dotnet-cli-release-pipeline
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]

This is a legitimate, coherent GitHub Actions release workflow for .NET CLI tools. No direct malicious code or data-exfiltration behavior is present in the provided text.

The main security concerns are supply-chain oriented: inconsistent pinning of third-party actions (one example uses @main), and the necessary use of high-privilege repository PATs for publishing and updating package manifests. Those patterns increase supply-chain risk but are common in CI pipelines.

Recommend pinning all third-party actions to explicit commit SHAs or tags, using least-privilege scoped tokens, and auditing any third-party action repositories used in the workflow before granting them access.