Add HOL skill validate workflow#1136
No actionable comments were generated in the recent review.
Walkthrough: Adds a GitHub Actions workflow
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant PR as Pull Request
    participant GH as GitHub Actions
    participant Runner as Actions Runner
    participant Repo as Repository
    participant Action as hashgraph-online/skill-publish
    PR->>GH: open/update PR affecting SKILL.md/skill.json
    GH->>Runner: dispatch validate-skill workflow
    Runner->>Repo: actions/checkout (read)
    Runner->>Action: run skill-publish (mode: validate, skill-dir: .)
    Action->>Repo: read SKILL.md and skill.json
    Action-->>Runner: return validation result
    Runner-->>GH: workflow completes with status
```
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
fa98cae to 7f1f64f
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/validate-skill.yml (1)
16-16: Pin third-party action to a commit SHA instead of a mutable tag.
@v1 can move; pinning to a SHA improves supply-chain integrity and reproducibility.
Suggested change
- - uses: hashgraph-online/skill-publish@v1
+ - uses: hashgraph-online/skill-publish@<full_commit_sha>
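Review bot: the `<full_commit_sha>` placeholder in the `+` line has to be replaced with the full 40-character SHA of a commit you have actually verified in the hashgraph-online/skill-publish repository, and the tag is worth keeping as a trailing comment (`uses: hashgraph-online/skill-publish@<full_commit_sha> # v1`) so the pinned version stays readable and dependency-update tooling can bump it. Pinning also means fixes published under the moving `v1` tag are no longer picked up automatically, so someone needs to own refreshing the SHA.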
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/validate-skill.yml:
- Around line 4-6: The workflow only watches root-level SKILL.md and skill.json;
expand the path globs under the paths key to include nested package files by
adding patterns like **/SKILL.md and **/skill.json (and optionally
**/skills/**/SKILL.md if you want to target skills directories specifically).
Update the existing 'SKILL.md' and 'skill.json' entries in the
validate-skill.yml paths list to these recursive glob patterns so edits in
subdirectories (e.g., package or plugin folders) trigger the workflow.
- Around line 11-13: Remove the unnecessary OpenID Connect permission by
deleting the "id-token: write" entry from the workflow permissions block (leave
"permissions: contents: read" intact); this ensures the job only uses the
RB_API_KEY static API key for hashgraph-online/skill-publish@v1 in validate mode
and avoids granting unneeded id-token access.
---
Nitpick comments:
In @.github/workflows/validate-skill.yml:
- Line 16: The workflow currently references the third‑party action with a
mutable tag "hashgraph-online/skill-publish@v1"; replace that tag with the
action repository's specific commit SHA (full 40‑char) to pin the exact code
used. Locate the uses entry "hashgraph-online/skill-publish@v1" and update it to
"hashgraph-online/skill-publish@<commit-sha>" where <commit-sha> is the exact
commit from the action repo you verified, and commit that change so the workflow
uses the immutable SHA.
```yaml
paths:
  - 'SKILL.md'
  - 'skill.json'
```
🧩 Analysis chain
🏁 Script executed:

```sh
# First, examine the workflow file
cat -n .github/workflows/validate-skill.yml
```

Repository: f/prompts.chat
Length of output: 563

🏁 Script executed:

```sh
# Search for nested SKILL.md and skill.json files
fd -t f 'SKILL\.md$|skill\.json$' --exec echo {} \;
```

Repository: f/prompts.chat
Length of output: 176

🏁 Script executed:

```sh
# Check the overall repository structure to understand package layout
find . -type f -name "SKILL.md" -o -name "skill.json" | head -20
```

Repository: f/prompts.chat
Length of output: 266
Broaden path filters to include skill files in package subdirectories.
The current filters only match root-level SKILL.md and skill.json. The repository contains skill packages in nested directories (e.g., ./.windsurf/skills/book-translation/SKILL.md, ./plugins/claude/prompts.chat/skills/prompt-lookup/SKILL.md), which will not trigger this workflow when modified.
Suggested change
pull_request:
paths:
- - 'SKILL.md'
- - 'skill.json'
+ - '**/SKILL.md'
+ - '**/skill.json'
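Review bot: broadening `paths` to `**/SKILL.md` and `**/skill.json` makes nested packages trigger the run, but the job still calls skill-publish with `skill-dir: .` (see the sequence diagram), so an edit under e.g. ./plugins/claude/prompts.chat/skills/prompt-lookup/ would start the workflow and validate only the repository root. Either pass the changed package's directory as `skill-dir` or run the validation step once per skill directory; otherwise the wider trigger produces a green check without validating the file that changed. `**/SKILL.md` also still matches the root-level file, so the old entries do not need to stay alongside the new ones.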
```yaml
permissions:
  contents: read
  id-token: write
```
🧩 Analysis chain
🏁 Script executed:

```sh
cat -n .github/workflows/validate-skill.yml
```

Repository: f/prompts.chat
Length of output: 563
🌐 Web query:
hashgraph-online/skill-publish@v1 OIDC id-token validation mode
💡 Result:
The hashgraph-online/skill-publish@v1 GitHub Action does not support OIDC id-token validation mode. Authentication is exclusively via a static Registry Broker API key passed as the required 'api-key' input from repository secrets (RB_API_KEY). No OIDC, id-token, or token exchange features are mentioned in the official documentation, README, npm package, or related Registry Broker API references. API keys are generated via https://hol.org/registry/docs?tab=api-keys, with ledger-based alternatives like 'npx skill-publish setup' using Hedera private keys, but no OIDC integration for GitHub Actions.
Citations:
- 1: https://github.com/hashgraph-online/skill-publish
- 2: https://registry.npmjs.org/skill-publish
- 3: https://hol.org/docs/registry-broker/
- 4: https://hol.org/registry/skill.md
- 5: https://github.com/marketplace/actions/skill-publish
- 6: https://hol.org/docs/registry-broker/api/client/
- 7: https://hol.org/docs/libraries/standards-sdk/registry-broker-client
Drop id-token: write permission—the skill-publish action uses static API key authentication, not OIDC.
The workflow only performs validation using hashgraph-online/skill-publish@v1 with mode: validate, which authenticates via the RB_API_KEY secret, not OIDC. Neither actions/checkout nor skill-publish requires id-token permissions. Removing this reduces unnecessary token exposure.
Suggested change
permissions:
contents: read
- id-token: write
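Review bot: once the top-level block is reduced to `contents: read`, every other scope including `id-token` defaults to none, so the change is correct on its own. The surrounding text disagrees about whether the secret is needed at all, though: the PR description says "no API keys needed" while the finding says validate mode authenticates with `RB_API_KEY`. Confirm which is right before merging, because `pull_request` runs from forks do not receive repository secrets; if the key really is required, a fork PR touching SKILL.md would fail validation regardless of this permission change.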
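The two findings above, the mutable `@v1` reference and the surplus `id-token: write` scope, are worth checking automatically across every workflow file rather than relying on a reviewer to spot them. The scanner below is an added example written for this page; it is not CodeRabbit's tooling and not code from the f/prompts.chat project. It walks workflow text line by line and reports every `uses:` reference that is not pinned to a full 40-character commit SHA and every `write` grant in any `permissions:` block. The two workflow strings are constructed samples modelled on the shape the review describes (the real validate-skill.yml is not reproduced on the page), and the all-zero and all-one SHAs in the hardened sample are obvious placeholders, not real commits.

```python
import re

# Constructed sample modelled on the workflow under review (the real
# validate-skill.yml is not reproduced on the page; its shape is assumed).
WEAK_WORKFLOW = """\
name: validate-skill
on:
  pull_request:
    paths:
      - 'SKILL.md'
      - 'skill.json'
permissions:
  contents: read
  id-token: write
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashgraph-online/skill-publish@v1
        with:
          mode: validate
          skill-dir: .
"""

# The same workflow with the review findings applied. The 40-character SHAs are
# placeholders; a real pin is a verified commit from each action's repository.
HARDENED_WORKFLOW = """\
name: validate-skill
on:
  pull_request:
    paths:
      - '**/SKILL.md'
      - '**/skill.json'
permissions:
  contents: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: hashgraph-online/skill-publish@1111111111111111111111111111111111111111  # v1 (placeholder SHA)
        with:
          mode: validate
          skill-dir: .
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
WRITE_SCOPE_RE = re.compile(r"^\s*([a-z-]+):\s*write\s*(#.*)?$")


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local composite actions and docker images are versioned differently; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        # A ref with no '@' lands here too: rpartition then yields the whole string.
        if not FULL_SHA_RE.match(ref.rpartition("@")[2]):
            findings.append((line_no, ref))
    return findings


def find_write_permissions(workflow_text):
    """Return (line_no, scope) for every write grant in any permissions: block."""
    findings = []
    block_indent = None  # indent of the permissions: key we are currently inside
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # dedented past the block: we have left it
        if stripped.startswith("permissions:"):
            value = stripped[len("permissions:"):].strip()
            if value == "write-all":
                findings.append((line_no, "write-all"))
            elif value == "":
                block_indent = indent  # mapping form: scopes follow on indented lines
            continue
        if block_indent is not None:
            m = WRITE_SCOPE_RE.match(line)
            if m:
                findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "unpinned:", find_unpinned_actions(text),
              "write scopes:", find_write_permissions(text))
```

Run against the weak sample it reports both `uses:` lines and the `id-token` scope; against the hardened sample it reports nothing. The scanner is deliberately line-based so it needs no YAML library, which also means it only understands the block-mapping layout GitHub workflows normally use; a `permissions:` written as a flow mapping on one line would need a real parser. It also treats job-level `permissions:` blocks the same way as the top-level one, which is what you want, since a job can widen what the workflow granted.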
7f1f64f to 94f5a98
Hi 👋
Adding a validate-only workflow for skill packages. This runs on every PR that touches SKILL.md or skill.json — no API keys needed.
What's included
.github/workflows/validate-skill.yml
Why
Let me know if you'd like changes!