David Abutbul f76824bdb6 ci(skills): pin clawhub CLI by hash via committed lockfile ...

Scorecard flags the skill-release workflow's npm install of the clawhub
CLI (code-scanning alerts #25/#26): version pinning alone carries no
integrity guarantee. Install it with npm ci from a committed
package-lock.json instead, so every package (clawhub + 35 transitive
deps) is verified against its sha512 hash at install time.

The publish-payload patch step now resolves the module from the local
node_modules instead of npm root -g.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-11 14:39:56 +03:00

..

archive-traffic.yml

fix(traffic): require a traffic-capable PAT for the archive workflow (#265)

2026-06-11 08:25:56 +03:00

ci.yml

ci(skills): publish release trust packets + expand skill installer awareness (vercel) (#262)

2026-06-10 13:22:22 +03:00

codeql.yml

chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (#245)

2026-05-27 14:39:47 +03:00

community-advisory.yml

chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#181)

2026-05-11 10:43:12 +03:00

deploy-pages.yml

feat(advisories): add provisional GHSA feed (#242)

2026-05-24 21:41:59 +03:00

i18n-qa.yml

feat(i18n): add multilingual wiki scaffolding, language switcher, and… (#212)

2026-04-29 09:00:31 +03:00

pages-verify.yml

feat(advisories): add provisional GHSA feed (#242)

2026-05-24 21:41:59 +03:00

poll-ghsa-without-cve.yml

feat(advisories): add provisional GHSA feed (#242)

2026-05-24 21:41:59 +03:00

poll-nvd-cves.yml

fix(workflow): filter dispatched codeql runs with jq (#260)

2026-06-10 11:23:30 +03:00

scorecard.yml

chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (#245)

2026-05-27 14:39:47 +03:00

skill-release.yml

ci(skills): pin clawhub CLI by hash via committed lockfile

2026-06-11 14:39:56 +03:00

wiki-sync.yml

Codex/wiki sync revert working (#79)

2026-02-26 00:37:50 +02:00