
feat: guard production skill version publishes#4

Merged
kantorcodes merged 4 commits into main from feat/safe-skill-package-discovery
Mar 9, 2026

Conversation

@kantorcodes
Member

Summary

  • block non-stable custom version publishes to production by default
  • default manual workflow scaffolds to staging for ad hoc runs
  • document the explicit opt-in for intentional production prerelease publishes

Validation

  • pnpm run lint
  • pnpm run smoke:badge
  • verified non-stable production overrides now fail fast locally
  • verified staging still permits non-stable versions to reach the broker API path

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the skill-publish action by introducing critical safeguards against unintended production deployments of non-stable skill versions. It improves the developer experience for manual publishing workflows by defaulting to staging and adds a robust retry mechanism for API interactions, making the publishing process more resilient to temporary network issues. These changes collectively aim to increase the stability and reliability of skill deployments.

Highlights

  • Production Guardrails: Implemented a default block on publishing non-stable custom skill versions directly to the production registry, requiring explicit opt-in for intentional prerelease publishes.
  • Improved Manual Workflow Defaults: Updated manual workflow scaffolds to default to staging for ad hoc runs, reducing the risk of accidental production deployments.
  • Enhanced API Request Robustness: Introduced a retry mechanism for API requests to handle transient network failures and improve the reliability of publish operations.
  • Documentation Updates: Updated the README to reflect the new allow-nonstable-production-version input and clarified file exclusion rules.


Changelog
  • README.md
    • Clarified that skill-publish excludes hidden files and directories.
    • Documented the new allow-nonstable-production-version input and its default behavior.
  • action.yml
    • Added a new input allow-nonstable-production-version with a default of false.
    • Passed the new allow-nonstable-production-version input to the main script.
  • bin/lib/distribution-kit.mjs
    • Exported the normalizeApiBaseUrl function.
  • bin/lib/repo-commands.mjs
    • Modified the buildManualWorkflow function to include a publish_target input (staging/production) for manual workflow dispatch.
    • Implemented logic to dynamically set the api-base-url based on the selected publish_target in manual workflows.
  • entrypoint.mjs
    • Extended the ActionError class to include statusCode and code properties for more detailed error handling.
    • Defined constants for retryable HTTP status codes, error codes, and version pattern matching (integer, semver, prerelease).
    • Added utility functions isStableRegistryVersion and isProductionRegistryBase for version and environment validation.
    • Introduced sleep, extractErrorCode, and isRetryableRequestError functions to support robust API request retries.
    • Refactored requestJson to catch network errors and throw ActionError with relevant codes/status.
    • Implemented requestJsonWithRetry to automatically retry API calls on transient failures with exponential backoff.
    • Integrated requestJsonWithRetry into findExistingSkillVersion, skills/config, skills/quote, and skills/jobs API calls.
    • Added logic to prevent publishing non-stable versions to production unless the allowNonstableProductionVersion input is explicitly set to true.
    • Read the new allowNonstableProductionVersion input from environment variables.
  • examples/workflows/publish-manual.yml
    • Added a publish_target input to the example manual workflow, allowing users to choose between staging and production.
    • Configured the api-base-url for the skill-publish action in the example workflow to use the selected publish_target.
  • package.json
    • Bumped the package version from 1.0.1 to 1.0.2.
    • Added a new script test:package-files for running specific file discovery tests.
  • test/package-files.test.mjs
    • Added a new test file to validate the discoverSkillPackageFiles utility, ensuring correct file inclusion and exclusion logic.
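The production guard and version rules listed in the changelog above, as an added JavaScript illustration that is not the action's own code: the registry host name, the error code string and the helper names are assumptions made here, and the check is shown as it would run before any quote or job request is sent.

```javascript
// Added illustration of the production publish guard described in this PR.
// Not the action's own code: the production host, the error code string and
// the helper names are assumptions made for this example.

// Version shapes named in the changelog: a bare integer ("3"), a stable semver
// ("1.2.0"), or a semver with a prerelease suffix ("1.2.0-rc.1").
// Build metadata ("+build.7") does not make a version non-stable.
const INTEGER_VERSION = /^\d+$/;
const SEMVER_VERSION = /^\d+\.\d+\.\d+(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Assumed production host; the real action derives this from its config.
const PRODUCTION_HOSTS = new Set(["api.example-registry.invalid"]);

// Error type carrying statusCode and code, as the changelog describes.
class ActionError extends Error {
  constructor(message, { statusCode = null, code = null } = {}) {
    super(message);
    this.name = "ActionError";
    this.statusCode = statusCode;
    this.code = code;
  }
}

// Stable means an integer version or a semver with no prerelease part.
function isStableRegistryVersion(version) {
  const v = String(version).trim();
  if (INTEGER_VERSION.test(v)) return true;
  const m = SEMVER_VERSION.exec(v);
  return m !== null && m[1] === undefined;
}

// Parse and normalise the base URL so that casing and a trailing slash do not
// let a production URL slip past the check. Unparseable input is not production.
function isProductionRegistryBase(apiBaseUrl) {
  let url;
  try { url = new URL(String(apiBaseUrl).trim()); } catch { return false; }
  return url.protocol === "https:" && PRODUCTION_HOSTS.has(url.hostname.toLowerCase());
}

// Fail fast before any network call. Staging is never blocked; production
// requires a stable version unless the opt-in input is literally "true".
function assertVersionAllowedForTarget({ version, apiBaseUrl, allowNonstableProductionVersion }) {
  const production = isProductionRegistryBase(apiBaseUrl);
  const optIn = String(allowNonstableProductionVersion ?? "false").trim().toLowerCase() === "true";
  if (!production || isStableRegistryVersion(version) || optIn) {
    return { allowed: true, production };
  }
  throw new ActionError(
    `Refusing to publish non-stable version "${version}" to production; ` +
      "set allow-nonstable-production-version=true to opt in.",
    { code: "NONSTABLE_PRODUCTION_VERSION" },
  );
}
```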


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces important safeguards to prevent accidental publishing of non-stable skill versions to the production registry. It adds a new allow-nonstable-production-version input for explicit overrides. The manual publish workflows are also improved to default to a staging environment. Additionally, the action is made more robust by introducing automatic retries with backoff for transient network errors. My review includes a couple of minor suggestions to improve code conciseness and log clarity.

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
@kantorcodes kantorcodes merged commit 6b37048 into main Mar 9, 2026
4 checks passed