Skip to content

v2.0.0

Latest

Choose a tag to compare

@github-actions github-actions released this 04 Jul 19:57
Immutable release. Only release title and notes can be modified.
f3375b2

[2.0.0] - 2026-07-04

Dependencies

  • 400b94b(deps) [dependency] Update dependency group### ️ Security

  • f3375b2 — 🚚 [refactor] Nest skill package payload

🚚 [refactor] Move SKILL.md, LICENSE.txt, agents, assets, references, and scripts under skills/github-manage-security-alerts so skill installers pull referenced resources with the skill payload.

🔧 [chore] Point npm package files, codexSkill.path, validation, Python tooling, Codecov, and release bundle generation at the nested skill directory.

📝 [docs] Refresh README, contributor guidance, PR template, issue template, and repository agent guidance with the new nested helper paths.

[1.1.0] - 2026-06-29

️ Security

  • c9901b4 — 📝 [docs] Expand security alert skill references

📝 Split the long command catalog out of SKILL.md into focused command, triage, and GitHub MCP companion references so agents can load detailed guidance only when needed.

🛡️ Tighten alert handling guidance around token safety, secret redaction, dry-run mutations, untrusted alert text, and MCP-vs-persisted-alert routing.

🍱 Refresh packaged skill artwork and preserve accessible SVG title and description metadata.

👷 Include references/ in release bundles and validate all packaged reference guides before publishing.

[1.0.6] - 2026-06-29

✨ Features

  • 461ae2f — ✨ [feat] Update VSCode extension recommendations

  • Added new extensions for improved Python development

  • Enhanced testing and debugging capabilities with additional tools

️ Bug Fixes

  • 487b02c — 🔒️ [fix] Avoid plaintext URL literals in API guard

🔒️ Resolve Sonar hotspots by detecting absolute endpoint schemes through URL parsing instead of matching plaintext protocol prefixes.

🧪 Keep the HTTP rejection regression while constructing the insecure URL through urllib.parse.

  • 01c204e — 🔒️ [fix] Require HTTPS for API requests

🔒️ Reject plaintext HTTP API URLs before building token-bearing requests, closing the Sonar hotspot around insecure transport.

🧹 Replace repeated JSON payload casts with existing expect_dict validation so Sonar no longer reports duplicated type literals.

🧪 Add HTTPS enforcement coverage and replace generator-based test raises with an explicit helper.

Chores

  • ca2c5c4 — 🔧 [chore] (vscode) Remove deprecated Pyright extension from recommendations

CI/CD

  • 280e822 — 👷 [ci] Add Python Codecov coverage reporting

👷 [ci] Adds a pinned Python Tests workflow that installs Python dependencies, runs the pytest coverage/JUnit command, and uploads both test results and coverage.xml to Codecov with OIDC.

🧪 [test] Adds API, CLI, entrypoint, operation, and renderer coverage so the new Python coverage gate passes honestly above the requested 75% floor.

🐛 [fix] Tightens SSH remote parsing so git@host:owner/repo.git resolves to the correct repository name, and closes HTTPError bodies after reading API error responses.

🔧 [chore] Adds codecov.yml, pytest-cov, and coverage.py configuration for an enforced 75% local and Codecov project/patch target.

[1.0.5] - 2026-06-29

Chores

  • f96abeb — 🔧 [chore] (python) Harden tooling scripts

🔧 [chore] Add reusable npm wrappers for Ruff, unsafe Ruff checks, skillcheck history validation, and local Python virtual environment setup.

🔧 [chore] Expand Python tool configuration with explicit cache and exclude paths while preserving scripts/tests module resolution for MyPy, Pyright, Ruff, and pytest.

🧪 [test] Record the latest passing skillcheck history run and recommend debugpy/Pyright VS Code extensions for the strict Python workflow.

[1.0.4] - 2026-06-28

✨ Features

  • 9f58859 — ✨ [feat] Update Dependabot configuration and add ncurc.json

  • Enhance Dependabot settings for monthly updates with specific assignees and labels.

  • Introduce cooldown periods for package updates.

  • Add ncurc.json for managing npm-check-updates configurations.

  • Update package-lock.json to reflect dependency upgrades, including commander.

  • Modify release-skill.yml to use the latest actions/checkout version.

  • Add new npm scripts for updating dependencies.

️ Bug Fixes

  • 9e3b8c9 — 🐛 [fix] (package) Exclude generated Python artifacts

🐛 [fix] Prevent npm package contents from including Python bytecode caches or generated coverage/report directories when local validation has run before packaging.

📦️ [fix] Verify npm pack now contains only the intended skill docs, assets, package metadata, and source scripts.

