Releases: netresearch/github-project-skill
v2.14.0
Highlights
npm distribution — the skill now ships as an npm package via @netresearch/agent-skill-coordinator, joining the marketplace and Composer as a first-class install path (#74).
AI-reviewer pushback patterns (#73). A new section in the skill teaches the agent how to push back when Gemini/Copilot/CodeRabbit reviewers post incorrect or low-value feedback — when to defer to the bot, when to defend the design, and how to phrase the response so the bot moves on without spam. Built from observed pushback patterns across recent skill-repo reviews.
Agentic workflows reference (#75). New references/agentic-workflows.md documents gh-aw and awf for spawning agent runs inside CI from issues/PRs — covers permissions, secret scoping, and the safety boundaries that keep agent CI runs from leaking into the project's main pipeline.
PR merge / branch protection / CodeQL playbook (commits). Adds documented playbooks for: branch-protection setup, CodeQL gotchas (default-setup vs advanced-setup interplay, language-detection edge cases), and PR-merge state diagnosis. The --delete-branch snippet now auto-detects the allowed merge strategy via the GitHub API instead of assuming --merge. Mergeability detection uses the GraphQL Repository.mergeQueue field, which correctly reports merge-queue state where the REST API returns ambiguous values.
Checkpoint quality pass — GH-6, GH-23, GH-30, GH-31 rewritten to satisfy the assessment runner's command allowlist; GH-2 license check broadened to recognize split-license repos (MIT + CC-BY-SA-4.0 layout); new GH-34/35/36 checkpoints + a references/reusable-workflow-pitfalls.md companion; org_provides introduced for community-health files that live at the org level (CODE_OF_CONDUCT, SECURITY) rather than per-repo; follow_uses lets checkpoints delegate CodeQL/Scorecard verification to companion workflows rather than re-implementing them.
Maintenance
- Release caller dropped the deprecated
with: bump:block andworkflow_dispatch.bumpinput — releases happen exclusively by pushing a locally-signed tag (commit). - Granted
id-token: write/attestations: writeon the release caller so the reusable workflow can emit SLSA build-provenance and cosign-signed checksums; over-privilegedpull-requests: writeremoved (#65). - Trailing newline added to release.yml to satisfy yamllint.
- SKILL.md trimmed to the 500-word cap; plugin.json sync'd to SKILL.md
metadata.version.
Documentation
- npm documented as a distribution channel; composer version assertion + LICENSE allowlist corrected per review.
- Org-security-settings and tag-validation references cited where applied.
Verification
gh attestation verify github-project-skill-v2.14.0.zip --repo netresearch/github-project-skill
cosign verify-blob \
--bundle SHA256SUMS.txt.bundle \
--certificate-identity-regexp '^https://github\.com/netresearch/skill-repo-skill/\.github/workflows/release\.yml@' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
SHA256SUMS.txt
sha256sum --check SHA256SUMS.txtInstall
/plugin install github-project@netresearch
composer require netresearch/github-project-skill
npm i -D @netresearch/agent-skill-coordinator github:netresearch/github-project-skillFull changelog: v2.13.1...v2.14.0
v2.13.1
What's Changed
- ci: forward bump input to reusable release workflow by @CybotTM in #61
- fix(checkpoints): GH-24..27 accept reusable-workflow delegation by @CybotTM in #62
- fix(checkpoints): GH-8/09 .yml form templates + GH-19/20 reusable workflow by @CybotTM in #63
- chore: release v2.13.1 by @github-actions[bot] in #64
New Contributors
- @github-actions[bot] made their first contribution in #64
Full Changelog: v2.13.0...v2.13.1
Contributors
Assets 7
v2.13.0
Highlights
- New
multi-repo-operationsreference for batch and fleet-wide GitHub operations, with parity and loop-safety guidance - New
fleet operational hygienereference covering patterns for maintaining many repos at once - New workflow-bash-patterns reference — safe bash inside workflow
run:steps, plus GHA expression gotchas for multi-trigger workflows - New dependency-management reference — Dependabot ecosystem hygiene and failure modes
- Auto-merge guide gains a post-merge review-sweep process and expanded Copilot auto-approve race-condition guide (wait for Copilot before merging; validate suggestions)
multi-repo-operationspicks up a template-drift resolution pattern
CI / infrastructure
- Added the eval-validate workflow
- Fixed the auto-merge-deps reusable workflow reference
- Multiple Copilot review sweeps folded into the references (followups from #53/#54/#55, plus second-sweep fixes)
Full Changelog: v2.12.0...v2.13.0
v2.12.0
Release v2.12.0
What's Changed
- feat: add auto-merge workflow quality checkpoints and troubleshooting guide by @CybotTM in #48
- feat: branch protection audit checkpoints (enforce_admins + conversation resolution) by @CybotTM in #49
- Expand evals to 20 and improve SKILL.md diagnostic coverage by @CybotTM in #50
Full Changelog: v2.10.2...v2.12.0
Contributors
Assets 7
v2.10.2
Maintenance release with CI and metadata fixes.
Added the required author.url field to plugin.json for skill validation compliance. Switched org-internal reusable workflow references from SHA-pinned to branch-based (@main), since SHA-pinning internal workflows causes unnecessary churn from Renovate without meaningful security benefit.
Full Changelog: v2.10.1...v2.10.2
v2.10.1
What's Changed
Full Changelog: v2.10.0...v2.10.1
Contributors
Assets 7
v2.10.0
Full Changelog: v2.9.0...v2.10.0
v2.9.0
What's Changed
- fix: harden GitHub Actions against supply chain attacks by @CybotTM in #40
- feat: add org-level security and reusable workflow security references by @CybotTM in #41
Full Changelog: v2.8.0...v2.9.0
Contributors
Assets 7
v2.8.0
Contributors
Assets 7
v2.7.1
What's Changed
Full Changelog: v2.7.0...v2.7.1