Skip to content

Releases: askalf/truecopy-action

v1.0.1 — gate your agent skills in CI

Choose a tag to compare

@askalf askalf released this 12 Jul 15:37
5c6fcf0

The GitHub Action for truecopy — the supply-chain gate for AI agents. Fail the build the moment a pinned agent skill or MCP server drifts or turns poisonous, or poison-scan a manifest, skill directory, or a cloned marketplace before you install from it.

name: truecopy
on: [push, pull_request]
permissions:
  contents: read
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: askalf/truecopy-action@v1
  • verify — gate truecopy.lock: exit 1 if any pinned skill drifted, turned poisonous, or is signed by an untrusted key
  • scan — poison-scan a manifest, skill dir, or a --marketplace repo, no lock required
  • Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA

Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.


v1.0.1 is a patch over v1.0.0: it shortens the action.yml description for GitHub Marketplace validation — no behavior change.

Full changelog: v1.0.0...v1.0.1

v1.0.0 — truecopy as a CI gate

Choose a tag to compare

@askalf askalf released this 12 Jul 15:21
c715b08

The first release under the truecopy name (renamed from canon-action; the old name still redirects). @v1 now installs truecopy v0.8.0 with the current action.

  • verify — fail the build if any pinned skill drifted, turned poisonous, or is signed by an untrusted key
  • scan — poison-scan a manifest, skill directory, or a cloned marketplace repo, no lock required
  • Fixed: pre-rename repos with a committed canon.lock now verify correctly through the action — the lock input no longer forces --lock truecopy.lock and defeats truecopy's own fallback
  • Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: askalf/truecopy-action@v1

Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.

Full changelog: v0.1.0...v1.0.0

v0.1.0 — canon as a CI gate

Choose a tag to compare

@askalf askalf released this 04 Jul 14:43
903c1bc

First release: composite action wrapping canonverify gates canon.lock for drift/poisoning/publisher trust; scan poison-scans manifests, skill dirs, or a cloned marketplace repo. Zero third-party action dependencies; canon installed at the ref you pin (canon-ref, default v0.6.1). Use askalf/canon-action@v1.