feat(copilot-skills)!: drop lockfile, lean on gh skill frontmatter#95
Merged
botantler[bot] merged 3 commits intomainfrom Apr 19, 2026
Merged
Conversation
`gh skill install` now records upstream provenance in each installed SKILL.md's `metadata.github-*` frontmatter, and `gh skill update` reads that to detect drift — so a sidecar skills-lock.json is redundant. setup-copilot-skills: - Replace `skills-lock` / `source` / `skills` inputs with a single `skills` input: newline list of `<owner/repo> <skill>[@pin]` entries, so consumers can mix upstreams freely. - Drop the jq dependency. - Pin per line via `@<tag|branch|sha>`; reproducible installs no longer need a lockfile. update-copilot-skills: - Replace the gh-api ref-resolution loop with `gh skill update --all --dir <dir>`; the CLI edits installed SKILL.md files in place. - New `dry-run`, `unpin`, `dir` inputs; drop `skills-lock`. - `changed` output computed from SKILL.md content hashes before/after, so git is not required in the caller's environment. Both READMEs gain a "Migrating from v1" section showing the diff. BREAKING CHANGE: `setup-copilot-skills` and `update-copilot-skills` both remove the `skills-lock` input; `setup-copilot-skills` also removes the `source` input and redefines `skills` as the sole list input. Delete any skills-lock.json and move each entry onto its own `<owner/repo> <skill>` line in `setup-copilot-skills.with.skills`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
![botantler[bot]](https://avatars.githubusercontent.com/in/1025824?s=60&v=4){kind=small}
3 tasks
There was a problem hiding this comment.
Pull request overview
This PR refactors the Copilot skills actions to remove the skills-lock.json workflow and instead rely on the upstream provenance frontmatter that gh skill install injects into each installed SKILL.md. Updates are delegated to gh skill update --all, and both actions’ inputs/outputs and documentation are updated accordingly.
Changes:
- Replace
update-copilot-skillslockfile pinning logic withgh skill update --all --dir <dir>plus before/after content hashing to computechanged. - Simplify
setup-copilot-skillsto a single required newline-separatedskillslist (<owner/repo> <skill>[@pin]) supporting comments and blanks. - Update READMEs and root action list, including “Migrating from v1” guidance.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| update-copilot-skills/action.yaml | Switches implementation to gh skill update, adds dir/dry-run/unpin, and computes changed via SKILL.md hashing. |
| update-copilot-skills/README.md | Updates docs for new behavior/inputs/outputs and adds v1→v2 migration section. |
| setup-copilot-skills/action.yaml | Removes lockfile/source modes; parses a unified <owner/repo> <skill>[@pin] list and installs via gh skill install. |
| setup-copilot-skills/README.md | Documents new unified input format and adds migration notes. |
| README.md | Updates action catalog descriptions to reflect the new v2 behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
devantler
added a commit
to devantler-tech/ksail
that referenced
this pull request
Apr 19, 2026
Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json` + remove its mega-linter exclusions. - Reinstall 15 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. Tooling that reads it must now discover skills under `.agents/skills/` instead. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2 tasks
devantler
added a commit
to devantler-tech/platform
that referenced
this pull request
Apr 19, 2026
Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json`. - Reinstall 11 of 12 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - `siderolabs/docs` is not re-installed: the upstream ships `public/skill.md` (lowercase) which `gh skill install` rejects (it only recognises `SKILL.md`). Tracking upstream for a fix — until then, manage that skill out-of-band or drop it. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. The `siderolabs` skill is temporarily unavailable pending an upstream rename to `SKILL.md`. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merged
1 task
