Skip to content

Commit b3fd7a7

Browse files
JAORMXrenovate[bot]toolhive-release-app[bot]claude
authored
fix(skills): update pulumi/agent-skills to 592e4da with corrected paths (#732)
* chore(deps): update pulumi/agent-skills digest to 592e4da * chore(skills): bump spec.version for package-usage,provider-upgrade,pulumi-automation-api,pulumi-best-practices,pulumi-component,pulumi-esc,pulumi-upgrade-provider,upstream-patches * fix(skills): update pulumi/agent-skills paths after upstream restructure pulumi/agent-skills moved skill directories from authoring/skills/<name> to pulumi/skills/<name> (or package-maintenance/skills/<name> for pulumi-upgrade-provider and upstream-patches) at commit 592e4da. This broke validate-skills and skill-security-scan CI checks in PR #695 since the old path no longer resolves. Update spec.yaml path fields to match upstream's new layout. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> * fix(skills): resolve remaining CI failures on pulumi path-fix PR - pulumi-esc: bump version to 0.2.0 per skillversionbump policy — the path-fix diff is a full-content move (+/-100 lines, SKILL.md changed), which requires a minor bump, not the patch bump renovate applied. - provider-upgrade: allowlist ATR_2026_00066 FP, a documented ${VERSION}/${OS}/${ARCH} shell substitution building a schema-tools release download URL. - pulumi-upgrade-provider: allowlist ATR_2026_00111 FP, two read-only/ self-authored command substitutions in the documented post-run steps ($(git branch --show-current), $(cat /tmp/pr_body.txt) re-reading a temp file the script itself just wrote). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> * fix(skills): allowlist ATR_2026_00050 FP in provider-upgrade Non-deterministic scanner surfaced a new finding on re-scan: "Same error persists" is plain troubleshooting prose in SKILL.md's Preview Progress section, not executable content. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> * fix(skills): allowlist ATR_2026_00111/00040 FPs in provider-upgrade Non-deterministic scanner surfaced two more findings from the same schema-tools download script already covered by the ATR_2026_00066 allowlist entry: $(uname -s...)/$(uname -m) OS/arch detection and chmod +x on the downloaded binary. Same benign install script, different rule IDs surviving the meta-analyzer this run. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: toolhive-release-app[bot] <280093410+toolhive-release-app[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>
1 parent 1d402f5 commit b3fd7a7

8 files changed

Lines changed: 54 additions & 24 deletions

File tree

skills/package-usage/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/package-usage"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "pulumi/skills/package-usage"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

