Menu
Resolves GitHub Action tags/versions (e.g., @v4) to their full 40-character commit SHAs for security pinning.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Describes how to get usage instructions adding or implementing a Nuget package in a project, including viewing best practices and examples from the package's README file. Use this skill when you need to understand how to use a Nuget package effectively in your projects.
Provides guidance on securing the Nuget supply chain, including best practices for verifying package integrity, understanding dependencies, and mitigating risks associated with third-party packages. Use this skill when you want to ensure the security and reliability of the Nuget packages you use in your projects.
Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, or manage issue workflows. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", or any GitHub issue management task.
Manage NuGet packages in .NET projects/solutions. Use this skill when adding, removing, or updating NuGet package versions. It enforces using `dotnet` CLI for package management and provides strict procedures for direct file edits only when updating versions.
Guide for reviewing GitHub Actions for security vulnerabilities.
| name | github-action-sha-resolver |
| description | Resolves GitHub Action tags/versions (e.g., @v4) to their full 40-character commit SHAs for security pinning. |
| allowed-tools | mcp_github-mcp_list_tags, mcp_github-mcp_get_tag |
This skill provides a secure workflow to identify the exact commit SHA associated with a specific version of a GitHub Action.
| Tool | Purpose |
|---|---|
mcp_github-mcp_list_tags | Lists all tags for a given repository |
mcp_github-mcp_get_tag | Retrieves detailed information about a specific tag |
When a user asks for the SHA of an action version (e.g., actions/checkout@v4):
Repository Identification:
actions) and repo (checkout).Tag Retrieval:
mcp_github-mcp_list_tags to list available tags for the repository.v4).SHA Extraction:
commit.sha from the tag object in the list response.v4 and v4.1.1), ask the user for clarification before providing a SHA.User: "Give me the SHA for actions/setup-node@v3" Agent Action:
mcp_github-mcp_list_tags(owner="actions", repo="setup-node", perPage=100).v3.051d54f3a8c27888bd22a30b9f6d6309277c7315.actions/setup-node@v3 is 051d54f3a8c27888bd22a30b9f6d6309277c7315."