Skip to content

v1.0.1 — gate your agent skills in CI

Latest

Choose a tag to compare

@askalf askalf released this 12 Jul 15:37
5c6fcf0

The GitHub Action for truecopy — the supply-chain gate for AI agents. Fail the build the moment a pinned agent skill or MCP server drifts or turns poisonous, or poison-scan a manifest, skill directory, or a cloned marketplace before you install from it.

name: truecopy
on: [push, pull_request]
permissions:
  contents: read
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: askalf/truecopy-action@v1
  • verify — gate truecopy.lock: exit 1 if any pinned skill drifted, turned poisonous, or is signed by an untrusted key
  • scan — poison-scan a manifest, skill dir, or a --marketplace repo, no lock required
  • Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA

Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.


v1.0.1 is a patch over v1.0.0: it shortens the action.yml description for GitHub Marketplace validation — no behavior change.

Full changelog: v1.0.0...v1.0.1