You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(skills): update pulumi/agent-skills to 592e4da with corrected paths (#732)
* chore(deps): update pulumi/agent-skills digest to 592e4da
* chore(skills): bump spec.version for package-usage,provider-upgrade,pulumi-automation-api,pulumi-best-practices,pulumi-component,pulumi-esc,pulumi-upgrade-provider,upstream-patches
* fix(skills): update pulumi/agent-skills paths after upstream restructure
pulumi/agent-skills moved skill directories from authoring/skills/<name>
to pulumi/skills/<name> (or package-maintenance/skills/<name> for
pulumi-upgrade-provider and upstream-patches) at commit 592e4da. This
broke validate-skills and skill-security-scan CI checks in PR #695
since the old path no longer resolves. Update spec.yaml path fields to
match upstream's new layout.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
* fix(skills): resolve remaining CI failures on pulumi path-fix PR
- pulumi-esc: bump version to 0.2.0 per skillversionbump policy — the
path-fix diff is a full-content move (+/-100 lines, SKILL.md changed),
which requires a minor bump, not the patch bump renovate applied.
- provider-upgrade: allowlist ATR_2026_00066 FP, a documented
${VERSION}/${OS}/${ARCH} shell substitution building a schema-tools
release download URL.
- pulumi-upgrade-provider: allowlist ATR_2026_00111 FP, two read-only/
self-authored command substitutions in the documented post-run steps
($(git branch --show-current), $(cat /tmp/pr_body.txt) re-reading a
temp file the script itself just wrote).
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
* fix(skills): allowlist ATR_2026_00050 FP in provider-upgrade
Non-deterministic scanner surfaced a new finding on re-scan: "Same
error persists" is plain troubleshooting prose in SKILL.md's Preview
Progress section, not executable content.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
* fix(skills): allowlist ATR_2026_00111/00040 FPs in provider-upgrade
Non-deterministic scanner surfaced two more findings from the same
schema-tools download script already covered by the ATR_2026_00066
allowlist entry: $(uname -s...)/$(uname -m) OS/arch detection and
chmod +x on the downloaded binary. Same benign install script,
different rule IDs surviving the meta-analyzer this run.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: toolhive-release-app[bot] <280093410+toolhive-release-app[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>
reason: "pulumi/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter."
24
24
- rule_id: COMPOUND_EXTRACT_EXECUTE
25
25
reason: "The skill documents standard `npm install` / `pip install` / `go get` upgrade workflows which involve extracting packaged archives and running their lifecycle scripts. The scanner itself notes 'found in documentation — may be instructional'."
26
+
# FP: ATR_2026_00066 pattern-matches the `${VERSION}`/`${OS}`/`${ARCH}` shell
27
+
# variable interpolation in a documented `schema-tools` release-download URL
28
+
# (references/diagnostic-toolbox.md). Standard shell variable substitution
29
+
# building a GitHub release asset URL, not an injection vector.
30
+
- rule_id: ATR_2026_00066
31
+
reason: "FP: cisco-ai-skill-scanner matched ${VERSION}/schema-tools-${VERSION}-${OS}-${ARCH} in the documented schema-tools download example (references/diagnostic-toolbox.md); standard shell variable substitution for a GitHub release URL, no injection risk."
32
+
# FP: ATR_2026_00050 pattern-matches "Same error persists" in SKILL.md's
33
+
# "Preview Progress" troubleshooting list — plain prose guidance on
34
+
# interpreting repeated `pulumi preview` errors, no executable content.
35
+
# Non-deterministic scanner: this finding wasn't present on the prior run.
36
+
- rule_id: ATR_2026_00050
37
+
reason: "FP: cisco-ai-skill-scanner matched the phrase 'Same error persists' in a bulleted troubleshooting list (SKILL.md, Preview Progress section) describing how to interpret repeated pulumi preview errors. Plain documentation prose, no executable content."
38
+
# FP: ATR_2026_00111 pattern-matches $(uname -s | tr ...) and $(uname -m) in
39
+
# the same documented schema-tools download script (references/diagnostic-
40
+
# toolbox.md) as ATR_2026_00066 above — detecting the local OS/arch to build
41
+
# the release download URL. Not attacker-controllable input.
42
+
- rule_id: ATR_2026_00111
43
+
reason: "FP: cisco-ai-skill-scanner matched $(uname -s | tr '[:upper:]' '[:lower:]') and $(uname -m) in the documented schema-tools download example (references/diagnostic-toolbox.md); used only to detect the local OS/arch for a release URL, not attacker-controllable input."
44
+
# FP: ATR_2026_00040 pattern-matches `chmod +x /tmp/schema-tools` in the same
45
+
# schema-tools download script — making the just-downloaded release binary
46
+
# executable, a standard install step, not a privilege-escalation pattern.
47
+
- rule_id: ATR_2026_00040
48
+
reason: "FP: cisco-ai-skill-scanner matched 'chmod' in the documented schema-tools install script (references/diagnostic-toolbox.md), which does `chmod +x /tmp/schema-tools` on the binary it just downloaded and extracted. Standard install step, not privilege escalation."
reason: "pulumi/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter."
24
+
# FP: ATR_2026_00111 pattern-matches two read-only/self-authored command
25
+
# substitutions in SKILL.md's Post-run Tasks: `$(git branch --show-current)`
26
+
# (fallback lookup for the current branch's PR URL) and `$(cat /tmp/pr_body.txt)`
27
+
# (re-reading a temp file the same script just wrote, to PATCH the PR body via
28
+
# `gh api`). Neither reads untrusted input or escalates privilege.
29
+
- rule_id: ATR_2026_00111
30
+
reason: "FP: cisco-ai-skill-scanner matched $(git branch --show-current) and $(cat /tmp/pr_body.txt) in SKILL.md's documented post-run steps; both are read-only/self-authored substitutions (branch name lookup, re-reading a locally-written temp file), not privilege escalation."
0 commit comments