fix(release): resolve metadata review comments

2026-06-23 02:11:22 +03:00 · 2026-06-23 00:24:51 +03:00
parent 6d155d747b
commit bd6403073e
4 changed files with 10 additions and 4 deletions
@@ -833,7 +833,6 @@ jobs:
      actions: read
      contents: read
      issues: write
-      pull-requests: write
    steps:
      - name: Download SkillSpector reports
        continue-on-error: true
@@ -250,10 +250,17 @@ assert.match(

 assert.match(
  workflow,
-  /comment-skillspector-report:[\s\S]*needs: release[\s\S]*issues: write[\s\S]*pull-requests: write[\s\S]*actions\/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8\.0\.1/,
+  /comment-skillspector-report:[\s\S]*needs: release[\s\S]*issues: write[\s\S]*actions\/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8\.0\.1/,
  'Skill release workflow must download generated SkillSpector reports in a separate PR comment job with comment permissions',
 );

+const commentJob = workflow.match(/[ ]{2}comment-skillspector-report:[\s\S]*?\n[ ]{2}[a-z][^:\n]*:/)?.[0] || "";
+assert.doesNotMatch(
+  commentJob,
+  /pull-requests: write/,
+  'SkillSpector PR comment publishing should not request redundant pull-requests write permissions',
+);
+
 assert.match(
  workflow,
  /comment-skillspector-report:[\s\S]*if: always\(\) && github\.event_name == 'pull_request' && needs\.release\.result != 'cancelled'[\s\S]*Download SkillSpector reports[\s\S]*continue-on-error: true/,
@@ -62,7 +62,7 @@ try {
  const hermesResult = runTrustPacket(
    "skills/hermes-attestation-guardian",
    hermesOutputDir,
-    "hermes-attestation-guardian-v0.1.4",
+    "hermes-attestation-guardian-v0.1.5",
  );
  assert.equal(
    hermesResult.status,
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail

 SKILL_NAME="hermes-attestation-guardian"
-VERSION="0.1.4"
+VERSION="0.1.5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"