feat: add skills support across language packs#73
Open
markcallen wants to merge 2 commits intomainfrom
Open
Conversation
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds first-class skills support to Ballast (alongside agent rules) and ships the initial common skill owasp-security-scan, including packaging/install flows and smoke/unit coverage across TypeScript, Python, Go, and the wrapper CLI.
Changes:
- Add shared
skills/source content forowasp-security-scanand sync/embed/package it for TypeScript, Python, and Go. - Implement
--skill/--all-skills, config persistence (skillsarray), target-specific skill installers, and support-file indexing (CLAUDE.md/AGENTS.md) updates. - Add smoke tests and unit tests for skill build/install flows across CLIs.
Reviewed changes
Copilot reviewed 42 out of 42 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| skills/common/owasp-security-scan/SKILL.md | Adds the shared OWASP security scan skill definition and instructions. |
| skills/common/owasp-security-scan/references/ci-workflow.md | Adds CI workflow templates referenced by the skill. |
| skills/common/owasp-security-scan/references/owasp-mapping.md | Adds OWASP category/tool-code mapping reference. |
| skills/common/owasp-security-scan/references/remediation-guide.md | Adds remediation guidance for common findings. |
| skills/common/owasp-security-scan/references/tool-config.md | Adds example tool configuration snippets for scanners. |
| scripts/smoke-skills.sh | Adds a smoke script validating skill installs across targets. |
| packages/ballast-typescript/src/agents.ts | Adds skill discovery/validation helpers in the TypeScript CLI. |
| packages/ballast-typescript/src/build.ts | Implements skill builders (Cursor frontmatter, Markdown, Claude zip) and destinations. |
| packages/ballast-typescript/src/build.test.ts | Adds unit tests for skill build/destination behavior. |
| packages/ballast-typescript/src/cli.ts | Adds --skill/-s and --all-skills CLI flags. |
| packages/ballast-typescript/src/cli.test.ts | Adds tests for parsing the new skill flags. |
| packages/ballast-typescript/src/config.ts | Extends config schema with optional skills. |
| packages/ballast-typescript/src/config.test.ts | Updates config tests to cover skills persistence. |
| packages/ballast-typescript/src/install.ts | Implements skill installation + config persistence + support file updates. |
| packages/ballast-typescript/src/install.test.ts | Adds coverage for installing skills alongside agent rules. |
| packages/ballast-typescript/src/patch.ts | Updates patching to handle both “Installed agent rules” and “Installed skills” sections. |
| packages/ballast-typescript/scripts/sync-agents.mjs | Updates sync script to copy both agents/ and skills/ into the TS package. |
| packages/ballast-typescript/package.json | Includes skills in published files and adds a sync script entry. |
| packages/ballast-typescript/skills/common/owasp-security-scan/SKILL.md | Adds the packaged copy of the common skill for the TS distribution. |
| packages/ballast-typescript/skills/common/owasp-security-scan/references/ci-workflow.md | Adds the packaged copy of the CI reference for TS distribution. |
| packages/ballast-typescript/skills/common/owasp-security-scan/references/owasp-mapping.md | Adds the packaged copy of the mapping reference for TS distribution. |
| packages/ballast-typescript/skills/common/owasp-security-scan/references/remediation-guide.md | Adds the packaged copy of remediation guidance for TS distribution. |
| packages/ballast-typescript/skills/common/owasp-security-scan/references/tool-config.md | Adds the packaged copy of tool config examples for TS distribution. |
| packages/ballast-python/ballast/cli.py | Implements skill discovery, packaging, install, config persistence, and support-file indexing for Python. |
| packages/ballast-python/pyproject.toml | Ensures skills/**/* is included in Python package data. |
| packages/ballast-python/tests/test_cli.py | Adds unit coverage for skill install/build/support-file generation in Python CLI. |
| packages/ballast-python/ballast/skills/common/owasp-security-scan/SKILL.md | Adds the packaged copy of the common skill for the Python distribution. |
| packages/ballast-python/ballast/skills/common/owasp-security-scan/references/ci-workflow.md | Adds the packaged copy of the CI reference for Python distribution. |
| packages/ballast-python/ballast/skills/common/owasp-security-scan/references/owasp-mapping.md | Adds the packaged copy of the mapping reference for Python distribution. |
