Releases: skills-lock/skil-lock-action
Release list
v0.2.1
v0.2.1
- New input:
verify-signature— when enabled, the Action cosign-verifieschecksums.txtagainst the release workflow's OIDC identity before trusting any downloaded binary (keyless, no key management). Requires apin-binaryof v0.2.0 or later; warns and falls back to checksum-only verification otherwise. - Installs cosign via SHA-pinned
sigstore/cosign-installer(GitHub runners no longer ship cosign). - Docs: usage examples bumped to
pin-binary: v0.2.1.
Full CLI changes in skil-lock v0.2.1.
v0.2.0
v0.2.0 — integrity hardening
Pairs with skil-lock CLI v0.2.0. Closes an integrity gap surfaced by an external security review: a bundled script's body could previously be rewritten without moving the lockfile.
What's new (CLI v0.2.0)
- Per-bundled-script content digests — a rewritten script body (e.g.
scripts/extract.sh) now produces a blocking diff instead of slipping past an unchangedcontent_hash. Approvals are bound to the new digest, so a stale approval can't be replayed. - Signed releases — cosign keyless signatures + SLSA build provenance + SBOMs (verify with
cosign verify-blob; see SECURITY.md). - Documented detection boundary — the README states exactly what is and isn't gated.
- Hardening: symlinked/irregular bundle files no longer abort a scan; CI blocks when a skill fails to parse.
Action usage
- uses: skills-lock/skil-lock-action@v0.2.0
with:
pin-binary: v0.2.0
sarif: true # optional; requires security-events: writeNo breaking changes to Action inputs.
v0.1.2
v0.1.2 — PR comment now renders cleanly
Bug-fix release. The Action's PR-comment step now posts the actual capability-delta markdown body instead of a literal file path. SARIF upload (the v0.1.1 feature) is unchanged and was verified live on a real PR (skills-lock/example-claude-code-skills#1).
Upgrade
- uses: skills-lock/skil-lock-action@v0.1.2
with:
pin-binary: v0.1.1
sarif: true # optional; requires security-events: writepin-binary stays at v0.1.1 — the CLI binary itself did not change. Workflows currently using @v0.1.0 or @v0.1.1 should bump to @v0.1.2.
Notes
- No breaking changes.
- No new inputs.
Details (for the curious)
The PR-comment upsert step was passing gh api -f body=@$BODY, relying on a curl-style file-reference syntax that gh CLI does not implement. As a result, comments posted by v0.1.0 and v0.1.1 contained the literal string @/home/runner/work/_temp/skil-lock-pr-comment.md instead of the markdown body.
Fix: the body file is round-tripped through jq -Rs '{body: .}' and piped to gh api --input -. jq is preinstalled on the only platforms the composite supports.
Test coverage for the PR-comment path is tracked at #3.
Changes
- #2 — fix: PR comment body posted as literal '@/path' instead of file contents
v0.1.1
Adds: optional sarif: true input. When enabled, runs skil-lock ci --format sarif and uploads the report to GitHub Code Scanning so capability deltas appear inline in the PR diff and in the repo's Security tab.
Requires the calling workflow to grant security-events: write permission.
Pairs with skills-lock/skil-lock@v0.1.1.
- uses: skills-lock/skil-lock-action@v0.1.1
with:
pin-binary: v0.1.1
sarif: trueSee README for full inputs and the SkilLock CI Marketplace listing.
v0.1.0 - first public release
First public release. Composite GitHub Action wrapping the skil-lock CLI.
What it does
On every pull request, this Action:
- Downloads a pinned
skil-lockrelease binary and verifies its SHA-256 againstchecksums.txt. - Runs
skil-lock ciagainst the repo's committedskills.lockand.skil-lock.yaml. - Posts (or updates) a single PR comment showing every capability delta — new shell commands, new URLs, new file paths.
- Fails the check when policy is
mode: blockand any delta is at severity ≥ medium.
Quick start
name: SkilLock
on: pull_request
permissions:
contents: read
pull-requests: write
jobs:
skil-lock:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: skills-lock/skil-lock-action@v0.1.0
with:
pin-binary: v0.1.0Inputs
| Input | Required | Default | Description |
|---|---|---|---|
pin-binary |
yes | — | skil-lock release tag (e.g. v0.1.0). No floating refs. |
comment |
no | true |
Post or update a PR comment with the capability diff. |
path |
no | . |
Repository root containing .claude/skills/ or .codex/skills/. |
Worked example
See skills-lock/example-claude-code-skills for a runnable demo, including an example/drift branch that shows what SkilLock catches when a skill grows risky behavior.
Related
- skills-lock/skil-lock — the CLI and
skills.lockfile format skills.lockv0.1 specification
License
Apache 2.0. Not affiliated with Skil power tools, Anthropic, or OpenAI.