Releases: sbom-tool/gh-guard
Releases · sbom-tool/gh-guard
Release list
v0.2.0
GH-Guard v0.2.0
Major update: updated SHA pins, 5 new skills, /verify command, security hardening, and test infrastructure.
Highlights
- Updated all GitHub Action SHA pins — 4 outdated actions brought current across all 5 workflow templates
- New
/verifycommand — post-generation validation of syntax, SHA pins, and cross-file consistency - 5 new skills — hardening-detection, cargo-vet, security-findings, binary-releases, changelog
- Security fixes — added missing
persist-credentials: false, concurrency group on publish workflow, fixed version label mismatch - Test infrastructure —
validate-templates.shwith 15 passing tests + fixture project release.sh --dry-run— validate all pre-flight checks without executing
SHA Pin Updates
| Action | Old | New |
|---|---|---|
github/codeql-action |
89a39a4... (stale v4) |
0d579ff... (v4.32.6) |
actions/upload-artifact |
b7c566a... (v6.0.0) |
bbbca2d... (v7.0.0) |
actions/download-artifact |
fa0a91b... (stale v4) |
d3f86a1... (v4 latest) |
rust-lang/crates-io-auth-action |
c2f7455... (stale v1) |
b7e9a28... (v1.0.3) |
cargo-audit |
0.21.2 | 0.22.1 |
New Skills
| Skill | Purpose |
|---|---|
| hardening-detection | Single source of truth for level detection (extracted from audit/harden/migration-guide) |
| cargo-vet | Supply chain audits — human review attestation for third-party crates |
| security-findings | SARIF triage workflow for CodeQL, Scorecard, cargo-deny findings |
| binary-releases | Cross-platform binary distribution via cargo-dist, cross, or manual CI matrix |
| changelog | Automated changelog generation with git-cliff and conventional commits |
Security Fixes
- Added
persist-credentials: falsetocodeql.ymlcheckout step - Added
concurrencygroup topublish.yml(prevents parallel publishes) - Fixed
codeql-action/upload-sarifversion comment (# v3→# v4) - Added explicit
open-pull-requests-limitto github-actions dependabot entry - Updated stale SHA in
trusted-publishingskill documentation - Fixed overly broad permissions in
binary-releasesskill example - Added plugin's own
SECURITY.mdand.gitignore
Other Improvements
- Machine-readable
versions.jsonalongsideVERSIONS.md cargo metadatapreferred oversedfor placeholder detection in/generate- OIDC-beyond-crates.io section added to trusted-publishing skill (AWS/GCP/Azure)
- Monorepo scope note added to workspace-publishing skill
- Renovate recognized as alternative to Dependabot
- OSS-Fuzz recognized as alternative to local fuzz workflow
- Versioning policy documented in
CLAUDE.md - Example
/auditoutput inexamples/audit-output.md - Banner image added to README
Stats
- 5 commands (audit, harden, generate, check-updates, verify)
- 14 skills (9 existing + 5 new)
- 11 templates with all SHA pins verified 2026-03-10
- 15 validation tests passing