kg-suite-spec-version-tracker-action reads JSON files from the workflow's checkout, posts a single PR comment via the GitHub API (when run on a pull_request event with a valid token), and writes structured outputs. No remote fetch beyond the GitHub API comment call, no execution of user-supplied code.
The action uses ${{ github.token }} by default — scoped to the repository where the workflow runs and never persisted. If you provide your own token via the github-token input, ensure it has only pull-requests: write permissions.
Only the latest tagged release is supported.
Please use GitHub Security Advisories for private disclosure:
Do not file public issues for security reports.