Releases: askalf/truecopy-action
Release list
v1.0.1 — gate your agent skills in CI
The GitHub Action for truecopy — the supply-chain gate for AI agents. Fail the build the moment a pinned agent skill or MCP server drifts or turns poisonous, or poison-scan a manifest, skill directory, or a cloned marketplace before you install from it.
name: truecopy
on: [push, pull_request]
permissions:
contents: read
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: askalf/truecopy-action@v1- verify — gate
truecopy.lock: exit 1 if any pinned skill drifted, turned poisonous, or is signed by an untrusted key - scan — poison-scan a manifest, skill dir, or a
--marketplacerepo, no lock required - Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA
Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.
v1.0.1 is a patch over v1.0.0: it shortens the action.yml description for GitHub Marketplace validation — no behavior change.
Full changelog: v1.0.0...v1.0.1
v1.0.0 — truecopy as a CI gate
The first release under the truecopy name (renamed from canon-action; the old name still redirects). @v1 now installs truecopy v0.8.0 with the current action.
- verify — fail the build if any pinned skill drifted, turned poisonous, or is signed by an untrusted key
- scan — poison-scan a manifest, skill directory, or a cloned marketplace repo, no lock required
- Fixed: pre-rename repos with a committed
canon.locknow verify correctly through the action — thelockinput no longer forces--lock truecopy.lockand defeats truecopy's own fallback - Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: askalf/truecopy-action@v1Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.
Full changelog: v0.1.0...v1.0.0
v0.1.0 — canon as a CI gate
First release: composite action wrapping canon — verify gates canon.lock for drift/poisoning/publisher trust; scan poison-scans manifests, skill dirs, or a cloned marketplace repo. Zero third-party action dependencies; canon installed at the ref you pin (canon-ref, default v0.6.1). Use askalf/canon-action@v1.