fix(skills/drafting-a-release): correct --target SHA form and the publish confirmation flow#21
Merged
Merged
Conversation
…eviated GitHub's release API rejects an abbreviated target_commitish and reports it as "tag_name is not a valid tag" / "Release.target_commitish is invalid" — a tag-shaped error that is really the short SHA. The skill echoed the short SHA for human confirmation and left the --target form unspecified, so an agent could pass that short SHA straight to the flag and hit the rejection. State that --target takes a branch name or the full 40-char SHA (git rev-parse), never the abbreviated form, at the point of use and in the anti-pattern and red-flag lists. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…nsent The skill split "draft or published?" (step 6) and a confirmation gate (step 7) into two prompts, with the gate written as its own scripted "About to create ... Confirm?" wait that the body never authorized collapsing. So after a user selected published against an already-shown body, the agent still posted a second confirmation — redundant friction on a choice the user just made. Merge the two into one publish gate: with the full body shown in step 5, the draft-or-published choice made against this exact tag, body, and commit IS the explicit consent to create. The guard against inferred or stale consent stays — a start-of-task "cut a release" still isn't approval, and the body must have been shown in full first. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the drafting-a-release skill to prevent two real-world failures at publish time: (1) using an abbreviated commit SHA with gh release create --target (rejected by GitHub’s API), and (2) prompting for redundant “final confirmation” after the user already selected draft vs published.
Changes:
- Clarifies that
--targetmust be a branch name or a full 40-character commit SHA (viagit rev-parse), never an abbreviated SHA. - Merges the draft-vs-published choice and the final confirmation into a single publish gate where the mode choice is the explicit consent to create.
- Reinforces the “no inferred consent” rule, while ensuring the body is shown in full before the publish gate.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Two defects in
drafting-a-releasethat surface at the publish step, both hit in a real release run.First,
gh release create --target <short-sha>fails: GitHub's release API rejects an abbreviatedtarget_commitishand reports it astag_name is not a valid tag/Release.target_commitish is invalid— a tag-shaped error that is really the short SHA. The skill echoed the short SHA for human confirmation and left the--targetform unspecified, so an agent could pass that short SHA straight to the flag and hit the rejection. Second, the skill asked for a redundant final confirmation even after the user had already chosen published-vs-draft against an already-shown body, because step 6 (draft or published?) and step 7 (confirmation gate) were written as two separate prompts.Changes
--targettakes a branch name or the full 40-char SHA (git rev-parse), never the abbreviated form — at the point of use, and in the anti-pattern and red-flag lists.Testing
Developed through
superpowers:writing-skills(RED → GREEN → REFACTOR). RED: isolated subagents given only the current skill text reproduced both defects — one literally concluded it must post a second confirmation after the user selected "Published", and the short-SHA target was confirmed underspecified against the real failing run. GREEN: the same scenarios against the edited skill flip — full SHA emitted for--target, and the agent runsgh release createimmediately on the publish-mode selection. REFACTOR: a loophole probe (user says "publish it live, go" before any body exists) confirmed the agent still refuses and drafts/shows the body first. The two.claude-pluginJSON files still parse; no project-specific identifiers introduced.