chore: simplify skills publishing pipeline

[jyaunches]

Summary

Removes the catalog-skills allowlist, exporter script, drift gate, and nightly refresh automation. Publishing a user-facing skill is now:

cp -r .agents/skills/nemoclaw-user-<name> skills/
git commit -am "chore(skills): publish nemoclaw-user-<name>"
# open PR, comment /nvskills-ci, merge

skills/ is the source of truth for what is published. NVSkills CI signs one skill per PR (which is the existing timeout constraint anyway).

Why

The current gate (scripts/export-catalog-skills.py --check --allow-missing) requires .agents/catalog-skills.yaml and skills/ to be in lockstep on every commit. NVSkills CI's per-skill signing cadence means we land published skills incrementally over many PRs, so allowlist and export are intentionally out of sync for the duration of the migration. The gate fights that workflow and forced #4438 to skip pre-commit hooks just to push.

The system as a whole had three sources of truth (allowlist, source .agents/skills/, exported skills/) all needing to agree. Collapsing to two (source + published) eliminates the class of inconsistencies the gate was built to catch — because there's nothing left to be inconsistent.

What replaces drift detection

On-demand verification: ask an agent to diff skills/<name>/ against .agents/skills/<name>/ and report any content differences (ignoring skill.oms.sig and skill-card.md). Documented in the rewritten .github/catalog-skills-signing-flow.md.

The nightly refresh bot's job (regenerating from source) is no longer meaningful since there's no allowlist driving regeneration — each published skill is now an explicit human decision per PR.

Removed

• .agents/catalog-skills.yaml (allowlist)
• scripts/export-catalog-skills.py (exporter + checker, 460 lines)
• test/catalog-skills-export.test.ts (test for the deleted script)
• .github/workflows/catalog-skills-refresh.yaml (nightly refresh bot)
• .github/pr-bodies/catalog-skills-refresh.md (bot PR body template)
• .pre-commit-config.yaml catalog-skills-export hook
• .github/workflows/pr.yaml "Verify catalog skills export" step
• .github/CODEOWNERS line for the deleted allowlist

Rewritten

• .github/catalog-skills-signing-flow.md — was a Mermaid diagram of the seven-step generator/checker/refresh flow. Now a 40-line manual workflow doc.

Downstream

#4438 (and the 9 per-skill PRs to follow) need to rebase onto this. After rebase, Miyoung's PR becomes a plain cp -r of two skill directories with no manifest and no SPDX-stripping — strictly "as authored" content under skills/.

Type of Change

• Code change (refactor / removal)

Verification

• No secrets, API keys, or credentials committed

Signed-off-by: Julie Yaunches jyaunches@nvidia.com

Summary by CodeRabbit

• Chores

  • Removed the catalog skills automation and export tooling, related ownership entry, CI hook, and pre-commit check
  • Updated PR CI verification to focus on platform documentation checks

• Documentation

  • Replaced the detailed signing flow with a concise user-facing publishing guide
  • Removed the catalog refresh PR template

• Tests

  • Removed the catalog skills export test suite

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8126a239-d8a3-4538-b6c6-1fc67c229168

📥 Commits

Reviewing files that changed from the base of the PR and between 19151a8 and 46c861c.

📒 Files selected for processing (1)

• .github/catalog-skills-signing-flow.md

✅ Files skipped from review due to trivial changes (1)

• .github/catalog-skills-signing-flow.md

---

📝 Walkthrough

Walkthrough

Removes the automated catalog skills export system (config, script, workflow, tests, PR body) and updates CI checks, pre-commit hooks, documentation, and CODEOWNERS to reflect a manual, comment-triggered signing flow using /nvskills-ci.

Changes

Remove catalog skills export automation

Layer / File(s)	Summary
CI/CD and pre-commit updates .github/workflows/pr.yaml, .pre-commit-config.yaml	Replaces the PR check that ran scripts/export-catalog-skills.py --check --allow-missing with scripts/generate-platform-docs.py --check; removes the local catalog-skills-export pre-commit hook.
Docs and CODEOWNERS update .github/catalog-skills-signing-flow.md, .github/CODEOWNERS	Rewrites the catalog skills signing flow with step-by-step manual publishing and refresh instructions and removes the specific /.agents/catalog-skills.yaml CODEOWNERS entry, keeping directory-level /.agents/skills/ ownership.

