering_key,
        event_type=event["type"],
    )
    return future.result(timeout=30)

# Subscriber with exactly-once processing
subscriber = pubsub_v1.SubscriberClient()
subscription_path = subscriber.subscription_path("project-id", "order-events-sub")

def callback(message: pubsub_v1.types.PubsubMessage) -> None:
    try:
        event = json.loads(message.data.decode("utf-8"))
        idempotency_key = message.message_id

        if already_processed(idempotency_key):
            message.ack()
            return

        process_event(event)
        mark_processed(idempotency_key)
        message.ack()
    except Exception as e:
        logger.error(f"Failed to process message: {e}")
        message.nack()

subscriber.subscribe(subscription_path, callback=callback)

IAM Best Practices

Principles:
  - Least privilege: grant minimum permissions needed
  - Service accounts per service (not shared)
  - No user accounts in production workloads
  - Prefer predefined roles over primitive roles

Per-Service Pattern:
  order-service:
    roles:
      - roles/cloudsql.client          # DB access
      - roles/pubsub.publisher         # Publish events
      - roles/secretmanager.secretAccessor  # Read secrets
    # NOT: roles/editor (too broad)

Workload Identity (GKE):
  - Bind K8s SA to GCP SA
  - No key files, automatic credential rotation

Checklist

[ ] Cloud Run services use dedicated service accounts
[ ] Secrets stored in Secret Manager, not env vars
[ ] BigQuery tables partitioned and clustered
[ ] Pub/Sub subscribers implement idempotent processing
[ ] Health check endpoints configured for all services
[ ] Min instances set for latency-sensitive services
[ ] IAM follows least privilege (no primitive roles)
[ ] Cloud Armor WAF in front of public endpoints
[ ] VPC connector for private resource access

Anti-Patterns

Using default compute service account (overprivileged)
SELECT * on BigQuery (scans all columns, high cost)
Pub/Sub without dead letter queue (messages lost on repeated failure)
Hardcoding project ID instead of using environment detection
Not setting concurrency limits on Cloud Run (OOM under load)
Using Cloud Run for long-running background jobs (use Cloud Tasks)
Storing secrets in environment variables instead of Secret Manager

Related Skills

rubicanjr/workflow-router

development

VerifiedTrustedCommunity

Goal-based workflow orchestration - routes tasks to specialist agents based on user goals

SKILL.mdUpdated Apr 24, 2026

rubicanjr/workflow-router

rubicanjr/wiring

tools

VerifiedTrustedCommunity

Wiring Verification

SKILL.mdUpdated Apr 24, 2026

rubicanjr/websocket-patterns

development

VerifiedTrustedCommunity

Connection management, room patterns, reconnection strategies, message buffering, and binary protocol design.

SKILL.mdUpdated Apr 24, 2026

rubicanjr/websocket-patterns

rubicanjr/visual-verdict

development

VerifiedTrustedCommunity

Screenshot comparison QA for frontend development. Takes a screenshot of the current implementation, scores it across multiple visual dimensions, and returns a structured PASS/REVISE/FAIL verdict with concrete fixes. Use when implementing UI from a design reference or verifying visual correctness.

SKILL.mdUpdated Apr 24, 2026

rubicanjr/visual-verdict

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/rubicanjr/FinCognis.git

# Copy into Claude Code skills folder (global)
cp -r FinCognis/skills/gcp-patterns ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

rubicanjr/FinCognis

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT