[2.0.0] - 2026-07-04
- Commit Range: ➡️
400b94b...f3375b2
Dependencies
-
400b94b— (deps) [dependency] Update dependency group### ️ Security -
f3375b2— 🚚 [refactor] Nest skill package payload
🚚 [refactor] Move SKILL.md, LICENSE.txt, agents, assets, references, and scripts under skills/github-manage-security-alerts so skill installers pull referenced resources with the skill payload.
🔧 [chore] Point npm package files, codexSkill.path, validation, Python tooling, Codecov, and release bundle generation at the nested skill directory.
📝 [docs] Refresh README, contributor guidance, PR template, issue template, and repository agent guidance with the new nested helper paths.
[1.1.0] - 2026-06-29
- Commit Range: ➡️
c9901b4...c9901b4
️ Security
c9901b4— 📝 [docs] Expand security alert skill references
📝 Split the long command catalog out of SKILL.md into focused command, triage, and GitHub MCP companion references so agents can load detailed guidance only when needed.
🛡️ Tighten alert handling guidance around token safety, secret redaction, dry-run mutations, untrusted alert text, and MCP-vs-persisted-alert routing.
🍱 Refresh packaged skill artwork and preserve accessible SVG title and description metadata.
👷 Include references/ in release bundles and validate all packaged reference guides before publishing.
[1.0.6] - 2026-06-29
- Commit Range: ➡️
461ae2f...487b02c
✨ Features
-
461ae2f— ✨ [feat] Update VSCode extension recommendations -
Added new extensions for improved Python development
-
Enhanced testing and debugging capabilities with additional tools
️ Bug Fixes
487b02c— 🔒️ [fix] Avoid plaintext URL literals in API guard
🔒️ Resolve Sonar hotspots by detecting absolute endpoint schemes through URL parsing instead of matching plaintext protocol prefixes.
🧪 Keep the HTTP rejection regression while constructing the insecure URL through urllib.parse.
01c204e— 🔒️ [fix] Require HTTPS for API requests
🔒️ Reject plaintext HTTP API URLs before building token-bearing requests, closing the Sonar hotspot around insecure transport.
🧹 Replace repeated JSON payload casts with existing expect_dict validation so Sonar no longer reports duplicated type literals.
🧪 Add HTTPS enforcement coverage and replace generator-based test raises with an explicit helper.
Chores
ca2c5c4— 🔧 [chore] (vscode) Remove deprecated Pyright extension from recommendations
CI/CD
280e822— 👷 [ci] Add Python Codecov coverage reporting
👷 [ci] Adds a pinned Python Tests workflow that installs Python dependencies, runs the pytest coverage/JUnit command, and uploads both test results and coverage.xml to Codecov with OIDC.
🧪 [test] Adds API, CLI, entrypoint, operation, and renderer coverage so the new Python coverage gate passes honestly above the requested 75% floor.
🐛 [fix] Tightens SSH remote parsing so git@host:owner/repo.git resolves to the correct repository name, and closes HTTPError bodies after reading API error responses.
🔧 [chore] Adds codecov.yml, pytest-cov, and coverage.py configuration for an enforced 75% local and Codecov project/patch target.
[1.0.5] - 2026-06-29
- Commit Range: ➡️
f96abeb...f96abeb
Chores
f96abeb— 🔧 [chore] (python) Harden tooling scripts
🔧 [chore] Add reusable npm wrappers for Ruff, unsafe Ruff checks, skillcheck history validation, and local Python virtual environment setup.
🔧 [chore] Expand Python tool configuration with explicit cache and exclude paths while preserving scripts/tests module resolution for MyPy, Pyright, Ruff, and pytest.
🧪 [test] Record the latest passing skillcheck history run and recommend debugpy/Pyright VS Code extensions for the strict Python workflow.
[1.0.4] - 2026-06-28
- Commit Range: ➡️
9f58859...9e3b8c9
✨ Features
-
9f58859— ✨ [feat] Update Dependabot configuration and add ncurc.json -
Enhance Dependabot settings for monthly updates with specific assignees and labels.
-
Introduce cooldown periods for package updates.
-
Add ncurc.json for managing npm-check-updates configurations.
-
Update package-lock.json to reflect dependency upgrades, including commander.
-
Modify release-skill.yml to use the latest actions/checkout version.
-
Add new npm scripts for updating dependencies.
️ Bug Fixes
9e3b8c9— 🐛 [fix] (package) Exclude generated Python artifacts
🐛 [fix] Prevent npm package contents from including Python bytecode caches or generated coverage/report directories when local validation has run before packaging.
📦️ [fix] Verify npm pack now contains only the intended skill docs, assets, package metadata, and source scripts.
