Skip to content

Harden aitools raw skill installs#5770

Queued
simonfaltum wants to merge 1 commit into
mainfrom
simonfaltum/aitools-installer-hardening
Queued

Harden aitools raw skill installs#5770
simonfaltum wants to merge 1 commit into
mainfrom
simonfaltum/aitools-installer-hardening

Conversation

@simonfaltum

@simonfaltum simonfaltum commented Jun 30, 2026
edited
Loading

Copy link
Copy Markdown
Member

Stack

Why

Bug bash installs showed that raw skill delivery could leave users with brittle failures: a missing manifest asset produced a low-context HTTP error, and a failed download could replace the canonical skill directory with a partial install. Existing third-party skill backups could also fail across filesystems.

Changes

This is PR 1 in the aitools bug bash stack.

  • Resolve the default latest skills setting through the latest databricks-agent-skills release tag instead of installing raw skills from main.
  • Download each raw skill into a temporary directory, then swap it into place only after all files are fetched successfully.
  • Preserve the previous canonical skill directory when a refetch fails.
  • Include repo dir, skill name, file path, and ref in per-file fetch errors.
  • Fall back to copy-and-remove when backing up an existing agent skill hits a cross-device rename, including Windows ERROR_NOT_SAME_DEVICE.
  • Add terse progress output for manifest fetches, raw skill downloads/exposure, and plugin installs.

Test plan

  • go test ./libs/aitools/installer ./cmd/aitools
  • ./task test-exp-aitools
  • ./task checks
  • ./task lint-q
  • ./task fmt-q

@simonfaltum simonfaltum force-pushed the simonfaltum/aitools-installer-hardening branch from 2685636 to d0db063 Compare June 30, 2026 10:27
@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jun 30, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Integration test report

Commit: e5d0608

Run: 28445168851

Env 🟨​KNOWN 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
💚​ aws linux 8 13 231 1037 3:42
🟨​ aws windows 7 1 13 233 1035 6:05
💚​ aws-ucws linux 8 13 315 955 5:24
💚​ aws-ucws windows 8 13 317 953 3:05
💚​ azure linux 2 15 231 1036 3:35
💚​ azure windows 2 15 233 1034 2:55
💚​ azure-ucws linux 2 15 317 952 4:45
💚​ azure-ucws windows 2 15 319 950 3:12
💚​ gcp linux 2 15 230 1038 3:31
💚​ gcp windows 2 15 232 1036 2:34
21 interesting tests: 13 SKIP, 7 KNOWN, 1 RECOVERED
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 💚​R 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 💚​R 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 💚​R 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R

This was referenced Jun 30, 2026
Open
Open
@simonfaltum simonfaltum force-pushed the simonfaltum/aitools-installer-hardening branch from d0db063 to 331ae5e Compare June 30, 2026 11:31
@simonfaltum simonfaltum force-pushed the simonfaltum/aitools-installer-hardening branch from 81030c8 to 1dd8edb Compare June 30, 2026 12:10
@simonfaltum simonfaltum force-pushed the simonfaltum/aitools-installer-hardening branch from 1dd8edb to 74835c1 Compare June 30, 2026 12:28
@simonfaltum simonfaltum force-pushed the simonfaltum/aitools-installer-hardening branch from 74835c1 to e5d0608 Compare June 30, 2026 12:42
@simonfaltum simonfaltum added this pull request to the merge queue Jun 30, 2026
Any commits made after this event will not be merged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@atilafassina atilafassina atilafassina approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simonfaltum @eng-dev-ecosystem-bot @atilafassina