Add distributable skills directory and CI pipeline

[JAORMX]

Summary

ToolHive skills (Claude Code Agent Skills) currently live in .claude/skills/ which auto-loads them into every conversation in this repo. That's the right place for repo-specific development skills (commit-message, pr-review, etc.), but not for general-purpose skills like toolhive-cli-user that should work anywhere — not just when developing ToolHive.

This PR introduces a skills/ directory at the repo root for distributable skills, along with a CI pipeline that packages them as OCI artifacts and publishes to GHCR alongside the main release.

• Add skills/toolhive-cli-user/ with comprehensive CLI user guide (SKILL.md + reference docs)
• Add reusable skills-build-and-publish.yml workflow with a push boolean input
• Wire into releaser.yml with push: true (publish on release, tagged with the same version as thv)
• Wire into run-on-main.yml and run-on-pr.yml without push (build-only validation)
• CI security hardening: expression injection prevention (github.ref via env var), set -euo pipefail, PID tracking for backgrounded thv serve, log capture on failure, cleanup step

After release, users install with:

thv skill install ghcr.io/stacklok/toolhive/skills/toolhive-cli-user:v0.5.0

Type of change

• New feature

Test plan

• Manual testing (describe below)

Verified skill structure matches the SKILL.md spec (frontmatter with name, description, version, license + markdown body + references). Reviewed workflow YAML for correctness against existing patterns in image-build-and-publish.yml. CI security review performed (expression injection, permission scoping, process lifecycle).

Changes

File	Change
skills/toolhive-cli-user/SKILL.md	Main skill definition with CLI user guide
skills/toolhive-cli-user/references/COMMANDS.md	Complete CLI command reference
skills/toolhive-cli-user/references/EXAMPLES.md	Detailed usage examples
.github/workflows/skills-build-and-publish.yml	Reusable workflow: build skills, optionally push to GHCR
.github/workflows/releaser.yml	Wire skills build+push into release pipeline
.github/workflows/run-on-main.yml	Wire skills build-only validation into main pipeline
.github/workflows/run-on-pr.yml	Wire skills build-only validation into PR checks

Large PR Justification

• ~960 of the ~1300 lines are documentation content (COMMANDS.md and EXAMPLES.md reference files) — these are CLI command references and usage examples that ship inside the skill as static content, not code
• The remaining ~150 lines are the skill definition (SKILL.md) and CI workflow changes, which are tightly coupled and cannot be meaningfully split
• This is a documentation-heavy PR by nature: a skill is a documentation artifact packaged as an OCI artifact

Special notes for reviewers

• The skills/ directory is intentionally separate from .claude/skills/ — the latter auto-loads into Claude Code conversations in this repo, while skills/ holds artifacts for distribution.
• Cosign signing for skill OCI artifacts is not included yet (follow-up work) — unlike container images, skills are a new artifact type and need design consideration.
• The compute-version action has pre-existing expression injection patterns (github.ref inline in shell) — not addressed here as it affects all workflows.

Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.54%. Comparing base (5b4b724) to head (da6f381).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4070      +/-   ##
==========================================
- Coverage   68.60%   68.54%   -0.06%     
==========================================
  Files         447      447              
  Lines       45758    45758              
==========================================
- Hits        31391    31365      -26     
- Misses      11946    11970      +24     
- Partials     2421     2423       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.