Releases: ob-aion/pruner
Release list
0.2.15
ci: 0.2.15 — pre-tag pin verifier + finding-positive fixture (#28)
* ci(release): pre-tag lockstep check in verify-action-pins.sh
Closes the 0.2.7 lockstep-skip bug class at the release-pipeline gate.
`scripts/verify-action-pins.sh` gains an opt-in check, activated when
`EXPECTED_RELEASE_TAG` is set in the script's environment. The check reads
`.github/workflows/scan.yml`, extracts the `uses: ob-aion/pruner@<X.Y.Z>`
literal, and exits 1 if `<X.Y.Z>` does not match the tag being cut. Local
runs without the env var keep the previous SHA-pin-only behaviour. Script
header documents the env-var contract and the updated exit-code set
(0 OK / 1 bad pin / 2 missing gh or scan.yml).
`.github/workflows/release.yml` reorders the steps so `Resolve tag` runs
before the renamed `Verify action SHA pins and scan.yml lockstep` step,
which receives the tag via `EXPECTED_RELEASE_TAG`. No behavioural change
to the SHA-pin loop or any downstream release step.
The 0.2.7 bug class: four consecutive releases (0.2.3-0.2.6) shipped
`scan.yml` pinned to the previous composite because the documented bump
step was a manual hand-edit that fell through review. Consumers calling
`scan.yml@0.2.6` got the 0.2.2 composite internally and missed the Cisco
engine bump. The 0.2.13 attempt to retire the lockstep via a structural
self-checkout pattern was reverted at 0.2.14 (cross-repo `github.*`
context refers to the caller). With the manual lockstep restored, this
verifier is the principled defence — pre-tag, scriptable, idempotent.
* test(self-scan): finding-positive fixture + 0.2.15 release prep
Closes the 0.2.8 exit-code bug class — `pruner scan` exit 1 (findings
present, all below threshold) must thread through `coroboros-pack-run`
and the gate step without being masked as a workflow failure.
`examples/finding-positive-skill/` is a minimal skill that trips four
sub-critical Coroboros pack rules: FC001 (high, name fails kebab-case),
FC003 (medium, top-level `custom_field`), FC004 (low, `metadata.version`
present), FC005 (low, non-SPDX license). Zero critical by design.
Companion `EXPECTATIONS.md` documents the cross-walk and distinguishes
the fixture from `examples/vulnerable-skill/` (21 findings, 7 critical,
every finding allowlisted in `.pruner-ignore.yml`).
`.github/workflows/self-scan.yml` adds a `pruner-finding-positive` job
invoking the composite via `uses: ./` against the new fixture at
`fail-on: critical`. Green outcome asserts the exit-code propagation
contract. The pre-existing `pruner-self-scan` job scans `.` from repo
root with `.pruner-ignore.yml` applied — every Pruner-side fixture
finding sits in the allowlist, so `pruner scan` exited 0 and the 0.2.8
bug never surfaced on the maintainer side until the first consumer
integration on `coroboros/agent-skills`. Finding-positive findings are
intentionally not allowlisted; they surface in Code Scanning at
downgraded severities (template-example weight 0.25 drops high to low,
medium to info, etc.) but never gate the workflow.
`.github/workflows/scan.yml` synced to `ob-aion/pruner@0.2.15` per the
lockstep contract, now verified pre-tag by the verifier extension in
the previous commit.
`CHANGELOG.md` — v0.2.15 entry covering both changes.
Branch protection on `main` requires `pruner-self-scan` already;
promoting `pruner-finding-positive` to a required status check is a
one-line `gh api` follow-up after the first green run on `main`.
* docs(changelog): scrub v0.2.15 entry against Coroboros brand voice
Split four sentences that ran over the 25-word hard cap. Tighten lexicon
("CI additions" not "defensive CI additions"), drop "lived as", drop the
verbose parenthetical that nested another em-dash inside a clause. Bullet
for the new fixture restructured: four rule items as short sentences
instead of a single 40-word parenthetical chain. Bullet for the new
self-scan job restructured: ten short sentences replace four long ones.
No semantic change. Same five bullets, same surface area.