Documentation

  • ee9eb55 — 📝 [docs] (skill) Clarify skillcheck graph examples

📝 [docs] Rename heuristic capability headings to example-oriented headings so skillcheck no longer treats Quick start snippets as orphaned graph capabilities.

📝 [docs] Document shared CLI options and list-command output shapes for code scanning, Dependabot, malware, and secret scanning examples.

🧹 [chore] Add semantic skillcheck settings and commit the validation history ledger showing the warning count dropping to zero.

Chores

  • aac8c97 — 🔧 [chore] (python) Add strict lint and type gates

🔧 [chore] Add pyproject configuration for Ruff, MyPy, Pyright, and pytest with strict checking across scripts and tests.

🔨 [chore] Add package scripts for Python bootstrap, formatting, linting, type checking, tests, compileall, and aggregate checks.

🚨 [fix] Update the CLI modules to satisfy strict Ruff, MyPy, and Pyright diagnostics without weakening GitHub API error handling or token handling.

🧪 [test] Add pytest coverage for shared parsing helpers and render output behavior.

🧑‍💻 [chore] Add VS Code Python extension recommendations and strict workspace analysis settings.

  • 5689a16 — 🔧 [chore] Update Dependabot configuration by removing npm ecosystem settings

[1.0.3] - 2026-06-27

️ Security

  • 0f71084 — 🐛 [fix] Harden skill packaging and discovery

🔒️ [fix] Tighten the security-alert skill guidance so secret scanning values stay redacted by default, document web-base URL overrides, and require reviewed findings before bulk updates.

🛠️ [fix] Accept inline SKILL metadata in the package validator and add a narrow skillcheck config for intentional frontmatter extensions.

🔧 [chore] Add shared Prettier, remark, and package-json lint configuration with package metadata and provenance needed for publishing.

📝 [docs] Fix Markdown heading levels, README release-list formatting, and the stale commit-instruction filename.

  • 83ba098 — 👷 [ci] Use shared workflow callers

👷 [ci] Switches the Dependabot auto-merge caller to workflow-templates@main and replaces local security and maintenance workflows with shared reusable callers.

⬆️ [build] Updates eslint-config-nick2bad4u to the published caller override version and records any peer dependency needed for the shared ESLint config to load.

Chores

  • c29efce — Update github agent instruction paths

CI/CD

  • 409ecfe — Update Dependabot auto-merge workflow pin

  • b2aefb9 — Add Dependabot auto-merge workflow

[1.0.2] - 2026-05-29

Documentation

  • 8f448ce — Document universal skill installs

[1.0.1] - 2026-05-29

Dependencies

[dependabot]actions: [dependency] Update github/codeql-action 4.35.1

  • 01b42fe(deps) [dependency] Update github/codeql-action

️ Security

  • 3a67b25 — Reduce security alert operation complexity

️ Other Changes

  • b0be409 — Use git-cliff release notes and npm publish

  • a4e9105 — Add SonarLint project binding

  • 668fe12 — Fix SonarCloud findings

  • 0355d9b — Rename npm package for skill publishing

  • 24d6de4 — Move skill package to repository root

  • e5bf4a8 — Allow npm package publishing

  • 67473a4 — Use staged npm publishing for skill releases

  • 6f1b87b — Add npm trusted publishing release setup

  • 46f6aee — Clean up repository automation guidance

  • f469e1c — Add Codex skill metadata

[1.0.0] - 2026-03-23

️ Bug Fixes

  • 3aefc05 — 🔥 [fix] Remove deprecated sonar management scripts

  • Deleted sonar_manage_issues.py, sonar_manage_project.py, and sonar_manage_render.py files as they are no longer needed.

  • This cleanup reduces codebase complexity and maintenance overhead.

Dependencies

  • 2ce0fca(deps) [dependency] Update actions/upload-artifact

️ Security

  • dca1a87 — ✨ [feat] Update repository references and documentation for GitHub Security Alerts Skill

  • 📝 (funding) Update funding configuration to reflect new repository name

  • 📝 (issue_template) Modify bug report and question templates for GitHub context

  • 📝 (config) Change security vulnerability report URL to new repository

  • 📝 (readme) Revise README to describe GitHub Security Alerts Skill features and usage

  • 📝 (contributing) Update contributing guidelines to reflect new skill name and commands

  • 📝 (security) Revise security policy to align with GitHub token usage

  • 📝 (changelog) Document changes in changelog for clarity

  • 📝 (release) Update release workflow asset naming to match new repository

️ Other Changes

⭐ Contributors

Thanks to all the contributors for their hard work!

License

This project is licensed under the Unlicense.
This changelog was automatically generated with git-cliff.