feat(skills): detect re-published skills and offer upstream install

[SamMorrowDrums]

Summary

When installing a skill from a repo that re-published it from an upstream source, the SKILL.md contains github-repo metadata pointing to the original publisher. This PR detects that and offers the user a choice: install from the re-publisher (default) or redirect to the upstream.

Changes

pkg/cmd/skills/install/install.go

• checkUpstreamProvenance - after skill selection, fetches SKILL.md via contents API, parses frontmatter, checks if github-repo points elsewhere
• Interactive: prompt to choose re-publisher (default) or upstream
• Non-interactive: print notice, continue with re-publisher
• --upstream flag: skip prompt, redirect to upstream directly (enables CI/script use)
• If upstream chosen: restart installRun with the upstream repo (fresh version resolution, discovery)
• skill_upstream_redirect telemetry event emitted on redirect
• --from-local and --upstream are mutually exclusive

pkg/cmd/skills/install/install_test.go

• 4 TestInstallRun_UpstreamDetection cases: interactive re-publisher, interactive upstream, non-interactive default, --upstream flag
• 2 TestNewCmdInstall cases: --upstream flag parsing, --from-local --upstream mutual exclusion

Behavior

Scenario	Result
SKILL.md has no github-repo metadata	No detection, install normally
github-repo points to same repo	No detection, install normally
github-repo points elsewhere (interactive)	Prompt: re-publisher or upstream?
github-repo points elsewhere (non-interactive)	Notice printed, install from re-publisher
--upstream flag set	Redirect to upstream without prompting
Contents API fetch fails	Silently continue with re-publisher
--from-local --upstream	Mutual exclusion error

What this does NOT change

• No new frontmatter metadata keys
• No changes to the installer, update command, publish command, or frontmatter package
• InjectGitHubMetadata overwrites github-repo to the chosen source as before

End-to-end testing

Manually verified against real repos using the built CLI binary:

Setup: Installed git-commit from github/awesome-copilot into a private repo (sammorrowdrums/test-republished-skills), committed the SKILL.md with its github-repo metadata pointing to the upstream, pushed.

1. Normal install (no upstream metadata) - works unchanged:

$ gh skill install github/awesome-copilot git-commit --force --dir ./normal-install --agent github-copilot
✓ Installed git-commit (from github/awesome-copilot@main) in normal-install
# github-repo: https://github.com/github/awesome-copilot  ✓

2. Local install - works unchanged:

$ gh skill install ./local-source my-local-skill --from-local --dir ./local-install --agent github-copilot --scope project
Installed my-local-skill (from ./local-source) in local-install  ✓

3. Re-published install (non-interactive) - detects upstream, installs from re-publisher:

$ gh skill install sammorrowdrums/test-republished-skills git-commit --force --dir ./republish-install --agent github-copilot --scope project
! This skill was originally published in github/awesome-copilot
  Installing from sammorrowdrums/test-republished-skills (use --upstream or interactive mode to choose upstream)
✓ Installed git-commit (from sammorrowdrums/test-republished-skills@main) in republish-install
# github-repo: https://github.com/sammorrowdrums/test-republished-skills  ✓

4. Re-published install with --upstream flag - redirects to upstream:

$ gh skill install sammorrowdrums/test-republished-skills git-commit --force --dir ./upstream-install --agent github-copilot --scope project --upstream
! This skill was originally published in github/awesome-copilot
Redirecting install to github/awesome-copilot...
✓ Installed git-commit (from github/awesome-copilot@main) in upstream-install
# github-repo: https://github.com/github/awesome-copilot  ✓

5. Interactive prompt (user picks upstream) - redirects:

$ gh skill install sammorrowdrums/test-republished-skills git-commit --force --dir ./interactive-upstream --agent github-copilot --scope project
! This skill was originally published in github/awesome-copilot
? Install from: github/awesome-copilot (upstream)
Redirecting install to github/awesome-copilot...
✓ Installed git-commit (from github/awesome-copilot@main) in interactive-upstream
# github-repo: https://github.com/github/awesome-copilot  ✓

6. Mutual exclusion:

$ gh skill install ./some-dir --from-local --upstream
--from-local and --upstream cannot be used together  ✓

[Copilot]

Pull request overview

Adds end-to-end upstream provenance tracking for re-published skills so installs/updates can preserve original-source metadata and (optionally) fetch future updates from upstream.