* refactor(self-scan): dual-path allowlist for the finding-positive fixture + docs
PR review on `#28` surfaced inline `github-advanced-security[bot]` comments on
`examples/finding-positive-skill/SKILL.md`. The pre-existing `pruner-self-scan`
job uploaded the four sub-critical findings to Code Scanning, the bot mirrored
each as a PR review comment, and the public PR ended up annotated with
intentional-fixture noise.
Fix exploits the wrapper's path-relative behaviour:
- `pruner-self-scan` runs with `target-path: .`. Finding paths land as
`examples/finding-positive-skill/SKILL.md` (repo-root-relative). The four
new entries in `.pruner-ignore.yml` are keyed on exactly that path and match,
so the findings filter out before SARIF upload. Security tab and PR review
surface stay clean.
- `pruner-finding-positive` runs with `target-path: examples/finding-positive-skill`.
The wrapper computes finding paths relative to `target-path`, so each one is
the bare string `SKILL.md`. Allowlist entries do not match, findings fire,
`pruner scan` exits 1, and the composite's `coroboros-pack-run` step has to
mask that exit for the workflow to pass — exactly the 0.2.8 propagation
contract this fixture exists to validate.
Same path-rooted asymmetry as the 14 `examples/vulnerable-skill/` entries
already in `.pruner-ignore.yml`, so the file stays internally consistent.
Documentation updates folded in alongside the fix.
- `examples/finding-positive-skill/EXPECTATIONS.md` gains a "Dual-path
allowlist behaviour" section with the truth table above. Distinct-from-
vulnerable-skill note tightened.
- `examples/finding-positive-skill/SKILL.md` body sentence split across the
brand-voice 25-word cap.
- `.github/workflows/self-scan.yml` comment block reworded — earlier
"zero `SKILL.md` files" was inaccurate; the real reason `pruner scan` exits
0 on the pre-existing job is that every Pruner-side fixture finding sits in
`.pruner-ignore.yml`.
- `docs/sha-pinning.md` gains a "Pre-tag lockstep check" section documenting
the `EXPECTED_RELEASE_TAG` env-var contract on `verify-action-pins.sh`.
- `docs/threat-model.md` self-scan bullet now names both jobs; release-
integrity bullet now mentions the verifier's two invariants (SHA-pin
validity + scan.yml lockstep).
- `CHANGELOG.md` v0.2.15 entry gains a fifth bullet describing the allowlist
additions.
0.2.14
Hotfix that reverts the 0.2.13 scan.yml structural fix. The new pattern parsed github.workflow_ref and github.workflow_sha to derive the Pruner repo + SHA, then actions/checkout'd that into .pruner-action and invoked the composite via uses: ./.pruner-action. The pattern passed Pruner's own PR-only test-scan-yml.yml validator because both context variables resolve to the workflow's hosting repo when the reusable workflow is called locally (uses: ./.github/workflows/scan.yml). It failed on the first real cross-repo consumer call (coroboros/agent-skills@scan.yml@0.2.13) because under remote invocation, the entire github.* context refers to the caller's workflow, not the called reusable workflow — WORKFLOW_REF=coroboros/agent-skills/.github/workflows/ci.yml@refs/pull/29/merge, FALLBACK_REPOSITORY=coroboros/agent-skills. The second checkout therefore cloned agent-skills (no action.yml) and uses: ./.pruner-action errored. GHA docs are explicit on this: "The github context, with the exception of github.token, references the calling workflow." No documented context exposes the called reusable workflow's own repo/ref/sha; expressions in uses: action refs are not supported (actions/runner#1493). The pattern is structurally unfixable. Scorecard documents the same chicken-and-egg in its RELEASE.md and lives with the manual two-step. Pruner does the same starting here.
