Improve GCP workload identity federation evidence#1560

Open
wowsofine wants to merge 1 commit into
UnitOneAI:mainfrom
wowsofine:improve/gcp-workload-identity-federation-evidence

Conversation

@wowsofine

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with Codex against the gcp-review skill files
  • No prohibited patterns per SECURITY.md
  • index.yaml update not required because this improves an existing skill

What This PR Does

This improves the gcp-review skill by adding Workload Identity Federation and external OIDC boundary evidence checks.

The current skill already covers user-managed service account keys and service account impersonation roles. This PR adds the modern keyless identity path: workload identity pools/providers, attribute_mapping, attribute_condition, broad principalSet patterns, roles/iam.workloadIdentityUser, external roles/iam.serviceAccountTokenCreator grants, and GitHub Actions OIDC claim binding.

It also adds an Identity Federation Evidence matrix to the main report template and updates common pitfalls so reviewers do not treat WIF as automatically safe simply because it removes long-lived keys.

Framework References

  • CIS Google Cloud Platform Foundation Benchmark v2.0.0, Section 1 IAM review context
  • Google Cloud IAM and Workload Identity Federation provider behavior
  • Terraform Google provider resources for workload identity pools/providers and service account IAM bindings

Testing

  • git diff --check -- skills/cloud/gcp-review/SKILL.md skills/cloud/gcp-review/benchmark-checklist.md
  • frontmatter required-field check
  • Markdown fence balance check for both modified files
  • content marker check for Workload Identity Federation, attribute_condition, principalSet, roles/iam.workloadIdentityUser, and roles/iam.serviceAccountTokenCreator
  • Common Pitfalls numbering check

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors or maintainer-confirmed private method
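As an added example (not code from the PR or from the gcp-review skill), a Python checker that applies the evidence checks the description lists to a provider description and the service-account IAM bindings that reference it. The field names are assumed to follow the IAM API shapes; the project, pool and member values are constructed.

```python
"""Added example, not the PR's own code: flag the Workload Identity
Federation evidence gaps the PR description lists, from a provider
description plus the service-account IAM bindings that reference it."""
import re

# Constructed sample: field names follow the IAM API shapes (assumption);
# project, pool and member values are invented.
PROJECT = "example-proj"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PROVIDER = {
    "oidc": {"issuerUri": GITHUB_ISSUER},
    "attributeMapping": {"google.subject": "assertion.sub"},
    "attributeCondition": "",  # empty: any token from the issuer maps into the pool
}
BINDINGS = [
    {"role": "roles/iam.workloadIdentityUser", "members": [
        "principalSet://iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/ci-pool/*"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": [
        "user:contractor@example.org",
        f"serviceAccount:deploy@{PROJECT}.iam.gserviceaccount.com"]},
]
# A principalSet naming a whole pool rather than an attribute-scoped subset.
POOL_WIDE = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/\*$")


def review(provider, bindings, project=PROJECT):
    """Return finding codes for one provider/binding pair, in evaluation order."""
    findings = []
    if not provider.get("attributeCondition"):
        findings.append("NO_ATTRIBUTE_CONDITION")
    mapped = " ".join(provider.get("attributeMapping", {}).values())
    # Without a repository attribute in the mapping, bindings cannot be
    # narrowed with an attribute-scoped principalSet for GitHub Actions.
    if provider["oidc"]["issuerUri"] == GITHUB_ISSUER and "assertion.repository" not in mapped:
        findings.append("NO_REPOSITORY_ATTRIBUTE")
    for binding in bindings:
        for member in binding["members"]:
            if binding["role"] == "roles/iam.workloadIdentityUser" and POOL_WIDE.match(member):
                findings.append("BROAD_PRINCIPALSET")
            # TokenCreator held by anything other than this project's own service accounts.
            if (binding["role"] == "roles/iam.serviceAccountTokenCreator"
                    and not member.endswith(f"@{project}.iam.gserviceaccount.com")):
                findings.append("EXTERNAL_TOKEN_CREATOR")
    return findings


if __name__ == "__main__":
    print(review(PROVIDER, BINDINGS))
```

The findings map one-to-one onto the evidence rows the PR adds, so an empty list is the "WIF looks scoped" outcome rather than "WIF is safe".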

@wowsofine
Author

Bounty claim note: requesting consideration for the moderate improver bounty (USD 100).

This PR adds Workload Identity Federation and external OIDC boundary evidence checks to the GCP review skill, including attribute conditions, principalSet scope, WorkloadIdentityUser bindings, external TokenCreator grants, and CI claim binding. Local validation is listed in the PR description.
