From bd6403073e4148ecf4039afc5a23e2006e4575c7 Mon Sep 17 00:00:00 2001
From: David Abutbul
Date: Tue, 23 Jun 2026 00:24:51 +0300
Subject: [PATCH] fix(release): resolve metadata review comments
---
 .github/workflows/skill-release.yml | 1 -
 scripts/test-skill-release-workflow.mjs | 9 ++++++++-
 scripts/test-skill-trust-packet.mjs | 2 +-
 skills/hermes-attestation-guardian/SKILL.md | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/skill-release.yml b/.github/workflows/skill-release.yml
index 03518ed..c12d9cf 100644
--- a/.github/workflows/skill-release.yml
+++ b/.github/workflows/skill-release.yml
@@ -833,7 +833,6 @@ jobs:
 actions: read
 contents: read
 issues: write
- pull-requests: write
 steps:
 - name: Download SkillSpector reports
 continue-on-error: true
diff --git a/scripts/test-skill-release-workflow.mjs b/scripts/test-skill-release-workflow.mjs
index 3dcdc76..2d076ec 100644
--- a/scripts/test-skill-release-workflow.mjs
+++ b/scripts/test-skill-release-workflow.mjs
@@ -250,10 +250,17 @@ assert.match(
 assert.match(
 workflow,
- /comment-skillspector-report:[\s\S]*needs: release[\s\S]*issues: write[\s\S]*pull-requests: write[\s\S]*actions\/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8\.0\.1/,
+ /comment-skillspector-report:[\s\S]*needs: release[\s\S]*issues: write[\s\S]*actions\/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8\.0\.1/,
 'Skill release workflow must download generated SkillSpector reports in a separate PR comment job with comment permissions',
 );
+const commentJob = workflow.match(/[ ]{2}comment-skillspector-report:[\s\S]*?\n[ ]{2}[a-z][^:\n]*:/)?.[0] || "";
+assert.doesNotMatch(
+ commentJob,
+ /pull-requests: write/,
+ 'SkillSpector PR comment publishing should not request redundant pull-requests write permissions',
+);
+
 assert.match(
 workflow,
 /comment-skillspector-report:[\s\S]*if: always\(\) && github\.event_name == 'pull_request' && needs\.release\.result != 'cancelled'[\s\S]*Download SkillSpector reports[\s\S]*continue-on-error: true/,
diff --git a/scripts/test-skill-trust-packet.mjs b/scripts/test-skill-trust-packet.mjs
index db93750..655975c 100644
--- a/scripts/test-skill-trust-packet.mjs
+++ b/scripts/test-skill-trust-packet.mjs
@@ -62,7 +62,7 @@ try {
 const hermesResult = runTrustPacket(
 "skills/hermes-attestation-guardian",
 hermesOutputDir,
- "hermes-attestation-guardian-v0.1.4",
+ "hermes-attestation-guardian-v0.1.5",
 );
 assert.equal(
 hermesResult.status,
diff --git a/skills/hermes-attestation-guardian/SKILL.md b/skills/hermes-attestation-guardian/SKILL.md
index bf7a940..315b09c 100644
--- a/skills/hermes-attestation-guardian/SKILL.md
+++ b/skills/hermes-attestation-guardian/SKILL.md
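Review bot: In scripts/test-skill-release-workflow.mjs, the added `commentJob` extraction falls back to `""` when its regex finds nothing, and `assert.doesNotMatch("", /pull-requests: write/)` then passes vacuously. The pattern needs a following two-space-indented key, so the least-privilege guard silently stops checking if the job is renamed, re-indented, or becomes the last job in the workflow. Fail closed by asserting the block was found before inspecting it: `assert.ok(commentJob, 'comment-skillspector-report job block not found in workflow');`. Separately, the modified `assert.match` above it still runs a greedy `[\s\S]*` over the whole `workflow`, so its `issues: write` can be satisfied by any later job. Matching it against `commentJob` would scope it to the job it describes, assuming the download-artifact step falls inside the extracted block.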
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 SKILL_NAME="hermes-attestation-guardian"
-VERSION="0.1.4"
+VERSION="0.1.5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"