[UPDATE PROMPTS] Add agent skills for creating and publishing CodeQL model packs

[Copilot]

Adds two SKILL.md files under .github/skills/ that turn the existing models-as-data reference docs into procedural, agent-routable workflows for the two distinct deployment paths: repo-local extensions vs. GHCR-published model packs.

📝 Prompt Update

• Scope: Global (new .github/skills/ resource type)
• Hierarchy Level: New peer to Level 3 (.github/prompts/*.prompt.md), procedurally oriented rather than reference-oriented
• Target Language (if applicable): N/A — language-agnostic, links out to language-specific data extension prompts

🎯 Changes

What Changed

• .github/skills/create-model-pack/SKILL.md — numbered procedure: identify library/language → classify API into sourceModel / sinkModel / summaryModel / barrierModel / barrierGuardModel / typeModel / neutralModel → choose between .github/codeql/extensions/ (no qlpack.yml) and a reusable pack under languages/<lang>/custom/src/ → author .model.yml with the right tuple format → wire qlpack.yml extensionTargets / dataExtensions → validate via codeql query run --additional-packs=… and codeql test run --additional-packs=….
• .github/skills/publish-model-pack/SKILL.md — numbered procedure: verify qlpack.yml (name, version, library: true, extensionTargets, dataExtensions) → codeql pack create → codeql pack publish (with GITHUB_TOKEN / packages: write notes) → configure under org Code security → Global settings → CodeQL analysis → Model packs → semver bump strategy with auto-latest behavior for Default Setup → validate via Analyze workflow logs.
• Both files use the SKILL.md convention (YAML frontmatter with name + agent-routing description, When to use, Prerequisites, Procedure, Validation checklist, Related resources), cross-link each other, and link out to the existing data_extensions_development.prompt.md, language-specific data extension prompts, and resources/cli/codeql/*.prompt.md files rather than duplicating tuple-format and CLI reference content.

Why This Change

The data extension prompts are excellent reference material (tuple formats, threat models, access path syntax) but are not structured as action plans. Skills routed by description give agents — especially Copilot Cloud Agent — a step-by-step recipe and cleanly separate the "no publish needed" repo-local path from the "publish to GHCR + configure org Default Setup" path, which today are intermingled in the reference docs.

Issues Addressed

Agents jumping straight to YAML authoring without first deciding deployment scope, skipping local validation with --additional-packs, conflating codeql query run (supports --model-packs) with codeql test run (does not), and missing the qlpack.yml → org settings → workflow-log validation chain when publishing.

🔍 Impact

Previous Behavior

When asked to "model library X" or "publish a model pack", agents had only reference prompts to draw on and tended to produce YAML without the surrounding workflow (scope decision, qlpack.yml glob verification, local query/test runs, GHCR publish, org configuration, log-based validation).

New Behavior

Agent routing on the skill description triggers the matching skill, and the agent executes the numbered Procedure end-to-end, deferring to the linked reference prompts only for tuple-format and CLI detail.

🧪 Validation

• Manual testing completed
• Workflow validation performed
• No forbidden files included (no queries, tests, or analysis files)

Test Scenarios

1. All relative markdown links in both skills resolved against the working tree (prompts, sibling skill, CLI prompt files, workflow file).
2. Both files pass the repository's prettier configuration (*.md override, printWidth: 100, proseWrap: preserve); YAML frontmatter parses with name + description fields populated.
3. parallel_validation (Code Review + CodeQL) reports no findings.

📋 Checklist

• Only prompt system files included
• No query implementation files
• No analysis or summary files
• Documentation updated (PROMPTS.md/README.md if needed) — PROMPTS.md does not currently describe .github/skills/; consider a follow-up to add the new resource type to the hierarchy diagram
• Links and references validated

🔗 References

• Add data extension prompts, templates, and barrier/barrierGuard support #42 — data extension prompts that this skill set complements
• Configure organization-level CodeQL model packs
• Extending CodeQL coverage with model packs in Default Setup
• CodeQL now supports sanitizers and validators in models-as-data

---

Note: This update maintains hierarchy integrity and follows prompt system best practices.