Add HOL skill-publish validate workflow (schema + safety + trust signals)#314
internet-dot wants to merge 1 commit into getsentry:main from
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 78e4fc7.
| - name: Validate skill package | ||
| uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1 | ||
| with: | ||
| skill-dir: . |
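Review bot: the `skill-dir: .` input is the wrong directory for this step; the review comment above notes that SKILL.md lives under skills/xcodebuildmcp/ and skills/xcodebuildmcp-cli/, so `.` should be replaced by the directory that actually holds the skill files (or the step run once per skill directory). The `uses:` line is pinned to a full commit SHA, which is the right practice for a third-party action, but the trailing `# v1` is only a comment that Actions never verifies: confirm with `git ls-remote` that c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e is the commit the v1 tag points at before relying on that annotation, and expect to repeat that check whenever the pin is bumped.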
Wrong skill-dir points to root, missing skill files
High Severity
The skill-dir is set to . (repo root), but the repository has no SKILL.md or skill.json at the root. The actual SKILL.md files live under skills/xcodebuildmcp/ and skills/xcodebuildmcp-cli/. Additionally, there is no skill.json file anywhere in the repository, which the skill-publish action requires alongside SKILL.md for validation. This workflow will always fail.
| uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1 | ||
| with: | ||
| skill-dir: . |
Bug: The new workflow hol-skill-validate.yml introduces an unnecessary and out-of-context third-party action, hashgraph-online/skill-publish, which poses a supply chain security risk.
Severity: HIGH
Suggested Fix
The new workflow file .github/workflows/hol-skill-validate.yml should be removed entirely. The introduced third-party action is not relevant to this project and introduces an unnecessary security risk to the CI/CD pipeline.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/hol-skill-validate.yml#L14-L16
Potential issue: The pull request adds a GitHub Actions workflow that executes `hashgraph-online/skill-publish`, an action for a blockchain skill registry. This action is entirely unrelated to the project's purpose as an Xcode build tool. The workflow is configured to run on every push and pull request, passing repository contents to this external service. This introduces an unnecessary dependency and a potential supply chain security vulnerability, as the external action runs in a trusted CI environment with access to repository data. The change is submitted by an unknown external contributor and lacks any justification within the project's context.
getsentry/XcodeBuildMCP — MCP server and CLI for iOS and macOS projects
This PR adds a GitHub Actions workflow that runs the skill-publish action in validate mode.
What it does
After merge
The workflow runs on push to main/master and pull requests. Results show schema validity, trust signals, and safety score.
To publish to the registry later, you will need an RB_API_KEY and credits.
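A pre-flight check for the two findings raised in the review comments above (an unpinned or wrongly pointed third-party action step, and a `skill-dir` that holds no SKILL.md), written here as an added example; it is not code from the PR, from Cursor Bugbot, or from the XcodeBuildMCP project. It assumes a POSIX shell with sed and grep, unquoted `uses:` and `skill-dir:` values like the PR's, and a constructed sample repository whose SKILL.md lives under skills/demo/; the 40-hex value used to pin the checkout step in the corrected copy is a placeholder, not a real actions/checkout commit.

```shell
#!/bin/sh
# Added example, not code from the PR or from XcodeBuildMCP: pre-flight checks
# a reviewer can run against a workflow that hands repository contents to a
# third-party action. They make the two review findings mechanical:
#   1. every `uses:` reference must be pinned to a full 40-hex commit SHA;
#   2. the path given as `skill-dir:` must actually contain a SKILL.md.
# The sample repository layout, workflow text and placeholder SHA below are
# constructed for this example. Unquoted YAML scalar values are assumed.

# check_sha_pins WORKFLOW
# Returns 0 when every `uses:` reference is pinned to a 40-hex commit SHA
# (local `./path` actions are skipped), 1 otherwise, listing offenders on stderr.
check_sha_pins() {
  wf="$1"
  unpinned=$(sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$wf" \
    | sed -E 's/[[:space:]]*#.*$//' \
    | grep -v '^\./' \
    | grep -vE '@[0-9a-f]{40}$' || true)
  if [ -n "$unpinned" ]; then
    printf 'unpinned action reference(s):\n%s\n' "$unpinned" >&2
    return 1
  fi
  return 0
}

# check_skill_dir WORKFLOW REPO_ROOT
# Returns 0 when the first `skill-dir:` input names a directory under REPO_ROOT
# that holds a SKILL.md, 1 otherwise.
check_skill_dir() {
  wf="$1"; root="$2"
  dir=$(sed -nE 's/^[[:space:]]*skill-dir:[[:space:]]*//p' "$wf" | head -n 1)
  if [ -z "$dir" ]; then
    echo "no skill-dir input found in $wf" >&2
    return 1
  fi
  if [ ! -f "$root/$dir/SKILL.md" ]; then
    echo "skill-dir '$dir' has no SKILL.md under $root" >&2
    return 1
  fi
  return 0
}

# make_sample
# Builds a constructed repository in a temp dir: SKILL.md lives under
# skills/demo/, but the workflow (modelled on the PR's step) points skill-dir
# at the root and also has a tag-pinned checkout step. Prints the repo path.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/.github/workflows" "$root/skills/demo"
  printf '# demo skill\n' > "$root/skills/demo/SKILL.md"
  cat > "$root/.github/workflows/hol-skill-validate.yml" <<'EOF'
name: HOL skill validate
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate skill package
        uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1
        with:
          skill-dir: .
EOF
  echo "$root"
}

# fix_sample REPO_ROOT
# Writes a corrected copy of the workflow: skill-dir points at skills/demo and
# the checkout step is pinned to a placeholder 40-hex SHA (constructed for the
# example, not a real actions/checkout commit). Prints the corrected file's path.
fix_sample() {
  root="$1"
  sed -E -e 's|skill-dir: \.$|skill-dir: skills/demo|' \
         -e 's|actions/checkout@v4|actions/checkout@0123456789abcdef0123456789abcdef01234567|' \
    "$root/.github/workflows/hol-skill-validate.yml" > "$root/fixed.yml"
  echo "$root/fixed.yml"
}

# run_demo
# Exercises both checks: the PR-style workflow must fail both, the corrected
# copy must pass both. Returns 0 when the checks behave as expected.
run_demo() {
  root=$(make_sample)
  wf="$root/.github/workflows/hol-skill-validate.yml"
  check_sha_pins "$wf" 2>/dev/null && { echo "expected unpinned ref to be flagged"; return 1; }
  check_skill_dir "$wf" "$root" 2>/dev/null && { echo "expected skill-dir . to be flagged"; return 1; }
  fixed=$(fix_sample "$root")
  check_sha_pins "$fixed" || return 1
  check_skill_dir "$fixed" "$root" || return 1
  rm -rf "$root"
  echo "ok: corrected workflow passes both checks"
  return 0
}

run_demo
```

Running the file shows the PR-shaped workflow failing both checks and the corrected copy passing them; in a real repository, point `check_sha_pins` and `check_skill_dir` at each file under .github/workflows and at the repository root. The SHA check deliberately ignores the `# v1` comment, since Actions resolves only the part after `@`.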