release-workflow

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several local scripts (scripts/build-zips.sh, scripts/release-monorepo.sh, scripts/update-readme.py, scripts/generate-release-notes.py) to manage the release lifecycle. These scripts perform Git operations (tagging, pushing), use the GitHub CLI (gh) for release management, and utilize standard utilities like zip and tar. The commands are well-documented and strictly aligned with the skill's purpose of release automation.
  • [EXTERNAL_DOWNLOADS]: The Python script scripts/update-readme.py interacts with the official GitHub API (api.github.com) to retrieve release asset information. This is a legitimate operation for a release management tool and uses the well-known GitHub service for metadata retrieval.
  • [PROMPT_INJECTION]: The skill includes strong instructional constraints (e.g., '打 tag 前强制自检 (AI 不得跳过)'
  • Mandatory self-check before tagging, AI must not skip). These are safety-oriented instructions designed to prevent user errors, such as wasting CI resources or releasing unstable builds, and do not represent adversarial behavior.
  • [DATA_EXPOSURE]: The workflow documentation (references/ci-troubleshooting.md, references/tauri-release.md) discusses the management of build secrets like TAURI_SIGNING_PRIVATE_KEY. The skill provides best practices for setting these secrets securely using gh secret set and explicitly warns against practices that could leak credentials in CI logs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 04:03 PM
Security Audit — agent-trust-hub — release-workflow