dotnet-gha-publish

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). Yes — the workflow declares and runs external GitHub Actions (e.g., actions/setup-dotnet@v4, docker/build-push-action@v6, sigstore/cosign-installer@v3) which are fetched at runtime and execute remote code on the runner and are required by the skill.