Sequence Diagram(s)

sequenceDiagram
  participant Maintainer
  participant GitHubCommentListener
  participant SigningCI
  participant Repo
  Maintainer->>Repo: add or refresh skill in `skills/` and open PR
  Maintainer->>GitHubCommentListener: comment `/nvskills-ci`
  GitHubCommentListener->>SigningCI: trigger signing workflow
  SigningCI->>Repo: publish signed artifacts to `/.agents/skills/`

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4334: Touches the catalog-skills refresh workflow and PR-body documentation that this PR deletes.
• NVIDIA/NemoClaw#4342: Modifies the catalog-skills export pipeline paths and workflows related to the deleted automation.
• NVIDIA/NemoClaw#4284: Introduced the deterministic signed export implementation that this PR removes.

Suggested labels

CI/CD, documentation

Suggested reviewers

• miyoungc
• cv

Poem

I hopped through code with careful paws,
Export scripts gone without a cause,
Now sign with comments, swift and sly —
/nvskills-ci gives a carrot-high. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: simplify skills publishing pipeline' directly and concisely summarizes the main change: simplifying the skills publishing process by removing the catalog-skills allowlist system, exporter script, nightly automation, and related infrastructure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/simplify-skills-publishing

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: docs-validation-e2e, skill-agent-e2e

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No merge-blocking existing E2E is recommended because the changed files remove catalog publishing automation, CI/pre-commit checks, docs, CODEOWNERS, and tests, without modifying installer/onboarding, sandbox lifecycle, credentials, network policy, inference routing, or assistant runtime code. Existing E2E jobs only provide adjacent confidence and do not directly cover the catalog export/signing flow being changed.

Optional E2E

• docs-validation-e2e (medium): Optional confidence for documentation-adjacent changes: this installs NemoClaw and runs the repository docs validation job, but it does not specifically validate the removed catalog export automation.
• skill-agent-e2e (high): Optional adjacent coverage for the assistant skill mechanism: it verifies skill injection and agent consumption in a real sandbox, but it does not cover NVIDIA Verified Skills catalog publication or signing.

New E2E recommendations

• catalog-skills-publishing-ci (medium): No existing E2E job appears to validate the customer-facing catalog publication flow after the exporter/refresh workflow removal. Add a lightweight workflow-dispatched E2E or integration check that creates a temporary published skill under skills/, verifies required catalog artifacts and signing handoff expectations, and prevents internal nemoclaw-maintainer-* or nemoclaw-contributor-* skills from being published.
  • Suggested test: catalog-skills-publishing-flow-e2e

