Releases: skills-lock/skil-lock
Release list
v0.2.3
Changelog
- 19d549b: feat(sarif): emit target.digest (sha-256) per finding (#34) (@skil-lock)
v0.2.2
Changelog
- f0c5efc: feat(sarif): attach OWASP AST10 taxonomy to findings (#32) (@skil-lock)
v0.2.1
v0.2.1 - integrity coverage + replay-safe approvals
Hardening release closing the two gaps documented in SPEC §9.
Exhaustive sibling-file digests
script_hashes now covers every regular file a skill ships - scripts/, resources/, bin/, top-level siblings - not just the two conventional directories. A payload moved to an unhashed sibling path can no longer change behind a clean diff. Additive within schema 0.1: existing lockfiles stay valid; run skil-lock lock . after upgrading to extend coverage to previously unhashed files.
PR-scoped approvals
.skil-lock-approvals.yaml entries accept an optional pr: field scoping an approval to one pull request. The PR-comment snippet pre-fills it in CI (the PR number is auto-detected from the Actions event payload, or pass --pr). A delta that is approved, reverted, and reintroduced in a later PR now re-blocks with an approval scoped to PR #N note instead of silently matching the stale approval. Approvals without pr: keep their standing value-match semantics.
Pairs with Action v0.2.1
skills-lock/skil-lock-action@v0.2.1 adds a verify-signature input: cosign keyless verification of checksums.txt against this repo's release-workflow OIDC identity before any checksum is trusted (default auto).
Changelog
All binaries are cosign-signed; SBOMs and SLSA provenance attached. Verify:
cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig \
--certificate-identity-regexp 'github.com/skills-lock/skil-lock' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt
v0.2.0
Changelog
- d514dbe: deps(actions)(deps): bump goreleaser/goreleaser-action from 6 to 7 (#25) (@dependabot[bot])
- 61ab3fb: docs(demo): regen GIF + MP4 with v0.1.2 renderer output (#23) (@skil-lock)
- 9c6dbb9: docs(readme): add Usage section + SPEC + live-demo pointers (#22) (@skil-lock)
- f5890f2: docs(readme): bump install + pin-binary references to v0.1.2 (#20) (@skil-lock)
- 8cd9422: docs(readme): fix install - PATH note for go install + first-class Windows (#21) (@skil-lock)
- 7dc6a31: feat(integrity): per-script digests + signing/provenance + detection-boundary docs (#27) (@skil-lock)
- e4b17c0: fix(detectors): surface dotfile secret reads, honor line continuation, normalize ./ in policy match (#26) (@skil-lock)
v0.1.2
Changelog
- f2999a9: docs(readme): drop pcomans row, bump Action pin to v0.1.2, multi-platform install, add git-diff comparison (#16) (@skil-lock)
- eaaf22f: docs(readme): render example PR comment natively (was wrapped in outer code fence, table did not render) (#17) (@skil-lock)
- 5fe9100: docs(readme): swap em-dashes for hyphens (#18) (@skil-lock)
- dce9ce0: fix(docs): scrub personal handle from demo GIF (max19900 -> alice) (#14) (@skil-lock)
- 44403f1: fix(renderer): swap user-visible em-dashes for ASCII hyphens (#19) (@skil-lock)
v0.1.1
Changelog
- 497434a: ci: remove !private gate on CodeQL — repo is now public (@skil-lock)
- 7458214: deps(go)(deps): bump github.com/yuin/goldmark in the go-deps group (#8) (@dependabot[bot])
- a97303e: feat(sarif): add SARIF v2.1.0 output for GitHub Code Scanning (#9) (@skil-lock)
v0.1.0
Changelog
- 4162b18: docs(launch-prep): SPEC.md + JSON Schema + NOTICE + README hero rewrite (@skil-lock)
- d755c4d: docs(readme): fix install snippet — use explicit version + go install (@skil-lock)
- f6f9769: dogfood: skil-lock pins its own .claude/skills/ (@skil-lock)
- 5461029: fix(parser): make version field optional in SKILL.md frontmatter (@skil-lock)
v0.1.0-rc1
Changelog
- 5231569: Initial commit (skil-lock 284403476+skil-lock@users.noreply.github.com)
- f57f6de: build: GoReleaser config + release workflow for v0.1.x (skil-lock 284403476+skil-lock@users.noreply.github.com)
- a81d6f2: chore(deps): cut dependabot noise (skil-lock 284403476+skil-lock@users.noreply.github.com)
- b03d9fa: deps(actions)(deps): bump actions/checkout from 4 to 6 (#2) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- be0563a: deps(actions)(deps): bump actions/setup-go from 5 to 6 (#6) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- 7dd9c9d: deps(actions)(deps): bump actions/upload-artifact from 4 to 7 (#5) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- 493e6bb: deps(actions)(deps): bump github/codeql-action from 3 to 4 (#4) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- 3d9fff4: deps(actions)(deps): bump golangci/golangci-lint-action from 6 to 9 (#3) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- 4b45de6: deps(go)(deps): bump github.com/spf13/cobra from 1.8.1 to 1.10.2 in the go-deps group (#7) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
- a1f44fd: feat(t1.1): go module scaffold + cobra CLI skeleton (skil-lock 284403476+skil-lock@users.noreply.github.com)
- a9dcd14: feat(t1.10): skil-lock lock subcommand (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 8601ebf: feat(t1.11): skil-lock init --baseline subcommand (skil-lock 284403476+skil-lock@users.noreply.github.com)
- deb8440: feat(t1.12): skil-lock list subcommand (skil-lock 284403476+skil-lock@users.noreply.github.com)
- a27c93f: feat(t1.13): skil-lock diff subcommand + diff engine (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 95a535c: feat(t1.14): end-to-end CLI fixtures + truncate generated_at to seconds (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 0bcba84: feat(t1.2): model package — runtime-agnostic domain types (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 17c6297: feat(t1.3): lockfile package — canonical yaml v0.1 round-trip (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 58d8543: feat(t1.4): claude code SKILL.md parser (skil-lock 284403476+skil-lock@users.noreply.github.com)
- d677092: feat(t1.5): codex parser adapter (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 020e0f1: feat(t1.6): shell-exec detector (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 0519a6a: feat(t1.7): network URL detector (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 7cdb3d4: feat(t1.8): protected-path detector (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 49be2ac: feat(t1.9): skil-lock scan subcommand + scan orchestrator (skil-lock 284403476+skil-lock@users.noreply.github.com)
- d6bf652: feat(t2.1): skil-lock ci subcommand + policy.Apply severity lift (skil-lock 284403476+skil-lock@users.noreply.github.com)
- d255c2b: feat(t2.2): PR-comment renderer — Reason column + copy-paste approvals snippet (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 0b3d975: feat(t2.4): .skil-lock.yaml schema + loader (skil-lock 284403476+skil-lock@users.noreply.github.com)
- 8d8602a: feat(t2.5): .skil-lock-approvals.yaml consumer + ci wiring (skil-lock 284403476+skil-lock@users.noreply.github.com)
- bfa862f: fix(ci): bash shell on windows + skip codeql while repo is private (skil-lock 284403476+skil-lock@users.noreply.github.com)