coder · DevelopmentCats · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
@@ -0,0 +1,33 @@
+---
+name: Skills deploy gate failed
+about: Auto-opened by the deploy-registry verify job when catalogue or scan fails.
+title: "[skills-gate] Catalogue or scan failure blocking deploy"
+labels: ["skills-gate"]
+---
+
+The pre-deploy verify job for the agent-skills catalogue failed.
+Most recent run:
+
+{{ env.WORKFLOW_URL }}
+
+Trigger: `{{ env.RUN_TRIGGER }}`
+
+This is a single rolling tracker issue. The deploy workflow updates the
+same open issue on every subsequent failure until it is closed. Closing
+this issue without fixing the underlying problem reopens (or creates)
+the next time the gate fails.
+
+Likely causes:
+
+- A `sources[].skills[<slug>]` override in `registry/<namespace>/skills/README.md`
+  no longer matches a `skills/<slug>/SKILL.md` upstream (renamed,
+  deleted, or moved).
+- A declared `owner/repo@ref` no longer clones (repo renamed, deleted,
+  flipped to private, or the branch ref is gone).
+- An upstream `SKILL.md` is missing the required `name` or `description`
+  frontmatter per the agentskills.io v0.2.0 specification.
+- A SkillSpector critical-severity finding on upstream content. Open
+  alerts are listed under the repository's Security tab, Code scanning.
+
+See the run logs and any new Code scanning alerts for specifics, then
+land a PR that updates the catalogue or the upstream source repo.
@@ -102,14 +102,69 @@ jobs:
     # We want to do some basic README checks first before we try analyzing the
     # contents
     needs: validate-style
+    outputs:
+      skills_changed: ${{ steps.filter.outputs.skills }}
     steps:
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Detect changed files
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: filter
+        with:
+          filters: |
+            skills:
+              - 'registry/**/skills/**'
+              - 'cmd/readmevalidation/**'
+              - 'go.mod'
+              - 'go.sum'
+              - '.github/workflows/ci.yaml'
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: "1.24.0"
       - name: Validate contributors
         run: go build ./cmd/readmevalidation && ./readmevalidation
+      - name: Validate skill sources (online)
+        if: steps.filter.outputs.skills == 'true'
+        env:
+          READMEVALIDATION_ONLINE: "1"
+        run: ./readmevalidation
       - name: Remove build file artifact
         run: rm ./readmevalidation
+
+  scan-skills:
+    name: Scan skill sources with SkillSpector
+    runs-on: ubuntu-latest
+    needs: validate-readme-files
+    if: needs.validate-readme-files.outputs.skills_changed == 'true'
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+      - name: Set up yq
+        uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.44.6
+      - name: Install SkillSpector
+        run: |
+          python -m pip install --upgrade pip
+          pip install "skillspector @ git+https://github.com/NVIDIA/SkillSpector.git@2eb844780ab163f01468ecf142c40a2ec0fcaec0"
+      - name: Scan declared skill sources
+        run: ./scripts/scan-skill-sources.sh ./sarif
+      - name: Upload SARIF to code scanning
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: sarif
+      # Initial policy: warn-only. SkillSpector flags real patterns in
+      # coder/skills/setup that are intentional for an installer skill
+      # (GitHub device-flow credential access). The gate prints findings
+      # but does not fail the job. Flip continue-on-error to false in a
+      # follow-up once the coder/skills baseline is triaged.
+      - name: Report critical findings
+        continue-on-error: true
+        run: |
+          jq -e '[.runs[].results[]? | select((.level // "") == "error")] | length == 0' sarif/*.sarif
@@ -19,14 +19,58 @@ on:
       - ".icons/**"
 
 jobs:
-  deploy:
+  verify:
+    name: Verify catalogue and scan skills
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        with:
+          go-version: "1.24.0"
+          cache: false
+      - name: Verify catalogue against upstream sources
+        env:
+          READMEVALIDATION_ONLINE: "1"
+        run: go run ./cmd/readmevalidation
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+      - name: Set up yq
+        uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.44.6
+      - name: Install SkillSpector
+        run: |
+          python -m pip install --upgrade pip
+          pip install "skillspector @ git+https://github.com/NVIDIA/SkillSpector.git@2eb844780ab163f01468ecf142c40a2ec0fcaec0"
+      - name: Scan declared skill sources
+        run: ./scripts/scan-skill-sources.sh ./sarif
+      - name: Upload SARIF to code scanning
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: sarif
+      # Initial policy: warn-only. SkillSpector flags real patterns in
+      # coder/skills/setup that are intentional for an installer skill
+      # (GitHub device-flow credential access). The gate prints findings
+      # but does not fail the deploy. Flip continue-on-error to false in
+      # a follow-up once the coder/skills baseline is triaged.
+      - name: Report critical findings
+        continue-on-error: true
+        run: |
+          jq -e '[.runs[].results[]? | select((.level // "") == "error")] | length == 0' sarif/*.sarif
 
+  deploy:
+    name: Deploy registry
+    needs: verify
+    runs-on: ubuntu-latest
     # Set id-token permission for gcloud
     permissions:
       contents: read
       id-token: write
-
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -41,3 +85,24 @@ jobs:
         run: gcloud builds triggers run 29818181-126d-4f8a-a937-f228b27d3d34 --branch main
       - name: Deploy to registry.coder.com
         run: gcloud builds triggers run 106610ff-41fb-4bd0-90a2-7643583fb9c0 --tag production
+
+  open-issue-on-failure:
+    name: Open or update skills-gate tracker issue
+    needs: verify
+    if: failure()
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Open or update tracker issue
+        uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WORKFLOW_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          RUN_TRIGGER: ${{ github.event_name }}
+        with:
+          filename: .github/ISSUE_TEMPLATE/skills-failure.md
+          update_existing: true
+          search_existing: open