ci: add HOL skill-publish validate workflow #314
internet-dot wants to merge 2 commits into getsentry:main from
Conversation
| - name: Validate skill package | ||
| uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1 | ||
| with: | ||
| skill-dir: . |
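Review bot: `skill-dir: .` on the last line resolves against the checkout root, so the action looks for the skill metadata there; if the skill files live in a subdirectory, point `skill-dir` at that directory (one job per skill directory, or a matrix over them) rather than at `.`. The action is pinned to a full commit SHA, which is the right form, but `# v1` is the only hint of which upstream release that SHA is; record the exact tag the SHA was resolved from so a reviewer can check the pin against the upstream repository.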
Wrong skill-dir points to root, missing skill files
High Severity
The skill-dir is set to . (repo root), but the repository has no SKILL.md or skill.json at the root. The actual SKILL.md files live under skills/xcodebuildmcp/ and skills/xcodebuildmcp-cli/. Additionally, there is no skill.json file anywhere in the repository, which the skill-publish action requires alongside SKILL.md for validation. This workflow will always fail.
Reviewed by Cursor Bugbot for commit 78e4fc7.
| uses: hashgraph-online/skill-publish@c182a4aa4dba68fb7f3c01be4ca560dfb759ae9e # v1 | ||
| with: | ||
| skill-dir: . |
Bug: The new workflow hol-skill-validate.yml introduces an unnecessary and out-of-context third-party action, hashgraph-online/skill-publish, which poses a supply chain security risk.
Severity: HIGH
Suggested Fix
The new workflow file .github/workflows/hol-skill-validate.yml should be removed entirely. The introduced third-party action is not relevant to this project and introduces an unnecessary security risk to the CI/CD pipeline.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/hol-skill-validate.yml#L14-L16
Potential issue: The pull request adds a GitHub Actions workflow that executes `hashgraph-online/skill-publish`, an action for a blockchain skill registry. This action is entirely unrelated to the project's purpose as an Xcode build tool. The workflow is configured to run on every push and pull request, passing repository contents to this external service. This introduces an unnecessary dependency and a potential supply chain security vulnerability, as the external action runs in a trusted CI environment with access to repository data. The change is submitted by an unknown external contributor and lacks any justification within the project's context.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 04c9596.
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - name: Validate skill package | ||
| uses: hashgraph-online/skill-publish@8f3c91d7d4cde7b104549e5f0cccdbb4cd7ee58d # v1 # v1 |
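Review bot: the pinned SHA for `hashgraph-online/skill-publish` changed from `c182a4aa…` in the earlier commit to `8f3c91d7…` here, yet the trailing annotation still reads `# v1`, now pasted twice as `# v1 # v1`; if the `v1` tag was re-resolved, state the exact release the new SHA corresponds to, in a single comment, so the pin can be verified upstream. `actions/checkout` is pinned the same way, which is correct. Because the third-party step reads the full checkout, the job should also carry a minimal `permissions:` block (read-only contents) and a trigger narrowed to the skill directories, if those are not already present outside the quoted lines.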
Duplicated version comment on action reference line
Low Severity
The uses line has a duplicated version comment: # v1 # v1. This appears to be an accidental double-paste of the version annotation.
Reviewed by Cursor Bugbot for commit 04c9596.


I opened this as a small validate-only check for the skill metadata in the repo.
A couple of repo-specific details I checked first:
This adds one workflow for . and leaves the runtime code alone. It only runs the schema and trust checks for the skill metadata in validate mode.
If you would rather place the workflow under a different filename or point it at a different skill directory, I can adjust the branch.
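The two review findings above (an unpinned or unfamiliar third-party action in a trusted CI job, a duplicated `# v1 # v1` annotation, and a `skill-dir` that does not contain the files the action expects) are all checkable before merge. The script below is an added example written for this page, not code from the PR, the xcodebuildmcp project, or the skill-publish action. It audits every `uses:` line in a workflow for full-SHA pinning, an owner allowlist and a single version annotation, and resolves `skill-dir` against a file listing to report missing `SKILL.md`/`skill.json`. The workflow text and the repository listing are constructed from the lines quoted in the review comments; the `name:`/`on:`/`jobs:` scaffolding, the `actions`-only allowlist and the required-file names are assumptions for the example.

```python
import posixpath
import re

# Constructed sample workflow: the `uses:` lines quoted in the review comments
# above, with the `name:`/`on:`/`jobs:` scaffolding assumed for this example.
SAMPLE_WORKFLOW = """\
name: hol-skill-validate
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Validate skill package
        uses: hashgraph-online/skill-publish@8f3c91d7d4cde7b104549e5f0cccdbb4cd7ee58d # v1 # v1
        with:
          skill-dir: .
"""

# Constructed repository listing, following the paths named in the first review
# comment (only the two SKILL.md files exist; there is no skill.json anywhere).
REPO_FILES = {
    "skills/xcodebuildmcp/SKILL.md",
    "skills/xcodebuildmcp-cli/SKILL.md",
    ".github/workflows/hol-skill-validate.yml",
}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>\S+)(?:\s+(?P<comment>#.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v\d")


def audit_uses_lines(workflow_text, allowed_owners=("actions",)):
    """Return one finding dict per problem found on each `uses:` step.

    Kinds: unpinned (ref is a tag/branch, not a 40-hex commit SHA),
    missing-version-comment (SHA pin without a `# vN` hint of the release),
    duplicate-version-comment (more than one `#` annotation on the line),
    third-party (owner not in the allowlist; assumed allowlist is `actions`).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), (m.group("comment") or "").strip()
        if "@" not in ref:
            findings.append({"line": lineno, "kind": "unpinned", "ref": ref})
            continue
        action, version = ref.rsplit("@", 1)
        owner = action.split("/")[0]
        if not SHA_RE.match(version):
            findings.append({"line": lineno, "kind": "unpinned", "ref": ref})
        elif not VERSION_COMMENT_RE.search(comment):
            findings.append({"line": lineno, "kind": "missing-version-comment", "ref": ref})
        if comment.count("#") > 1:
            findings.append({"line": lineno, "kind": "duplicate-version-comment", "ref": ref})
        if owner not in allowed_owners:
            findings.append({"line": lineno, "kind": "third-party", "ref": ref})
    return findings


def check_skill_dir(workflow_text, repo_files, required=("SKILL.md", "skill.json")):
    """Resolve `skill-dir:` against the checkout root and list required files
    (names taken from the review comment; assumed here) that are not present."""
    m = re.search(r"^\s*skill-dir:\s*(\S+)\s*$", workflow_text, re.MULTILINE)
    if not m:
        return {"skill_dir": None, "missing": list(required)}
    skill_dir = m.group(1)
    missing = [
        name for name in required
        if posixpath.normpath(posixpath.join(skill_dir, name)) not in repo_files
    ]
    return {"skill_dir": skill_dir, "missing": missing}


def main():
    for f in audit_uses_lines(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']} ({f['ref']})")
    print(check_skill_dir(SAMPLE_WORKFLOW, REPO_FILES))


if __name__ == "__main__":
    main()
```

Run against the sample, the `actions/checkout` step passes cleanly, the `skill-publish` step is flagged as third-party with a duplicated version comment, and `skill-dir: .` is reported as missing both `SKILL.md` and `skill.json`; switching `skill-dir` to `skills/xcodebuildmcp` leaves only `skill.json` missing, which matches the first review comment. The allowlist is deliberately strict: a pinned SHA proves which code runs, not whether that code should run in this repository's CI at all.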