.github/workflows/scan.ymlreverted.uses: ob-aion/pruner@0.2.14literal restored at the composite-invocation step. The lockstep contract codified in 0.2.7 is back; one line bumps every release..github/workflows/test-scan-yml.ymldeleted. It validated a same-repo-local-call against the broken cross-repo-remote-call pattern — false confidence.self-scan.ymlremains the load-bearing self-validation; it has the documented limitation of running against a target with zeroSKILL.mdfiles (the 0.2.8 blind spot).<VERSION>placeholders survive.README.md,docs/consumer-integration.md(three refs),templates/workflow-{minimal,full}.ymlkeep the placeholder + latest-release-URL pattern. That convention is independent of thescan.ymllockstep and was never the source of the cross-repo bug.
Net effect against the pre-0.2.13 baseline: per-release file bumps drop from seven to two (CHANGELOG.md plus scan.yml's one-line literal). Not the one-file shrink 0.2.13 promised, but a real five-file improvement. The post-mortem lesson: same-repo-local-call CI tests do not validate cross-repo behaviour of reusable workflows; a real consumer PR is the only honest validation surface.
0.2.13
Phase γ headline reposition plus a structural fix that retires the per-release manual version-pin bump. Pre-0.2.13, every release hand-edited seven files: one functional self-reference inside the reusable workflow plus six consumer-facing examples across README.md, docs/consumer-integration.md, and templates/. 0.2.7 codified the lockstep contract after a four-release skip bug. 0.2.11 codified the per-release example-pin sync. Both were workarounds for a manual process. Both retire here. Per-release file bumps shrink from seven to one. Phase β closed 2026-05-11 on coroboros/agent-skills 1.18.0 and 1.18.1, both pruner / pruner green. The README headline travels in link previews — load-bearing for Phase γ outreach on HackerNews, Lobste.rs, OpenSSF, and coroboros.com.
README.md— headline reposition. New bold opener:**Sigstore-signed attestations for AI agent skills.**Brand DNAVariants don't ship. Signal does.becomes the italic kicker. The urgency pitch follows:The agent-skills supply chain is the next attack surface. Pruner produces a portable, signed trust artefact that travels with every release tag.Replaces the prior tagline plus theCoroboros's attestation chain for agent skill repositories.description. The previous opener read well with context but underdelivered for a fresh reader.README.md—## Why nowmoved down. From first body section to between## What Pruner is notand## Quick start. The threat-surface paragraph reads as supporting context after the orientation arc (What Pruner is→Why a wrapper→Code inside skills→What Pruner is not). TOC reordered to match..github/workflows/scan.yml— self-checkout pattern eliminates the lockstep contract. Previous:uses: ob-aion/pruner@<X>hand-edited every release; a skipped bump shipped consumers the prior composite (the 0.2.7 bug class). New: aself-refstep parsesgithub.workflow_reffor the repository portion,actions/checkoutclones that repo atgithub.workflow_shainto.pruner-action, thenuses: ./.pruner-actioninvokes the composite. Version-coherent by construction — no literal version in the workflow file to skip. GHA does not support expressions inuses:action refs (actions/runner#1493, closed without implementation). The canonical workaround isuses: ./<path>after a path-aware checkout — same patternactions/checkoutuses to self-test.- Example pins switched to
<VERSION>placeholder.README.md,docs/consumer-integration.md(three refs), andtemplates/workflow-{minimal,full}.ymlno longer carry a literal tag. Each example points readers at https://github.com/ob-aion/pruner/releases/latest. Thelatestbadge at the top ofREADME.mdis the one-click reference. Retires the per-release example-pin sync from 0.2.11. - Added
.github/workflows/test-scan-yml.yml— PR-only validation ofscan.ymlend-to-end. Callsuses: ./.github/workflows/scan.ymlfrom the PR branch againstexamples/benign-skill.self-scan.ymlinvokesuses: ./directly and bypassesscan.yml— the blind spot that hid the 0.2.7 lockstep-skip bug for four releases. The new test job exercises the reusable workflow's structural pattern at PR time so any regression surfaces before merge.
0.2.12
Stylistic alignment of the Apache-2.0 appendix copyright line with the convention used across the public Coroboros workspace. The 0.2.11 release added the –End of Time signature but kept the bare Copyright 2026–End of Time Coroboros form; the rest of the workspace (coroboros/archivist, coroboros/agent-skills) carries (c) per the standard MIT template. This release brings Pruner into line. Apache-2.0 operative terms remain untouched.
