dotnet-gha-publish

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references several official GitHub Actions from trusted organizations including Microsoft (microsoft/sbom-action), Docker (docker/login-action, docker/build-push-action), and GitHub (actions/checkout, actions/setup-dotnet). It also uses the official Sigstore installer for container signing.
  • [COMMAND_EXECUTION]: Uses standard .NET CLI commands (dotnet pack, dotnet nuget push, dotnet publish) and the docker CLI for artifact management. All shell steps use 'set -euo pipefail' so that a failing command aborts the step instead of being silently ignored.
  • [CREDENTIALS_UNSAFE]: Reads credentials from GitHub Actions secrets (${{ secrets.NUGET_API_KEY }}, ${{ secrets.GITHUB_TOKEN }}, etc.) rather than hardcoding them in the workflow.
  • [DATA_EXFILTRATION]: Network operations are limited to well-known package and container registries (nuget.org, ghcr.io, DockerHub, Azure Container Registry).
  • [SAFE]: Includes explicit security best practices such as mandatory cleanup of temporary signing certificates (rm -f) in an 'always()' step, so that signing material does not persist on CI runners even when an earlier step fails.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 09:30 PM