Skip to content

VENDOR.md

Latest commit

 

History

History
76 lines (55 loc) · 2.87 KB

VENDOR.md

File metadata and controls

76 lines (55 loc) · 2.87 KB

Vendoring the JFrog skills

This plugin ships the official JFrog Agent Skills with the package rather than downloading them at runtime. The skills are copied (vendored) from jfrog/jfrog-skills at a pinned version and committed to this repo under skills/.

Because the skills are bundled, updating them requires a new plugin release — there are no runtime skill updates.

Configuration: sync-skills-vendor.json

The vendoring source is declared in sync-skills-vendor.json at the repo root:

{
  "repo": "jfrog/jfrog-skills",
  "pin": "v0.14.0",
  "paths": ["skills"]
}
Field Meaning
repo The upstream GitHub repository (owner/name) to vendor from.
pin The exact upstream ref to vendor (a tag, e.g. v0.14.0). Pin to a tag for reproducibility.
paths The paths within the upstream repo to copy into this repo root. Currently just skills.

How the sync works

scripts/sync-skills.mjs (run via mise run sync-skills):

  1. Downloads the upstream tarball from codeload.github.com for repo at pin (public, no auth).
  2. Extracts it and strips the single top-level directory.
  3. Copies each entry in paths into the repo root (replacing the existing copy).

The result is a flat, committed tree:

skills/
  jfrog/SKILL.md (+ references/ scripts/ assets/)
  jfrog-package-safety-and-download/SKILL.md

The script is dependency-free Node ESM and makes no changes outside the vendored paths.

Bumping the pin

  1. Edit sync-skills-vendor.json and set pin to the new upstream tag (e.g. v0.12.0).

  2. Re-vendor:

    mise run sync-skills

  3. Review the diff under skills/ and commit the regenerated tree together with the updated sync-skills-vendor.json:

    git add sync-skills-vendor.json skills
git commit -m "feat(skills): vendor jfrog-skills@v0.12.0"

  4. Cut a plugin release so the new skills ship to users. Until a release is published, installed plugins keep using the previously vendored skills.

CI runs mise run sync-skills:check, which re-vendors and fails if the committed skills/ tree drifts from the pin. If that check fails on a PR, run mise run sync-skills and commit the result.

Notes

  • Keep skills/ flat: SKILL.md must sit directly under skills/<skill-name>/ (no version directory). The plugin and OpenCode discover skills by {skill,skills}/**/SKILL.md, with the skill name read from each SKILL.md's YAML frontmatter.
  • The vendored tree is byte-identical to the upstream skills/ at the pinned tag; re-running the sync without changing the pin produces no diff (idempotent).