LICENSE— appendix copyright line:Copyright 2026–End of Time Coroboros→Copyright (c) 2026–End of Time Coroboros. Single-character-class addition at line 190 inside the customaryAPPENDIX: How to apply the Apache License to your work.block. SPDX classification staysApache-2.0; downstream license scanners read the boilerplate, not the appendix string..github/workflows/scan.yml— synced toob-aion/pruner@0.2.12per the lockstep contract.- Consumer-facing example pins bumped to
@0.2.12.README.md:94,docs/consumer-integration.md(three occurrences),templates/workflow-minimal.yml:15,templates/workflow-full.yml:18. Per the example-pin-moves-every-release convention established in 0.2.11.
0.2.11
Copyright-line alignment across the Coroboros workspace. The Pruner LICENSE carried the standard Apache-2.0 appendix copyright Copyright 2026 Coroboros, missing the –End of Time signature already in place on coroboros/archivist and coroboros/agent-skills. This release adds the signature to the appendix only. Apache-2.0 operative terms (sections 1–9, lines 1–177) are untouched. SPDX classification stays Apache-2.0 and downstream license scanners read the same boilerplate.
LICENSE— appendix copyright line:Copyright 2026 Coroboros→Copyright 2026–End of Time Coroboros. Single-line edit at line 190 inside the customaryAPPENDIX: How to apply the Apache License to your work.block. No change to grant terms, redistribution conditions, patent grant, trademark clause, or warranty disclaimer..github/workflows/scan.yml— synced toob-aion/pruner@0.2.11per the lockstep contract.- Consumer-facing example pins bumped to
@0.2.11.README.md:94,docs/consumer-integration.md(three occurrences),templates/workflow-minimal.yml:15,templates/workflow-full.yml:18. Previously frozen at@0.2.0since the line cut; new convention going forward: example pins move every release so consumers reading the repo cold land on the latest tag.
0.2.10
chore: 0.2.10 — add Coroboros mark to README (#23) The Pruner repo shipped without an `assets/` folder at bootstrap and the README opened on the title block with no Coroboros mark. The two sibling subprojects (`coroboros/archivist` and `coroboros/agent-skills`) both lead with the gold ouroboros at 288 by 288 — this release closes the visual-consistency gap. `assets/logo.png` is a verbatim copy of the canonical mark used by `coroboros/archivist`, sourced from the shared Coroboros brand asset pool (660 by 660 source PNG, 8-bit RGBA, ~84 kB). The README inserts `<img src="assets/logo.png" width="288" height="288" alt="Coroboros"/>` inside the existing centred div, immediately above the title. The markup matches the archivist README line-for-line for side-by-side browsing parity. `.github/workflows/scan.yml` synced to `ob-aion/pruner@0.2.10` per the lockstep contract.
0.2.9
feat: 0.2.9 — upload every SARIF in the bundle to Code Scanning (#22) The composite action ran the Cisco engine, gitleaks, and the Coroboros pack on every scan, but the `upload-sarif` step only pointed at `coroboros.sarif`. Cisco and gitleaks findings stayed in the workflow artefact bundle and never reached the GitHub Security tab. The Phase beta consumer PR on `coroboros/agent-skills` exposed it: 22 Cisco findings (mostly `ALLOWED_TOOLS_*_VIOLATION` on Python and shell scripts inside skill folders) lived in `cisco.sarif` but did not surface in `security/code-scanning`. Code-Scanning visibility was therefore half of what the bundle actually contained. Fix: change `sarif_file` from a single-file path to the report directory. `github/codeql-action/upload-sarif@v4.35.3` walks the directory, finds every `*.sarif` and `*.sarif.json`, and uploads each under its own tool category. Captures `coroboros.sarif`, `cisco.sarif`, `gitleaks.sarif`, and `snyk.sarif` when opted in. `actionlint.json` ends in `.json` rather than `.sarif.json` and is skipped — actionlint findings remain in the artefact bundle for download but do not appear in the Security tab. Three Code Scanning categories on a default Pruner run (pack, Cisco, gitleaks); four with Snyk. Also bumps `.github/workflows/scan.yml` to `ob-aion/pruner@0.2.9` per the lockstep contract reinstated in 0.2.7.