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 6 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 5 still apply, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Source-of-truth review needed: Manual root `skills/` publishing and on-demand drift spot-checking: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: The doc says source and published skills `can drift` and recommends asking an agent to compare directories, while the deterministic exporter, manifest, PR check, pre-commit hook, refresh workflow, and tests are deleted.
• Catalog publishing policy becomes documentation-only (.github/catalog-skills-signing-flow.md:6): The rewritten flow makes root `skills/` the NVSkills-watched publishing surface and says whatever lives there is signed and published, while the diff removes the allowlist, exporter, PR check, pre-commit hook, and refresh automation. Internal `nemoclaw-maintainer-*` and `nemoclaw-contributor-*` skills live next to public user skills under `.agents/skills`, so the public/internal catalog boundary is now enforced only by manual review and prose naming conventions.
  • Recommendation: Keep the simplified manual publishing flow if desired, but add a lightweight deterministic CI/pre-commit guard that validates root `skills/` contains only explicitly permitted public skill directories and rejects internal prefixes. Use a checked-in policy if exceptions are intended.
  • Evidence: Deleted `.agents/catalog-skills.yaml`, `scripts/export-catalog-skills.py`, the PR workflow `Verify catalog skills export is in sync` step, and the `catalog-skills-export` pre-commit hook. The new doc states: `Whatever lives there is what gets signed and published. There is no allowlist, manifest, or generator script`.
• Catalog export safety tests are deleted without replacement coverage (test/catalog-skills-export.test.ts:1): The deleted test suite covered security-relevant catalog behavior, including unsafe allowlist path rejection, expected public skill set, signer artifact preservation, and failure when preservation broke. No replacement test or runtime validation now verifies that root `skills/` entries are public-only, match source content where expected, or handle signing artifacts intentionally.
  • Recommendation: Add replacement validation and tests for the new invariant: published `skills/` directories are permitted public skills, internal prefixes are rejected, content drift from `.agents/skills` is detected or explicitly documented, and `skill.oms.sig`/`skill-card.md` are handled intentionally.
  • Evidence: `test/catalog-skills-export.test.ts` is removed entirely, while `.github/workflows/pr.yaml` and `.pre-commit-config.yaml` also drop the only automated catalog freshness checks.
• On-demand drift detection does not define a durable source-of-truth boundary (.github/catalog-skills-signing-flow.md:40): The PR replaces deterministic drift checking with instructions to ask an agent to compare root `skills/` against `.agents/skills`. That documents the invalid state but does not prevent or reliably detect it. The PR body also claims the inconsistency class is eliminated, while the new doc explicitly says source and published skills can drift.
  • Recommendation: Encode the intended source-of-truth model in repository-owned tooling: either make `skills/` the sole reviewed source and validate allowed contents, or keep a drift checker that compares each published skill to `.agents/skills` with documented exceptions for signing artifacts. Add a regression test and document the migration/removal condition for any temporary manual spot-check process.
  • Evidence: The new doc says source `/.agents/skills/` and published `/skills/` `can drift` and recommends asking an agent to compare directories while ignoring `skill.oms.sig` and `skill-card.md`. The deleted exporter previously provided deterministic `--check` behavior and generated metadata.
• Published skill policy is ambiguous for `nemoclaw-skills-guide` (.github/catalog-skills-signing-flow.md:49): The new documentation says only customer-facing `nemoclaw-user-*` skills go in the catalog, but the deleted allowlist included `nemoclaw-skills-guide` as a public index. If that skill remains intended for the catalog, the new policy silently excludes it; if it is no longer intended, downstream publishing work needs to account for the scope change.
  • Recommendation: Clarify whether `nemoclaw-skills-guide` is still catalog-publishable. If yes, document it as an explicit exception and include it in the deterministic `skills/` guard; if no, note that the public catalog index is intentionally no longer published.
  • Evidence: Deleted `.agents/catalog-skills.yaml` included `nemoclaw-skills-guide` with rationale `Public index for user-facing NemoClaw skills.` The rewritten doc says: `Only customer-facing skills, identified by the nemoclaw-user-* naming convention.`
• This deletion overlaps active catalog export work (.agents/catalog-skills.yaml:1): The PR deletes files that are still being modified by active catalog publishing work. This may be intentional simplification, but it should be coordinated because overlapping work may otherwise continue building on files and tests removed here.
  • Recommendation: Confirm whether this PR supersedes the overlapping catalog export PR, then rebase, retarget, or close the overlapping work so the repository has one clear publishing model.
