The GitHub Action for truecopy — the supply-chain gate for AI agents. Fail the build the moment a pinned agent skill or MCP server drifts or turns poisonous, or poison-scan a manifest, skill directory, or a cloned marketplace before you install from it.
name: truecopy
on: [push, pull_request]
permissions:
contents: read
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: askalf/truecopy-action@v1- verify — gate
truecopy.lock: exit 1 if any pinned skill drifted, turned poisonous, or is signed by an untrusted key - scan — poison-scan a manifest, skill dir, or a
--marketplacerepo, no lock required - Zero third-party action dependencies · OpenSSF Scorecard + CodeQL · workflows pinned by SHA
Pin askalf/truecopy-action@v1 to track patches, or @<full-sha> for an airtight supply chain.
v1.0.1 is a patch over v1.0.0: it shortens the action.yml description for GitHub Marketplace validation — no behavior change.
Full changelog: v1.0.0...v1.0.1