v1.0.0 — truecopy as a CI gate
The first release under the truecopy name (renamed from canon-action; the old name still redirects). @v1 now installs truecopy v0.8.0 with the current action.
- verify — fail the build if any pinned skill drifted, turned poisonous, or is signed by an untrusted key
- scan — poison-scan a manifest, skill directory, or a cloned marketplace repo, no lock required
- Fixed: pre-rename repos with a committed
canon.locknow verify correctly through the action — thelockinput no longer forces--lock truecopy.lockand defeats truecopy's own fallback - Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: askalf/truecopy-action@v1Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.
Full changelog: v0.1.0...v1.0.0