  • Evidence: Trusted drift context reports open PR chore: skills signing batch 1 #4438, `chore: export nemoclaw user agent skills`, overlapping `.agents/catalog-skills.yaml` and `test/catalog-skills-export.test.ts`, both deleted here.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Source-of-truth review needed: Manual root `skills/` publishing and on-demand drift spot-checking: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: The doc says source and published skills `can drift` and recommends asking an agent to compare directories, while the deterministic exporter, manifest, PR check, pre-commit hook, refresh workflow, and tests are deleted.
• Catalog publishing policy becomes documentation-only (.github/catalog-skills-signing-flow.md:6): The rewritten flow makes root `skills/` the NVSkills-watched publishing surface and says whatever lives there is signed and published, while the diff removes the allowlist, exporter, PR check, pre-commit hook, and refresh automation. Internal `nemoclaw-maintainer-*` and `nemoclaw-contributor-*` skills live next to public user skills under `.agents/skills`, so the public/internal catalog boundary is now enforced only by manual review and prose naming conventions.
  • Recommendation: Keep the simplified manual publishing flow if desired, but add a lightweight deterministic CI/pre-commit guard that validates root `skills/` contains only explicitly permitted public skill directories and rejects internal prefixes. Use a checked-in policy if exceptions are intended.
  • Evidence: Deleted `.agents/catalog-skills.yaml`, `scripts/export-catalog-skills.py`, the PR workflow `Verify catalog skills export is in sync` step, and the `catalog-skills-export` pre-commit hook. The new doc states: `Whatever lives there is what gets signed and published. There is no allowlist, manifest, or generator script`.
• Catalog export safety tests are deleted without replacement coverage (test/catalog-skills-export.test.ts:1): The deleted test suite covered security-relevant catalog behavior, including unsafe allowlist path rejection, expected public skill set, signer artifact preservation, and failure when preservation broke. No replacement test or runtime validation now verifies that root `skills/` entries are public-only, match source content where expected, or handle signing artifacts intentionally.
  • Recommendation: Add replacement validation and tests for the new invariant: published `skills/` directories are permitted public skills, internal prefixes are rejected, content drift from `.agents/skills` is detected or explicitly documented, and `skill.oms.sig`/`skill-card.md` are handled intentionally.
  • Evidence: `test/catalog-skills-export.test.ts` is removed entirely, while `.github/workflows/pr.yaml` and `.pre-commit-config.yaml` also drop the only automated catalog freshness checks.
• On-demand drift detection does not define a durable source-of-truth boundary (.github/catalog-skills-signing-flow.md:40): The PR replaces deterministic drift checking with instructions to ask an agent to compare root `skills/` against `.agents/skills`. That documents the invalid state but does not prevent or reliably detect it. The PR body also claims the inconsistency class is eliminated, while the new doc explicitly says source and published skills can drift.
  • Recommendation: Encode the intended source-of-truth model in repository-owned tooling: either make `skills/` the sole reviewed source and validate allowed contents, or keep a drift checker that compares each published skill to `.agents/skills` with documented exceptions for signing artifacts. Add a regression test and document the migration/removal condition for any temporary manual spot-check process.
  • Evidence: The new doc says source `/.agents/skills/` and published `/skills/` `can drift` and recommends asking an agent to compare directories while ignoring `skill.oms.sig` and `skill-card.md`. The deleted exporter previously provided deterministic `--check` behavior and generated metadata.
• Published skill policy is ambiguous for `nemoclaw-skills-guide` (.github/catalog-skills-signing-flow.md:49): The new documentation says only customer-facing `nemoclaw-user-*` skills go in the catalog, but the deleted allowlist included `nemoclaw-skills-guide` as a public index. If that skill remains intended for the catalog, the new policy silently excludes it; if it is no longer intended, downstream publishing work needs to account for the scope change.
  • Recommendation: Clarify whether `nemoclaw-skills-guide` is still catalog-publishable. If yes, document it as an explicit exception and include it in the deterministic `skills/` guard; if no, note that the public catalog index is intentionally no longer published.
  • Evidence: Deleted `.agents/catalog-skills.yaml` included `nemoclaw-skills-guide` with rationale `Public index for user-facing NemoClaw skills.` The rewritten doc says: `Only customer-facing skills, identified by the nemoclaw-user-* naming convention.`
• This deletion overlaps active catalog export work (.agents/catalog-skills.yaml:1): The PR deletes files that are still being modified by active catalog publishing work. This may be intentional simplification, but it should be coordinated because overlapping work may otherwise continue building on files and tests removed here.
  • Recommendation: Confirm whether this PR supersedes the overlapping catalog export PR, then rebase, retarget, or close the overlapping work so the repository has one clear publishing model.
  • Evidence: Trusted drift context reports open PR chore: skills signing batch 1 #4438, `chore: export nemoclaw user agent skills`, overlapping `.agents/catalog-skills.yaml` and `test/catalog-skills-export.test.ts`, both deleted here.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/catalog-skills-signing-flow.md (1)

