fix(skills): scan staged payload with SkillSpector

[davida-ps]

User description

Summary

• Run SkillSpector against the staged release payload instead of the source skill directory in both PR dry-runs and tag releases.
• Keep the release simulation aligned with that behavior so source-only test directories cannot leak into scans.
• Embed the generated SkillSpector report content directly in GitHub release notes, while keeping the downloadable skillspector-report.md artifact link.

Security / release benefit

• Prevents SkillSpector findings from source-only test fixtures that are not shipped in skill release archives.
• Makes the generated SkillSpector report visible directly on the skill release page.

Testing

• for test_file in scripts/test-skill-*.mjs; do node "$test_file"; done
• npx eslint scripts/ci/simulate_skill_tag_release.mjs scripts/test-skill-release-workflow.mjs scripts/test-skill-tag-release-simulation.mjs --max-warnings 0
• npx tsc --noEmit
• git diff --check
• npm run build

---

Generated description

Below is a concise technical summary of the changes proposed in this PR:
Align release workflows to scan the staged release payload by running generate_skillspector_report against the archived output and propagating that behavior through scripts/ci/simulate_skill_tag_release.mjs and its test shim. Embed the generated skillspector-report.md into the GitHub release body via a new preparation step that also provides a release notes link, with tests validating the resulting workflow structure.

Topic	Details
SkillSpector Flow	Update generate_skillspector_report invocations and the fake SkillSpector helper so the dry-run, tag-release build, and simulation scripts scan the staged payload (inner_dir) rather than the source directory, preventing source-only test fixtures from leaking into the report. Modified files (3) .github/workflows/skill-release.yml scripts/ci/simulate_skill_tag_release.mjs scripts/test-skill-tag-release-simulation.mjs Latest Contributors(2) User Commit Date David.a@prompt.security fix(skills): use body ... June 10, 2026 david.a@prompt.security fix(skills): namespace... June 10, 2026
Release Notes	Add a GitHub release body preparation step that loads the generated report, embeds it along with verification instructions and the download link, and update workflow tests to assert the new body handling and release note requirements. Modified files (2) .github/workflows/skill-release.yml scripts/test-skill-release-workflow.mjs Latest Contributors(2) User Commit Date David.a@prompt.security fix(skills): use body ... June 10, 2026 david.a@prompt.security fix(skills): namespace... June 10, 2026

_{Review this PR on Baz | Customize your next review}