- Rewrite `test-setup-copilot-skills.yaml` to exercise the new flat `skills: <owner/repo> <skill>[@pin]` input (inline, pinned, missing-input, malformed-line cases). - Rewrite `test-update-copilot-skills.yaml` to seed a pinned install and assert `gh skill update --all` is a no-op, that `--dry-run` does not mutate SKILL.md, and that a missing `dir` fails. - `setup-copilot-skills/action.yaml`: require exactly two whitespace-separated tokens per line (reject silent extra tokens). - `update-copilot-skills/action.yaml`: fail fast when `shasum` is missing and drop the `|| true` swallow so hashing errors surface. Addresses review threads on PR #95. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The whitespace-only guard accepted inputs that consisted entirely of `#` comment lines, letting the action "succeed" without installing anything. Track whether any entry was actually processed and fail with a clear message when none were. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
to devantler-tech/platform
that referenced
this pull request
Apr 19, 2026
) * refactor(skills)!: reinstall from upstreams, drop skills-lock.json Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json`. - Reinstall 11 of 12 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - `siderolabs/docs` is not re-installed: the upstream ships `public/skill.md` (lowercase) which `gh skill install` rejects (it only recognises `SKILL.md`). Tracking upstream for a fix — until then, manage that skill out-of-band or drop it. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. The `siderolabs` skill is temporarily unavailable pending an upstream rename to `SKILL.md`. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(update-skills): pin to merged reusable-workflows commit on main The previous PR-head SHA was unreachable from the default branch after reusable-workflows#207 squash-merged, triggering zizmor's "commit with no history in referenced repository" alert. Repoint at the merge commit on `main`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
🎉 This PR is included in version 3.0.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+146
to
+148
| cleaned=$(sed -e 's/\r/\n/g' -e 's/\x1B\[[0-9;]*[a-zA-Z]//g' "$out" \ | ||
| | grep -vE '^Checking .* installed skill' \ | ||
| | sed '/^$/d') |
There was a problem hiding this comment.
The cleaned=$( ... | grep -vE ... | ... ) pipeline can cause the action to fail on no-op runs. With set -euo pipefail, grep -vE exits with status 1 when it filters out all lines (i.e., no output), which will terminate the step even though this is a valid “nothing to report” case. Make the filtering pipeline tolerant of empty output (e.g., ignore grep’s 1 exit code or restructure to avoid relying on grep’s exit status).
Suggested change
| cleaned=$(sed -e 's/\r/\n/g' -e 's/\x1B\[[0-9;]*[a-zA-Z]//g' "$out" \ | |
| | grep -vE '^Checking .* installed skill' \ | |
| | sed '/^$/d') | |
| cleaned=$(sed \ | |
| -e 's/\r/\n/g' \ | |
| -e 's/\x1B\[[0-9;]*[a-zA-Z]//g' \ | |
| -e '/^Checking .* installed skill/d' \ | |
| -e '/^$/d' \ | |
| "$out") |
Comment on lines
+123
to
+125
| find "$INPUT_DIR" -type f -name SKILL.md -print0 \ | ||
| | sort -z \ | ||
| | xargs -0 -r shasum -a 256 >"$before" |
There was a problem hiding this comment.
The checksum snapshot uses sort -z and xargs -0 -r, which are not consistently available across BSD userlands (notably on macOS) even though this repo runs macos-latest in CI. Consider switching to a more portable approach (e.g., iterate find -print0 results in a while read -d '' loop and avoid sort -z/xargs -r), and apply it in both the before/after snapshots.
| | `changed` | `true` when the lockfile was modified, `false` otherwise | | ||
| | `updated-skills` | Newline-separated list of `name old-digest -> new-digest` lines for skills whose pins changed | | ||
| | `changed` | `true` when at least one `SKILL.md` was modified, `false` otherwise | | ||
| | `updated-skills` | Cleaned stdout from `gh skill update --all` (blank when nothing changed) | |
There was a problem hiding this comment.
The README says updated-skills is “blank when nothing changed”, but the action always writes this output and will emit at least a newline even when there is no cleaned stdout. Either adjust the implementation to only set updated-skills when there is meaningful content, or relax the documentation so consumers don’t rely on it being empty on no-op runs.