| packages/ballast-python/ballast/skills/common/owasp-security-scan/references/remediation-guide.md | Adds the packaged copy of remediation guidance for Python distribution. |
| packages/ballast-python/ballast/skills/common/owasp-security-scan/references/tool-config.md | Adds the packaged copy of tool config examples for Python distribution. |
| packages/ballast-go/cmd/ballast-go/main.go | Adds embedded skills, skill install/build logic, and config persistence in Go CLI. |
| packages/ballast-go/cmd/ballast-go/main_test.go | Adds Go unit tests for skill packaging, destinations, install, and persistence. |
| packages/ballast-go/cmd/ballast-go/skills/common/owasp-security-scan/SKILL.md | Adds the embedded skill content for the Go CLI. |
| packages/ballast-go/cmd/ballast-go/skills/common/owasp-security-scan/references/ci-workflow.md | Adds the embedded CI reference for the Go CLI. |
| packages/ballast-go/cmd/ballast-go/skills/common/owasp-security-scan/references/owasp-mapping.md | Adds the embedded mapping reference for the Go CLI. |
| packages/ballast-go/cmd/ballast-go/skills/common/owasp-security-scan/references/remediation-guide.md | Adds the embedded remediation guidance for the Go CLI. |
| packages/ballast-go/cmd/ballast-go/skills/common/owasp-security-scan/references/tool-config.md | Adds the embedded tool config examples for the Go CLI. |
| cli/ballast/main.go | Extends wrapper monorepo planning/forwarding to include skill selections. |
| docs/installation.md | Documents skill flags, config shape, and install locations for skills per target. |
| README.md | Updates top-level docs to explain skills and how to install them. |
| .github/workflows/examples-smoke.yml | Adds a new CI job to smoke-test skills install paths and outputs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+532
to
+538
| const agentsFromFlag = options.all ? 'all' : options.agents; | ||
| const skillsFromFlag = options.allSkills ? 'all' : options.skills; | ||
| const resolved = await resolveTargetAndAgents({ | ||
| projectRoot, | ||
| target: options.target, | ||
| agents: agentsFromFlag, | ||
| skills: skillsFromFlag, |
There was a problem hiding this comment.
runInstall forwards options.agents/options.skills directly into resolveTargetAndAgents. When the CLI parses no --agent/--skill flags, these end up as empty arrays, which overrides any saved .rulesrc.json values and forces prompts (and can fail in --yes/CI mode). Treat empty selections as “unset” (e.g., pass undefined when the array is empty) so saved config is honored unless the user explicitly provided flags.
Comment on lines
+57
to
+61
| "G104": { | ||
| "ErrorFunctions": { | ||
| "fmt": ["Fprintln", "Fprintf", "Fprintf"] | ||
| } | ||
| } |
There was a problem hiding this comment.
In the gosec config example, the fmt ErrorFunctions list contains "Fprintf" twice (["Fprintln", "Fprintf", "Fprintf"]). This looks like a copy/paste typo and could confuse users configuring gosec; replace the duplicate with the intended function (or remove it) and ensure the synced package copies are updated too.
Comment on lines
26
to
28
| "sync:agents": "node ./scripts/sync-agents.mjs", | ||
| "sync:skills": "node ./scripts/sync-agents.mjs", | ||
| "build": "pnpm run sync:agents && tsc", |
There was a problem hiding this comment.
sync:skills and sync:agents both invoke ./scripts/sync-agents.mjs, which now syncs both agents and skills. This makes sync:skills misleading (it doesn’t sync only skills) and the naming is inconsistent with the behavior; consider renaming the script to something like sync-content.mjs and/or making sync:skills call a dedicated script that only syncs skills.
Suggested change
| "sync:agents": "node ./scripts/sync-agents.mjs", | |
| "sync:skills": "node ./scripts/sync-agents.mjs", | |
| "build": "pnpm run sync:agents && tsc", | |
| "sync:content": "node ./scripts/sync-agents.mjs", | |
| "sync:agents": "pnpm run sync:content", | |
| "sync:skills": "pnpm run sync:content", | |
| "build": "pnpm run sync:content && tsc", |
Contributor
Author
|
Addressed the Copilot review feedback in Changes:
Verification rerun after the fixes:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
skills/source content forowasp-security-scanand sync/package/embed it for TypeScript, Python, and Go--skilland--all-skills, config persistence, target-specific skill installers, and installed-skills sections inCLAUDE.md/AGENTS.mdVerification
pnpm --filter @everydaydevopsio/ballast run test:coveragepython3 -m unittest packages/ballast-python/tests/test_cli.pygo test ./...inpackages/ballast-gogo test ./...incli/ballastPATH=/tmp:$PATH scripts/smoke-skills.sh /home/marka/src/ballastCloses #47