Skip to content

Add HOL skill-publish validate workflow (schema + safety + trust signals) #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
internet-dot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add HOL skill-publish validate workflow (schema + safety + trust signals) #314

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .github/workflows/hol-skill-validate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
name: HOL Skill Validate
on:
push:
branches: [main, master]
pull_request:
jobs:
validate-skill:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Validate skill package
uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1
with:
skill-dir: .
Copy link
Copy Markdown
Contributor

@cursor cursor bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrong skill-dir points to root, missing skill files

High Severity

The skill-dir is set to . (repo root), but the repository has no SKILL.md or skill.json at the root. The actual SKILL.md files live under skills/xcodebuildmcp/ and skills/xcodebuildmcp-cli/. Additionally, there is no skill.json file anywhere in the repository, which the skill-publish action requires alongside SKILL.md for validation. This workflow will always fail.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 78e4fc7. Configure here.

Comment on lines +14 to +16
Copy link
Copy Markdown

@sentry sentry bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The new workflow hol-skill-validate.yml introduces an unnecessary and out-of-context third-party action, hashgraph-online/skill-publish, which poses a supply chain security risk.
Severity: HIGH

Suggested Fix

The new workflow file .github/workflows/hol-skill-validate.yml should be removed entirely. The introduced third-party action is not relevant to this project and introduces an unnecessary security risk to the CI/CD pipeline.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/hol-skill-validate.yml#L14-L16

Potential issue: The pull request adds a GitHub Actions workflow that executes
`hashgraph-online/skill-publish`, an action for a blockchain skill registry. This action
is entirely unrelated to the project's purpose as an Xcode build tool. The workflow is
configured to run on every push and pull request, passing repository contents to this
external service. This introduces an unnecessary dependency and a potential supply chain
security vulnerability, as the external action runs in a trusted CI environment with
access to repository data. The change is submitted by an unknown external contributor
and lacks any justification within the project's context.

Did we get this right? 👍 / 👎 to inform future reviews.