Skip to content

Releases: sbom-tool/gh-guard

Release list

v0.2.0

Choose a tag to compare

@matrosov matrosov released this 10 Mar 18:01

GH-Guard v0.2.0

Major update: updated SHA pins, 5 new skills, /verify command, security hardening, and test infrastructure.

Highlights

  • Updated all GitHub Action SHA pins — 4 outdated actions brought current across all 5 workflow templates
  • New /verify command — post-generation validation of syntax, SHA pins, and cross-file consistency
  • 5 new skills — hardening-detection, cargo-vet, security-findings, binary-releases, changelog
  • Security fixes — added missing persist-credentials: false, concurrency group on publish workflow, fixed version label mismatch
  • Test infrastructurevalidate-templates.sh with 15 passing tests + fixture project
  • release.sh --dry-run — validate all pre-flight checks without executing

SHA Pin Updates

Action Old New
github/codeql-action 89a39a4... (stale v4) 0d579ff... (v4.32.6)
actions/upload-artifact b7c566a... (v6.0.0) bbbca2d... (v7.0.0)
actions/download-artifact fa0a91b... (stale v4) d3f86a1... (v4 latest)
rust-lang/crates-io-auth-action c2f7455... (stale v1) b7e9a28... (v1.0.3)
cargo-audit 0.21.2 0.22.1

New Skills

Skill Purpose
hardening-detection Single source of truth for level detection (extracted from audit/harden/migration-guide)
cargo-vet Supply chain audits — human review attestation for third-party crates
security-findings SARIF triage workflow for CodeQL, Scorecard, cargo-deny findings
binary-releases Cross-platform binary distribution via cargo-dist, cross, or manual CI matrix
changelog Automated changelog generation with git-cliff and conventional commits

Security Fixes

  • Added persist-credentials: false to codeql.yml checkout step
  • Added concurrency group to publish.yml (prevents parallel publishes)
  • Fixed codeql-action/upload-sarif version comment (# v3# v4)
  • Added explicit open-pull-requests-limit to github-actions dependabot entry
  • Updated stale SHA in trusted-publishing skill documentation
  • Fixed overly broad permissions in binary-releases skill example
  • Added plugin's own SECURITY.md and .gitignore

Other Improvements

  • Machine-readable versions.json alongside VERSIONS.md
  • cargo metadata preferred over sed for placeholder detection in /generate
  • OIDC-beyond-crates.io section added to trusted-publishing skill (AWS/GCP/Azure)
  • Monorepo scope note added to workspace-publishing skill
  • Renovate recognized as alternative to Dependabot
  • OSS-Fuzz recognized as alternative to local fuzz workflow
  • Versioning policy documented in CLAUDE.md
  • Example /audit output in examples/audit-output.md
  • Banner image added to README

Stats

  • 5 commands (audit, harden, generate, check-updates, verify)
  • 14 skills (9 existing + 5 new)
  • 11 templates with all SHA pins verified 2026-03-10
  • 15 validation tests passing