dotnet-gha-publish
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected in the skill instructions or workflow templates.
- [EXTERNAL_DOWNLOADS]: The skill references official GitHub Actions from trusted organizations including 'actions' (GitHub), 'docker', 'microsoft', and 'sigstore'. It also utilizes well-known community tools such as 'anchore/sbom-action' and 'softprops/action-gh-release' for standard CI/CD functionality.
- [CREDENTIALS_UNSAFE]: The workflow templates demonstrate best practices for credential management by using GitHub Secrets placeholders (e.g., '${{ secrets.NUGET_API_KEY }}', '${{ secrets.GITHUB_TOKEN }}') rather than hardcoding sensitive information.
- [COMMAND_EXECUTION]: The shell commands are limited to standard build, packaging, and signing operations. The skill explicitly guides users to implement safety measures such as 'set -euo pipefail' to ensure script failures are caught and recommends cleaning up temporary sensitive files (like signing certificates) using 'if: always()' blocks.
Audit Metadata