Upgrade paths between hardening levels — detection, delta generation, and rollback
From gh-guard (install with `npx claudepluginhub anthropics/claude-plugins-community --plugin gh-guard`).
This guide covers upgrading between gh-guard hardening levels (Minimal → Standard → Hardened), including detecting your current level, generating only the delta files, and rolling back individual components.
| Upgrade | New Files | New Manual Steps |
|---|---|---|
| None → Minimal | CI workflow, deny.toml, dependabot.yml, SECURITY.md, rust-toolchain.toml | Verify CI passes, review deny allowlist |
| Minimal → Standard | Publish workflow, CodeQL workflow, Scorecard workflow, release script | Create crates-io env, configure Trusted Publishing, disable CodeQL default, set up signing key, branch protection |
| Standard → Hardened | Fuzz workflow, osv-scanner.toml + modify publish workflow (add SLSA jobs) | Init fuzz targets, register CII badge, review osv-scanner overrides |
Use the hardening-detection skill for the full marker list and classification algorithm. It is the single source of truth for level detection, shared by /audit, /harden, and this guide.
In brief: check for marker files across three tiers (Minimal: 4 markers, Standard: +4, Hardened: +3). The effective level is the highest tier where ALL markers are present. "Custom" means partial coverage — recommend filling gaps before upgrading.
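As an added example (not gh-guard's own code), the classification above and the delta listing in POSIX shell. The marker sets are assumed from the file table in this guide, and the SLSA provenance job is recognised by a `provenance:` key inside publish.yml, which is also an assumption; the hardening-detection skill remains the authoritative list.

```shell
# Added example, not gh-guard's own code. Marker sets are an ASSUMPTION read off
# the file table in this guide; the hardening-detection skill is authoritative.
MINIMAL_MARKERS=".github/workflows/ci.yml deny.toml .github/dependabot.yml SECURITY.md"
STANDARD_MARKERS=".github/workflows/publish.yml .github/workflows/codeql.yml .github/workflows/scorecard.yml scripts/release.sh"
HARDENED_MARKERS=".github/workflows/fuzz.yml osv-scanner.toml .github/workflows/publish.yml@provenance:"
# A marker is a path, or path@string meaning the file exists AND contains the
# string (the SLSA provenance job lives inside publish.yml, not in its own file).
has_marker() {
    case $2 in
        *@*) f="$1/${2%%@*}"; [ -f "$f" ] && grep -Fq -- "${2#*@}" "$f" ;;
        *)   [ -e "$1/$2" ] ;;
    esac
}
# Print the markers of one tier that are missing under repo $1, one per line.
missing_markers() {
    repo=$1; shift
    for m in "$@"; do has_marker "$repo" "$m" || echo "$m"; done
}
# full: every marker present; empty: none present; partial: anything in between.
tier_state() {
    repo=$1; shift; present=0
    for m in "$@"; do if has_marker "$repo" "$m"; then present=$((present + 1)); fi; done
    if [ "$present" -eq $# ]; then echo full
    elif [ "$present" -eq 0 ]; then echo empty
    else echo partial; fi
}
# Effective level = highest tier whose markers are ALL present (tiers are cumulative).
# Any marker present above that level means partial coverage, reported as "custom".
detect_level() {
    repo=$1; level=none; above=""
    for tier in "minimal $MINIMAL_MARKERS" "standard $STANDARD_MARKERS" "hardened $HARDENED_MARKERS"; do
        name=${tier%% *}; markers=${tier#* }
        if [ -z "$above" ] && [ "$(tier_state "$repo" $markers)" = full ]; then
            level=$name
        else
            above="$above $markers"
        fi
    done
    if [ -n "$above" ] && [ "$(tier_state "$repo" $above)" != empty ]; then echo custom; else echo "$level"; fi
}
# Delta for the next level: the missing markers of the lowest incomplete tier
# (for a "custom" repo these are the gaps to fill before upgrading further).
upgrade_delta() {
    for tier in "$MINIMAL_MARKERS" "$STANDARD_MARKERS" "$HARDENED_MARKERS"; do
        missing=$(missing_markers "$1" $tier)
        if [ -n "$missing" ]; then echo "$missing"; return 0; fi
    done
}
```

Run `detect_level .` and `upgrade_delta .` from the repository root; the delta is the list of files to copy from the templates before working through the manual steps.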
Minimal → Standard

Prerequisites: the main branch, with the gh CLI installed and authenticated.

New files (copy each from its template if it is not already present):
- .github/workflows/publish.yml (from templates/workflows/publish.yml)
- .github/workflows/codeql.yml (from templates/workflows/codeql.yml)
- .github/workflows/scorecard.yml (from templates/workflows/scorecard.yml)
- scripts/release.sh (from templates/release.sh)

Manual steps:
- crates-io environment — repo Settings > Environments > New environment > name it crates-io
- Trusted Publishing: at crates.io/crates/<name>/settings, add publisher: repo, workflow publish.yml, environment crates-io
- Branch protection on main: require status check "CI", require PR reviews
- Signing key: `git config --global gpg.format ssh && git config --global user.signingkey ~/.ssh/id_ed25519.pub`
- Verify with a release candidate: `scripts/release.sh X.Y.Z-rc.1`
- CARGO_REGISTRY_TOKEN secret: no longer needed once Trusted Publishing works (the rollback table below adds it back)
- --admin flag: for when branch protection blocks the upgrade PR (see the troubleshooting table)

Standard → Hardened

Prerequisites: cargo fuzz basics, and the provenance and release jobs from the template.

New files:
- .github/workflows/fuzz.yml (from templates/workflows/fuzz.yml)
- osv-scanner.toml (from templates/osv-scanner.toml)

Manual steps:
- `cargo fuzz init && cargo fuzz add <target_name>` for each target
- `cargo +nightly fuzz run <target> -- -max_total_time=60` locally to verify targets work
- Trigger a manual run via workflow_dispatch to verify the workflow in CI
- Test the release pipeline with a throwaway tag (v0.0.0-test.1) on a fork
- SLSA generator: @tag reference, not SHA (reusable workflow requirement)
- Fuzz workflow: toolchain: nightly

Each component can be rolled back independently:
| Component | Rollback | Notes |
|---|---|---|
| CI workflow | Delete .github/workflows/ci.yml | Remove "CI" from required status checks first |
| cargo-deny | Delete deny.toml | Remove deny step from CI workflow |
| Dependabot | Delete .github/dependabot.yml | Close any open Dependabot PRs |
| SECURITY.md | Delete SECURITY.md | Consider keeping — low cost, high value |
| Trusted Publishing | Remove crates-io-auth-action from publish workflow, add CARGO_REGISTRY_TOKEN secret | Revoke OIDC publisher at crates.io settings, generate a new API token at crates.io > Account Settings > API Tokens, add it as CARGO_REGISTRY_TOKEN in repo Settings > Secrets |
| CodeQL | Delete .github/workflows/codeql.yml | Re-enable default setup if desired |
| Scorecard | Delete .github/workflows/scorecard.yml | Badge will go stale, then 404 |
| Release script | Delete scripts/release.sh | Switch to manual tag-and-push workflow |
| SLSA provenance | Remove provenance and release jobs from publish workflow | Existing releases keep their provenance |
| Fuzz testing | Delete .github/workflows/fuzz.yml and optionally fuzz/ | Keep fuzz/ if you run locally |
| osv-scanner | Delete osv-scanner.toml | Scorecard Vulnerabilities check unaffected |
Common issues seen during an upgrade, with the level at which they appear:

| Issue | Level | Symptom | Fix |
|---|---|---|---|
| CodeQL default blocks custom | Minimal → Standard | "Code scanning is already enabled" | Disable default setup in Settings > Code Security |
| Missing crates-io environment | Minimal → Standard | Publish workflow fails with "environment not found" | Create environment in repo Settings > Environments |
| Trusted Publishing not configured | Minimal → Standard | crates-io-auth-action fails with 403 | Configure at crates.io/crates/NAME/settings |
| SLSA tag reference | Standard → Hardened | Provenance job fails "must use tag" | Change SLSA generator reference from SHA to @v2.1.0 |
| Fuzz nightly missing | Standard → Hardened | cargo fuzz errors about -Z flags | Ensure workflow specifies toolchain: nightly |
| osv-scanner false positives | Standard → Hardened | CI fails on test fixture vulnerabilities | Add ecosystem overrides in osv-scanner.toml |
| Branch protection blocks merge | Any upgrade | PR can't merge without reviews/checks | Use --admin flag or temporarily adjust protection rules |
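An added example, not part of gh-guard: preflight checks for the two Standard → Hardened rows above that are visible in the workflow files themselves (an SLSA generator reference pinned to a SHA, a fuzz workflow without a nightly toolchain), plus a sed rewrite to the @v2.1.0 tag the table names. The slsa-framework path pattern and the toolchain: key are assumptions about what the template workflows contain.

```shell
# Added example, not gh-guard's own code. The slsa-framework path pattern, the
# v2.1.0 tag from the troubleshooting table and the "toolchain:" key are
# assumptions about what the template workflows contain.
# 0 if every slsa-framework `uses:` line in $1 is pinned to an @tag rather than a
# 40-hex commit SHA (SLSA reusable workflows must be referenced by tag).
slsa_refs_are_tags() {
    ! grep -Eq 'uses:[[:space:]]*slsa-framework/[^@]+@[0-9a-f]{40}' "$1"
}
# 0 if the fuzz workflow $1 selects a nightly toolchain (cargo fuzz needs -Z flags).
fuzz_uses_nightly() {
    grep -Eq '^[[:space:]]*toolchain:[[:space:]]*nightly' "$1"
}
# Rewrite SHA-pinned slsa-framework references in $1 to the @v2.1.0 tag (stdout).
pin_slsa_to_tag() {
    sed -E 's#(slsa-framework/[^@[:space:]]+)@[0-9a-f]{40}#\1@v2.1.0#' "$1"
}
# Report each problem on stdout; the exit status is the number of problems found,
# so `hardened_preflight publish.yml fuzz.yml || echo "fix first"` reads naturally.
hardened_preflight() {
    problems=0
    if ! slsa_refs_are_tags "$1"; then
        echo "SLSA tag reference: change the generator reference in $1 from SHA to @v2.1.0"
        problems=$((problems + 1))
    fi
    if ! fuzz_uses_nightly "$2"; then
        echo "Fuzz nightly missing: add toolchain: nightly to $2"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run `hardened_preflight .github/workflows/publish.yml .github/workflows/fuzz.yml` before pushing the Hardened delta; `pin_slsa_to_tag` prints the corrected publish workflow to stdout so it can be reviewed before overwriting the file.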