dotnet-cli-release-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Full Analysis
- [CREDENTIALS_UNSAFE]: The workflow examples properly utilize GitHub Actions Secrets (e.g.,
NUGET_API_KEY,TAP_GITHUB_TOKEN) to handle sensitive authentication tokens, avoiding hardcoded credentials. - [EXTERNAL_DOWNLOADS]: The skill references several official and well-known GitHub Actions, including
actions/checkout,actions/setup-dotnet, andsoftprops/action-gh-release, to manage the build and release lifecycle. These are standard tools from trusted or well-known sources. - [PROMPT_INJECTION]: The workflow mitigates risks associated with indirect injection from system-provided variables (like
GITHUB_REF_NAME) by implementing a restrictive regex filter on the tag trigger (v[0-9]+.[0-9]+.[0-9]+*), ensuring only valid version tags initiate the release process. - [REMOTE_CODE_EXECUTION]: The skill incorporates community actions for release distribution (Homebrew, winget). The documentation explicitly advises users to pin these third-party actions to a specific commit SHA for production environments to enhance supply-chain security and prevent execution of untrusted code updates.
Audit Metadata