skills/provider-upgrade/spec.yaml

Lines changed: 26 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/provider-upgrade"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "pulumi/skills/provider-upgrade"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"
@@ -23,3 +23,26 @@ security:
2323
reason: "pulumi/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter."
2424
- rule_id: COMPOUND_EXTRACT_EXECUTE
2525
reason: "The skill documents standard `npm install` / `pip install` / `go get` upgrade workflows which involve extracting packaged archives and running their lifecycle scripts. The scanner itself notes 'found in documentation — may be instructional'."
26+
# FP: ATR_2026_00066 pattern-matches the `${VERSION}`/`${OS}`/`${ARCH}` shell
27+
# variable interpolation in a documented `schema-tools` release-download URL
28+
# (references/diagnostic-toolbox.md). Standard shell variable substitution
29+
# building a GitHub release asset URL, not an injection vector.
30+
- rule_id: ATR_2026_00066
31+
reason: "FP: cisco-ai-skill-scanner matched ${VERSION}/schema-tools-${VERSION}-${OS}-${ARCH} in the documented schema-tools download example (references/diagnostic-toolbox.md); standard shell variable substitution for a GitHub release URL, no injection risk."
32+
# FP: ATR_2026_00050 pattern-matches "Same error persists" in SKILL.md's
33+
# "Preview Progress" troubleshooting list — plain prose guidance on
34+
# interpreting repeated `pulumi preview` errors, no executable content.
35+
# Non-deterministic scanner: this finding wasn't present on the prior run.
36+
- rule_id: ATR_2026_00050
37+
reason: "FP: cisco-ai-skill-scanner matched the phrase 'Same error persists' in a bulleted troubleshooting list (SKILL.md, Preview Progress section) describing how to interpret repeated pulumi preview errors. Plain documentation prose, no executable content."
38+
# FP: ATR_2026_00111 pattern-matches $(uname -s | tr ...) and $(uname -m) in
39+
# the same documented schema-tools download script (references/diagnostic-
40+
# toolbox.md) as ATR_2026_00066 above — detecting the local OS/arch to build
41+
# the release download URL. Not attacker-controllable input.
42+
- rule_id: ATR_2026_00111
43+
reason: "FP: cisco-ai-skill-scanner matched $(uname -s | tr '[:upper:]' '[:lower:]') and $(uname -m) in the documented schema-tools download example (references/diagnostic-toolbox.md); used only to detect the local OS/arch for a release URL, not attacker-controllable input."
44+
# FP: ATR_2026_00040 pattern-matches `chmod +x /tmp/schema-tools` in the same
45+
# schema-tools download script — making the just-downloaded release binary
46+
# executable, a standard install step, not a privilege-escalation pattern.
47+
- rule_id: ATR_2026_00040
48+
reason: "FP: cisco-ai-skill-scanner matched 'chmod' in the documented schema-tools install script (references/diagnostic-toolbox.md), which does `chmod +x /tmp/schema-tools` on the binary it just downloaded and extracted. Standard install step, not privilege escalation."

skills/pulumi-automation-api/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/pulumi-automation-api"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "pulumi/skills/pulumi-automation-api"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

skills/pulumi-best-practices/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/pulumi-best-practices"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "pulumi/skills/pulumi-best-practices"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

skills/pulumi-component/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/pulumi-component"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "pulumi/skills/pulumi-component"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

skills/pulumi-esc/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9" # main as of 2026-04-16
13-
path: "authoring/skills/pulumi-esc"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c" # main as of 2026-04-16
13+
path: "pulumi/skills/pulumi-esc"
14+
version: "0.2.0"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

skills/pulumi-upgrade-provider/spec.yaml

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/pulumi-upgrade-provider"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "package-maintenance/skills/pulumi-upgrade-provider"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"
@@ -21,3 +21,10 @@ security:
2121
allowed_issues:
2222
- rule_id: MANIFEST_MISSING_LICENSE
2323
reason: "pulumi/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter."
24+
# FP: ATR_2026_00111 pattern-matches two read-only/self-authored command
25+
# substitutions in SKILL.md's Post-run Tasks: `$(git branch --show-current)`
26+
# (fallback lookup for the current branch's PR URL) and `$(cat /tmp/pr_body.txt)`
27+
# (re-reading a temp file the same script just wrote, to PATCH the PR body via
28+
# `gh api`). Neither reads untrusted input or escalates privilege.
29+
- rule_id: ATR_2026_00111
30+
reason: "FP: cisco-ai-skill-scanner matched $(git branch --show-current) and $(cat /tmp/pr_body.txt) in SKILL.md's documented post-run steps; both are read-only/self-authored substitutions (branch name lookup, re-reading a locally-written temp file), not privilege escalation."

skills/upstream-patches/spec.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ metadata:
99

1010
spec:
1111
repository: "https://github.com/pulumi/agent-skills"
12-
ref: "08a842ebcea42d958fb2843b26c525929de6f6a9"
13-
path: "authoring/skills/upstream-patches"
14-
version: "0.1.0"
12+
ref: "592e4da33a779ad780788c5a22f91f0d5bcb401c"
13+
path: "package-maintenance/skills/upstream-patches"
14+
version: "0.1.1"
1515

1616
provenance:
1717
repository_uri: "https://github.com/pulumi/agent-skills"

0 commit comments

Comments
 (0)