Documentation
ee9eb55— 📝 [docs] (skill) Clarify skillcheck graph examples
📝 [docs] Rename heuristic capability headings to example-oriented headings so skillcheck no longer treats Quick start snippets as orphaned graph capabilities.
📝 [docs] Document shared CLI options and list-command output shapes for code scanning, Dependabot, malware, and secret scanning examples.
🧹 [chore] Add semantic skillcheck settings and commit the validation history ledger showing the warning count dropping to zero.
Chores
aac8c97— 🔧 [chore] (python) Add strict lint and type gates
🔧 [chore] Add pyproject configuration for Ruff, MyPy, Pyright, and pytest with strict checking across scripts and tests.
🔨 [chore] Add package scripts for Python bootstrap, formatting, linting, type checking, tests, compileall, and aggregate checks.
🚨 [fix] Update the CLI modules to satisfy strict Ruff, MyPy, and Pyright diagnostics without weakening GitHub API error handling or token handling.
🧪 [test] Add pytest coverage for shared parsing helpers and render output behavior.
🧑💻 [chore] Add VS Code Python extension recommendations and strict workspace analysis settings.
5689a16— 🔧 [chore] Update Dependabot configuration by removing npm ecosystem settings
[1.0.3] - 2026-06-27
- Commit Range: ➡️
c29efce...0f71084
️ Security
0f71084— 🐛 [fix] Harden skill packaging and discovery
🔒️ [fix] Tighten the security-alert skill guidance so secret scanning values stay redacted by default, document web-base URL overrides, and require reviewed findings before bulk updates.
🛠️ [fix] Accept inline SKILL metadata in the package validator and add a narrow skillcheck config for intentional frontmatter extensions.
🔧 [chore] Add shared Prettier, remark, and package-json lint configuration with package metadata and provenance needed for publishing.
📝 [docs] Fix Markdown heading levels, README release-list formatting, and the stale commit-instruction filename.
83ba098— 👷 [ci] Use shared workflow callers
👷 [ci] Switches the Dependabot auto-merge caller to workflow-templates@main and replaces local security and maintenance workflows with shared reusable callers.
⬆️ [build] Updates eslint-config-nick2bad4u to the published caller override version and records any peer dependency needed for the shared ESLint config to load.
Chores
c29efce— Update github agent instruction paths
CI/CD
[1.0.2] - 2026-05-29
- Commit Range: ➡️
8f448ce...8f448ce
Documentation
8f448ce— Document universal skill installs
[1.0.1] - 2026-05-29
- Commit Range: ➡️
01b42fe...b0be409
Dependencies
[dependabot]actions: [dependency] Update github/codeql-action 4.35.1
01b42fe— (deps) [dependency] Update github/codeql-action
️ Security
3a67b25— Reduce security alert operation complexity
️ Other Changes
-
b0be409— Use git-cliff release notes and npm publish -
a4e9105— Add SonarLint project binding -
668fe12— Fix SonarCloud findings -
0355d9b— Rename npm package for skill publishing -
24d6de4— Move skill package to repository root -
e5bf4a8— Allow npm package publishing -
67473a4— Use staged npm publishing for skill releases -
6f1b87b— Add npm trusted publishing release setup -
46f6aee— Clean up repository automation guidance -
f469e1c— Add Codex skill metadata
[1.0.0] - 2026-03-23
- Commit Range: ➡️
d6e33c6...2ce0fca
️ Bug Fixes
-
3aefc05— 🔥 [fix] Remove deprecated sonar management scripts -
Deleted
sonar_manage_issues.py,sonar_manage_project.py, andsonar_manage_render.pyfiles as they are no longer needed. -
This cleanup reduces codebase complexity and maintenance overhead.
Dependencies
2ce0fca— (deps) [dependency] Update actions/upload-artifact
️ Security
-
dca1a87— ✨ [feat] Update repository references and documentation for GitHub Security Alerts Skill -
📝 (funding) Update funding configuration to reflect new repository name
-
📝 (issue_template) Modify bug report and question templates for GitHub context
-
📝 (config) Change security vulnerability report URL to new repository
-
📝 (readme) Revise README to describe GitHub Security Alerts Skill features and usage
-
📝 (contributing) Update contributing guidelines to reflect new skill name and commands
-
📝 (security) Revise security policy to align with GitHub token usage
-
📝 (changelog) Document changes in changelog for clarity
-
📝 (release) Update release workflow asset naming to match new repository
️ Other Changes
d6e33c6— Initial commit
⭐ Contributors
Thanks to all the contributors for their hard work!
License
This project is licensed under the Unlicense.
This changelog was automatically generated with git-cliff.