Disable auth check for local-only skill flags #13173
Merged
SamMorrowDrums merged 1 commit into sm/add-skills-command from Apr 15, 2026
Pull request overview
Introduces the new gh skill command group (install/preview/search/update/publish) and supporting skills infrastructure, and adjusts auth-check behavior so explicitly local-only flags can bypass authentication.
Changes:
- Adds `gh skill` top-level command wiring and new skills subcommands (notably `search`, `preview`, `update`).
- Introduces internal skills plumbing (discovery, frontmatter metadata injection, registry, lockfile) plus cross-platform file locking.
- Adds/extends unit + acceptance test coverage for the skills workflows.
Show a summary per file
| File | Description |
|---|---|
| pkg/cmd/skills/skills.go | Adds the gh skill command group and registers skills subcommands. |
| pkg/cmd/root/root.go | Wires skill(s) into the root command. |
| pkg/cmd/skills/search/search.go | Implements skills search using GitHub Code Search + enrichment/ranking. |
| pkg/cmd/skills/search/search_test.go | Unit tests for search behavior, ranking, JSON output, and rate-limit handling. |
| pkg/cmd/skills/preview/preview.go | Implements skill preview (tree + pager rendering, interactive file browsing). |
| pkg/cmd/skills/preview/preview_test.go | Unit tests for preview flows (interactive/non-interactive, file tree, caps). |
| pkg/cmd/skills/update/update.go | Implements skill update scanning, remote comparison, and reinstall/update execution. |
| internal/skills/source/source.go | Adds helpers for parsing/storing skill source repo metadata + host validation. |
| internal/skills/source/source_test.go | Tests for source parsing/host validation. |
| internal/skills/registry/registry.go | Defines agent host registry + install directory resolution. |
| internal/skills/registry/registry_test.go | Tests for registry lookups, install dirs, scope labels, etc. |
| internal/skills/lockfile/lockfile.go | Adds .skill-lock.json read/modify/write with inter-process locking. |
| internal/skills/lockfile/lockfile_test.go | Tests lockfile creation/update + recovery behavior. |
| internal/skills/installer/installer.go | Implements remote/local installs, metadata injection, and safe path writes. |
| internal/skills/installer/installer_test.go | Tests installer behaviors (local copy, traversal protection, progress). |
| internal/skills/frontmatter/frontmatter.go | Adds SKILL.md frontmatter parsing + GitHub/local metadata injection. |
| internal/skills/frontmatter/frontmatter_test.go | Tests parsing + metadata injection/serialization. |
| internal/skills/discovery/discovery.go | Adds repo skill discovery, ref resolution, blob fetching, file listing. |
| internal/skills/discovery/collisions.go | Adds collision detection/formatting for install-name conflicts. |
| internal/skills/discovery/collisions_test.go | Tests collision detection/formatting. |
| internal/flock/flock.go | Adds an OS-agnostic lock sentinel error. |
| internal/flock/flock_unix.go | Adds Unix implementation of non-blocking file locks. |
| internal/flock/flock_windows.go | Adds Windows implementation of non-blocking file locks (x/sys). |
| internal/flock/flock_test.go | Tests for file lock behavior. |
| git/client.go | Adds git helpers used by skills flows (remote URL, ignore checks, short SHA). |
| git/client_test.go | Adds tests for new git helper methods. |
| acceptance/acceptance_test.go | Adds a dedicated acceptance test runner for the “skills” scripts. |
| acceptance/testdata/skills/* | Adds acceptance coverage for install/search/preview/update/publish flows. |
| go.mod | Promotes golang.org/x/sys to a direct dependency (used by Windows flock). |
| .gitignore | Ignores a generated gh artifact. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 0
Add cmdutil.DisableAuthCheckFlag for --from-local on install so that installing from a local directory does not require authentication. This follows the same pattern used by attestation verify for its --bundle flag.

The --dry-run flag on publish is intentionally left with auth enabled because dry-run validation includes remote repository checks (security settings, tag protection, topics).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2cc2693 to f2d978d
Stacked on #13165.

Adds `cmdutil.DisableAuthCheckFlag` for two flags that don't require authentication:

- `--from-local` on `gh skill install` — installs from a local directory, no GitHub API calls needed
- `--dry-run` on `gh skill publish` — validates locally without publishing

This follows the same pattern used by `attestation verify` for its `--bundle` flag (verify.go#L231). Auth is only skipped when the flag is explicitly passed by the user; all other flows retain their auth requirements.
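
The gating rule this PR relies on (the auth check is skipped only when a marked flag is explicitly passed, and every other invocation keeps it), as an added example that is not code from this PR or from the gh code base. It uses Go's standard `flag` package as a stand-in for the CLI's flag library; `skipAuth`, `newFlagSet`, `AuthCheckEnabled` and the `--scope` flag are hypothetical names, and the marking follows the commit message (`--dry-run` left unmarked).

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// skipAuth marks, per command, the flags that disable the auth gate when set.
// Constructed from the commit message: --from-local marked, --dry-run not.
var skipAuth = map[string]map[string]bool{
	"install": {"from-local": true},
	"publish": {},
}

// newFlagSet builds a hypothetical flag set for each modelled command.
func newFlagSet(cmd string) *flag.FlagSet {
	fs := flag.NewFlagSet(cmd, flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep parse errors out of the demo output
	switch cmd {
	case "install":
		fs.Bool("from-local", false, "install from a local directory")
		fs.String("scope", "project", "hypothetical unmarked flag")
	case "publish":
		fs.Bool("dry-run", false, "validate without publishing")
	}
	return fs
}

// AuthCheckEnabled fails closed: unknown commands and bad arguments need auth.
func AuthCheckEnabled(cmd string, args []string) bool {
	marked, known := skipAuth[cmd]
	fs := newFlagSet(cmd)
	if !known || fs.Parse(args) != nil {
		return true
	}
	enabled := true
	// Visit walks only flags set on the command line: defaults never skip the gate.
	fs.Visit(func(f *flag.Flag) {
		if marked[f.Name] {
			enabled = false
		}
	})
	return enabled
}

func main() {
	fmt.Println(AuthCheckEnabled("install", []string{"--from-local", "./my-skill"}),
		AuthCheckEnabled("publish", []string{"--dry-run"}))
}
```

In this model `--from-local=false` also skips the gate, because the decision depends on the flag being present rather than on its value, so the command itself still has to handle the value it was given.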