0.2.8
fix: 0.2.8 — coroboros-pack-run masks pruner-scan exit 1 (findings pr…
0.2.7
chore: 0.2.7 — sync scan.yml `uses:` tag with the release tag (#20) The 0.2.0 release introduced a documented bump step — every release must update `.github/workflows/scan.yml:52`'s `uses: ob-aion/pruner@<X>` line in lockstep with the new tag. The step fell through 0.2.3, 0.2.4, 0.2.5, and 0.2.6 (four consecutive releases). Consumers calling `uses: ob-aion/pruner/.github/workflows/scan.yml@0.2.6` were therefore executing the 0.2.2 composite action internally, missing the `cisco-ai-skill-scanner` bump 2.0.9 to 2.0.11 that 0.2.6 shipped. This release catches scan.yml up to `@0.2.7`. Future releases keep the two in lockstep.
0.2.6
chore(deps): 0.2.6 — bump cisco-ai-skill-scanner 2.0.9 → 2.0.11 (#17)
* chore(deps): 0.2.6 — bump cisco-ai-skill-scanner 2.0.9 → 2.0.11
Replaces Dependabot PR #10 with the full `wrapper/CISCO_PIN.md` bump
procedure. The bump folds in 2.0.10's rule-pack expansion (34 → 314
signatures, restructured by category) and 2.0.11's internal release-
pipeline fix. 2.0.10's opt-in surface (OpenAI-compatible LLM endpoints,
LiteLLM Gemini fallback, `--render-markdown`) does not affect Pruner;
the wrapper stays deterministic at v0.x.
Touched five surfaces for version consistency:
- `wrapper/pyproject.toml` — pin
- `wrapper/src/pruner_wrapper/cisco_runner.py` — `PINNED_VERSION`
- `scripts/setup-cisco.sh` — default
- `wrapper/CISCO_PIN.md` — version, release date, upstream main HEAD
`ff708ea00fd401640112c138711c5c36ff4992a0` (2026-04-30), license
re-verified 2026-05-11
- `wrapper/README.md` — pin reference
- five wrapper test fixtures (`test_cisco_runner.py` asserts the
constant; the other four use the version as fixture data)
`docs/fp-audit.md` gets a 0.2.6 audit section with full reproduction
against the canonical corpus (`coroboros/agent-skills`,
`anthropics/skills`, `vercel-labs/agent-skills`):
- Coroboros pack (`--without-cisco`) deltas vs 0.1.0: +1 FC003 (corpus
added one new skill matching the existing non-canonical-frontmatter
pattern) and +1 PI-PERM-001 on `skills/design-system/SKILL.md` (rule
added in 0.2.0, true positive). Three 0.1.0 tracking notes still
apply unchanged.
- Cisco dual-version parity check (`--with-cisco` with 2.0.9 then 2.0.11
on the same corpora): **identical rule-id distribution and counts**
on both `coroboros/agent-skills` (22 findings, 6 rule IDs) and
`vercel-labs/agent-skills` (20 findings, 8 rule IDs). The 280 newly
added Cisco signatures fire on neither — likely target patterns not
present in well-formed skill repositories.
License-drift guard re-validated: 2.0.11 ships Apache-2.0 intact at
`<venv>/lib/python*/site-packages/cisco_ai_skill_scanner-2.0.11.dist-info/licenses/LICENSE`.
Tests: 263 passed, coverage 90.83 percent.
* docs: humanize CHANGELOG and fp-audit entries against Coroboros voice
Three first-person plural instances ("our SARIF-upload-only use case",
"our dogfood targets", "our corpora") removed per the BRAND-VOICE.md
pronoun rule (third-person institutional, no first-person plural in
corporate communications).
One em-dash density hit on the fp-audit Per-repo bullet for
coroboros/agent-skills reduced from three em-dashes per line to one;
brand voice allows em-dashes, but three on a single line is busy. The
header em-dash separator stays, the inline clauses move to commas and
a colon.