21-22: ⚡ Quick win

Consider clarifying the one-skill-per-PR constraint.

The phrase "Repeat per skill — NVSkills CI signs one at a time" implies a sequential process but doesn't explicitly state that each skill requires its own PR. Based on the PR objectives stating "NVSkills CI signs one skill per PR," consider rewording for operational clarity.

📝 Suggested rewording

-Open the PR, comment `/nvskills-ci`, wait for the signing job to push back
-`skill.oms.sig` and `skill-card.md`, then merge. Repeat per skill — NVSkills
-CI signs one at a time.
+Open a PR, comment `/nvskills-ci`, wait for the signing job to push back
+`skill.oms.sig` and `skill-card.md`, then merge. NVSkills CI signs one skill
+per PR; repeat this process for each additional skill.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/catalog-skills-signing-flow.md around lines 21 - 22, Update the
sentence containing "skill.oms.sig and skill-card.md, then merge. Repeat per
skill — NVSkills CI signs one at a time." to explicitly state the
one-skill-per-PR constraint: mention that each skill must be submitted as a
separate pull request and that NVSkills CI will sign only one skill per PR
(e.g., "Create a separate PR for each skill; NVSkills CI will sign one skill per
PR"). Ensure this replaces the ambiguous "Repeat per skill — NVSkills CI signs
one at a time" phrasing so readers clearly understand the operational
requirement.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/catalog-skills-signing-flow.md:
- Line 37: Paths in the document are inconsistent: some entries use leading
slashes ("/.agents/skills/", "/skills/") while others use no leading slash
(".agents/skills/"); update all occurrences to a single consistent notation —
e.g., change "/.agents/skills/" and "/skills/" to ".agents/skills/" and
"skills/" (or vice versa if you prefer absolute paths) so every reference to the
agent and published skill directories uses the same form throughout the file.

---

Nitpick comments:
In @.github/catalog-skills-signing-flow.md:
- Around line 21-22: Update the sentence containing "skill.oms.sig and
skill-card.md, then merge. Repeat per skill — NVSkills CI signs one at a time."
to explicitly state the one-skill-per-PR constraint: mention that each skill
must be submitted as a separate pull request and that NVSkills CI will sign only
one skill per PR (e.g., "Create a separate PR for each skill; NVSkills CI will
sign one skill per PR"). Ensure this replaces the ambiguous "Repeat per skill —
NVSkills CI signs one at a time" phrasing so readers clearly understand the
operational requirement.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 94b4f824-b2f7-4dd1-a149-5118554bef01

📥 Commits

Reviewing files that changed from the base of the PR and between 4e088d2 and 19151a8.

📒 Files selected for processing (9)

• .agents/catalog-skills.yaml
• .github/CODEOWNERS
• .github/catalog-skills-signing-flow.md
• .github/pr-bodies/catalog-skills-refresh.md
• .github/workflows/catalog-skills-refresh.yaml
• .github/workflows/pr.yaml
• .pre-commit-config.yaml
• scripts/export-catalog-skills.py
• test/catalog-skills-export.test.ts

💤 Files with no reviewable changes (8)

• test/catalog-skills-export.test.ts
• .github/workflows/catalog-skills-refresh.yaml
• .agents/catalog-skills.yaml
• .github/CODEOWNERS
• .pre-commit-config.yaml
• scripts/export-catalog-skills.py
• .github/pr-bodies/catalog-skills-refresh.md
• .github/workflows/pr.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix path notation inconsistency.

Line 37 uses leading slashes (/.agents/skills/ and /skills/) while line 40 omits them (.agents/skills/). Use consistent notation throughout the document to avoid confusion about absolute vs. relative paths.

🔧 Proposed fix

-Source (`/.agents/skills/`) and published (`/skills/`) can drift if a
+Source (`.agents/skills/`) and published (`skills/`) can drift if a
 source-side edit lands without a corresponding refresh PR. To check, ask

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Source (`/.agents/skills/`) and published (`/skills/`) can drift if a
	Source (`.agents/skills/`) and published (`skills/`) can drift if a

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/catalog-skills-signing-flow.md at line 37, Paths in the document are
inconsistent: some entries use leading slashes ("/.agents/skills/", "/skills/")
while others use no leading slash (".agents/skills/"); update all occurrences to
a single consistent notation — e.g., change "/.agents/skills/" and "/skills/" to
".agents/skills/" and "skills/" (or vice versa if you prefer absolute paths) so
every reference to the agent and published skill directories uses the same form
throughout the file.

[coderabbitai]

Actionable comments posted: 0