Suggested change
| | `updated-skills` | Cleaned stdout from `gh skill update --all` (blank when nothing changed) | | |
| | `updated-skills` | Cleaned stdout from `gh skill update --all`; do not rely on this output being empty on no-op runs | |
github-merge-queue Bot
pushed a commit
to devantler-tech/ksail
that referenced
this pull request
Apr 19, 2026
) * refactor(skills)!: reinstall from upstreams, drop skills-lock.json Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json` + remove its mega-linter exclusions. - Reinstall 15 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. Tooling that reads it must now discover skills under `.agents/skills/` instead. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(update-skills): pin to merged reusable-workflows commit on main The previous PR-head SHA was unreachable from the default branch after reusable-workflows#207 squash-merged, triggering zizmor's "commit with no history in referenced repository" alert. Repoint at the merge commit on `main`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
to devantler-tech/ksail
that referenced
this pull request
Apr 19, 2026
) * refactor(skills)!: reinstall from upstreams, drop skills-lock.json Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json` + remove its mega-linter exclusions. - Reinstall 15 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. Tooling that reads it must now discover skills under `.agents/skills/` instead. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(update-skills): pin to merged reusable-workflows commit on main The previous PR-head SHA was unreachable from the default branch after reusable-workflows#207 squash-merged, triggering zizmor's "commit with no history in referenced repository" alert. Repoint at the merge commit on `main`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
to devantler-tech/ksail
that referenced
this pull request
Apr 19, 2026
) * refactor(skills)!: reinstall from upstreams, drop skills-lock.json Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json` + remove its mega-linter exclusions. - Reinstall 15 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. Tooling that reads it must now discover skills under `.agents/skills/` instead. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(update-skills): pin to merged reusable-workflows commit on main The previous PR-head SHA was unreachable from the default branch after reusable-workflows#207 squash-merged, triggering zizmor's "commit with no history in referenced repository" alert. Repoint at the merge commit on `main`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
devantler
added a commit
to devantler-tech/ksail
that referenced
this pull request
Apr 20, 2026
) * refactor(skills)!: reinstall from upstreams, drop skills-lock.json Re-install each agent skill from its original upstream repo via `gh skill install`, so every installed SKILL.md now carries `metadata.github-*` frontmatter pointing at the true origin instead of `devantler-tech/skills`. `gh skill update --all` reads that metadata directly, making the sidecar `skills-lock.json` redundant. - Delete `skills-lock.json` + remove its mega-linter exclusions. - Reinstall 15 skills from upstream via `gh skill install <owner/repo> <path> --agent github-copilot --scope project --dir .agents/skills`. - Bump `update-skills.yaml` to pin the refreshed reusable workflow and swap `skills-lock` for the new `dir` input. BREAKING CHANGE: `skills-lock.json` is removed. Tooling that reads it must now discover skills under `.agents/skills/` instead. Refs: devantler-tech/skills#16, devantler-tech/actions#95, devantler-tech/reusable-workflows#207 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(update-skills): pin to merged reusable-workflows commit on main The previous PR-head SHA was unreachable from the default branch after reusable-workflows#207 squash-merged, triggering zizmor's "commit with no history in referenced repository" alert. Repoint at the merge commit on `main`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace the
skills-lock.json-driven flow with a thin wrapper aroundgh skill install/gh skill update --all. Each installedSKILL.mdnow self-describes its upstream via themetadata.github-*frontmatter thatgh skill installinjects natively — no sidecar manifest required.Type of change
What changed
setup-copilot-skillsskillslist — newline-separated<owner/repo> <skill>[@pin]entries so consumers can mix upstreams freely.#comments and blank lines are allowed.skills-lock,source, and the oldskills-means-names-from-one-source input are removed.jqdependency dropped.@<tag|branch|sha>pins map togh skill install --pin; reproducible installs work without a lockfile.update-copilot-skillsgh skill update --all --dir <dir>; the CLI edits installedSKILL.mdfiles in place.dir,dry-run, andunpininputs;skills-lockinput removed.changedoutput computed from SKILL.md content hashes before/after the run, so the action works regardless of whether the caller is in a git workspace.Both READMEs gain a Migrating from v1 section with a before/after snippet, and the root
README.mdaction list is refreshed.Breaking change
setup-copilot-skillsandupdate-copilot-skillsboth remove theskills-lockinput;setup-copilot-skillsalso removes thesourceinput and redefinesskillsas the sole list input. Consumers should delete anyskills-lock.jsonand move each entry onto its own<owner/repo> <skill>line insetup-copilot-skills.with.skills. Companion PRs indevantler-tech/skills,devantler-tech/reusable-workflows,devantler-tech/ksail, anddevantler-tech/platformmigrate the upstream-index repo, reusable workflow, and downstream consumers to match.