Changes:

• Extend frontmatter metadata injection to record upstream repo/tree/path and a track-upstream flag, with cleanup when upstream is nil.
• Add installer-side detection of upstream metadata from SKILL.md and a command-layer callback to choose re-publisher vs upstream tracking.
• Update update/install/publish commands and tests to preserve provenance across forced updates and improve publish-time guidance.

Show a summary per file

File	Description
pkg/cmd/skills/update/update_test.go	Adds unit coverage for parsing upstream metadata and preserving provenance on update.
pkg/cmd/skills/update/update.go	Parses upstream fields, resolves updates from upstream when tracking, and preserves provenance through re-installs.
pkg/cmd/skills/publish/publish.go	Enhances publish error messaging with re-publisher guidance when github metadata is present.
pkg/cmd/skills/install/install.go	Wires upstream-detection callback and adds interactive prompting/warnings for tracking choice.
internal/skills/installer/installer_test.go	Adds unit tests for detection, verification, self-referential handling, and preset upstream behavior.
internal/skills/installer/installer.go	Implements upstream detection, optional best-effort SHA verification, and injects upstream metadata during install.
internal/skills/frontmatter/frontmatter_test.go	Adds tests for upstream metadata injection/cleanup and track-upstream flag.
internal/skills/frontmatter/frontmatter.go	Introduces UpstreamInfo and extends InjectGitHubMetadata to write upstream fields.
acceptance/testdata/skills/skills-install-republished.txtar	Acceptance test ensuring upstream provenance survives forced update.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

internal/skills/installer/installer.go:377

• In the existingRepo == currentRepoURL branch, detectAndResolveUpstream calls OnUpstreamDetected(...) but then returns (nil, false) unconditionally, meaning any user choice returned by the callback is ignored. With the current CLI callback implementation, this can lead to an interactive prompt that has no effect. Suggestion: avoid invoking OnUpstreamDetected in this branch unless you can guarantee the callback is “warning-only”, or extend the callback contract (e.g., an explicit stale bool argument) so the command layer can suppress prompting for this case.

	// Check whether the existing metadata points to a different repo
	currentRepoURL := source.BuildRepoURL(opts.Host, opts.Owner, opts.Repo)
	if existingRepo == currentRepoURL {
		// github-repo points to this repo, but if github-upstream-repo is
		// also present this looks like a previously installed skill that was
		// committed back into the source repo. Warn and install normally,
		// clearing the stale upstream fields.
		if upstreamURL, _ := result.Metadata.Meta["github-upstream-repo"].(string); upstreamURL != "" {
			opts.OnUpstreamDetected(frontmatter.UpstreamInfo{RepoURL: upstreamURL}, false)
		}
		return nil, false

• Files reviewed: 9/9 changed files
• Comments generated: 4

[BagToad]

Looks pretty good, but I think there's some error handling we should fix. I'm continuing to review, but figured I should post that comment first 😁

[BagToad]

❓ Do you think it's worth updating this with new upstream info? I'm not sure it is, but here's a copilot suggested edit:

-  - Install metadata (%[1]smetadata.github-*%[1]s) is stripped if present
+  - Install metadata (%[1]smetadata.github-*%[1]s) is reported as an
+    error if present; use %[1]s--fix%[1]s to strip it. When
+    %[1]smetadata.github-upstream-repo%[1]s is also present (i.e. a
+    re-published skill), the error includes guidance on preserving
+    upstream provenance by committing the files and releasing
+    directly instead of stripping with %[1]s--fix%[1]s.

[SamMorrowDrums]

@BagToad I decided in last 10 mins with @tommaso-moro that I should simplify and give user option of tracking from one or other, and then just using the standard front-matter and removing much complexity.

Does that sound better to you?

To me it makes it clear while preserving the simple format.

[BagToad]

💭 Wondering if you'd like telemetry for this upstream vs publisher?

[BagToad]

❗ let's use official or fake names like monalisa to prevent any name-squatting problems. I don't think it would actually cause any problems but better to be consistent with rest of the tests anyway.

[BagToad]

@SamMorrowDrums sorry just saw your question 👀

I decided in last 10 mins with @tommaso-moro that I should simplify and give user option of tracking from one or other, and then just using the standard front-matter and removing much complexity.

That sounds good! Definitely much simpler. And if they want to switch to a different source they can always reinstall from that other source.

[babakks]

Thanks for the PR! A few comments we need to fix.