--- title: "🏪 The one where GitHub becomes an App Store" date: 2026-04-21 author: Andrea Griffiths language: en issue: 23 excerpt: "GitHub fixed the SBOM timeout nobody talks about, gh skill shipped with a warning I think you should read, and I gave a talk in Chile that reminded me why I do this." tags: ["gh-skill", "sbom", "agent-skills", "public-preview"] canonical_url: https://mainbranch.beehiiv.com/p/60e7b40b-cb40-43e9-a87f-fd5e0ea58a83 --- Hiya friends, Just got back from Nerdearla in Chile. It was nice to see so many of you IRL. More on that below. This week: a GitHub fix that flew under the radar, and a new CLI command that I think matters more than it looks. ## 🚢 What Shipped **Async SBOM exports** If you've tried to export an SBOM from a large repo, you know it could be timeout prone. Exports are now async. You start a job, then fetch the result when it's ready. There are two new API endpoints: - `GET /repos/{owner}/{repo}/dependency-graph/sbom/generate-report` - `GET /repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom-uuid}` The first kicks off the job and returns a UUID. The second lets you check until the report is ready, then returns the export (or redirects you to it, depending on the client). In the UI: Insights > Dependency graph > Export SBOM. **Agent skills (public preview)** Agent skills are portable instruction sets that teach AI coding agents how to do specific tasks. Like plugins, but for agents. They follow the open Agent Skills spec and work across Copilot, Claude Code, Cursor, Codex, and Gemini CLI. The new `gh skill` command lets you install, update, and publish them: ```bash gh skill install github/awesome-copilot documentation-writer gh skill install github/awesome-copilot documentation-writer --agent claude-code gh skill update --all ``` You can pin to a tag or commit SHA for reproducibility. Provenance metadata gets written into the skill's frontmatter so it travels with the file. One honest note: the changelog warns that skills are not verified by GitHub and may contain prompt injections or malicious scripts. Inspect before you install with `gh skill preview`. Supply chain hygiene applies here too. ## 🎧 What I'm Listening To [**Empire of AI** by Erika Hao](https://www.amazon.com/Empire-AI-Erika-Hao/dp/1250862116) This took me a long time to get through. Not because it's hard to read. Because it's a lot to sit with. Hao writes about how the top AI labs operate (focused on OpenAI) and how the work that trains these models actually gets done. It left me genuinely conflicted. Thrilled by what this technology makes possible. More clear-eyed about what it costs. Worth your time if: you want a grounded look at the people behind the AI wave, not the hype version. ## 🔧 What I'm Using **gh skill**: I installed my first agent skill using it this week and immediately checked what was inside before running anything. `gh skill preview` is the right call before you trust anything from a public repo. Treat it like a third-party GitHub Action: read it first. ## ✨ This Week I spoke at Nerdearla in Santiago this week, the largest free tech event in Latin America. My talk covered [Team X-Ray](https://github.com/AndreaGriffiths11/teamxray), a VS Code extension I built as a personal experiment and a small homage to the Atom editor (my first GitHub role was Atom community manager). It does contribution discovery through code analysis: you point it at a repo and it surfaces who knows what. The talk traced its evolution from raw git log and git blame prompting, through MCP, to the current Copilot SDK-based version. The community is everything. Curious, generous, and genuinely grateful when you show up for them. I will be back. If you're a company looking to grow in Latin America, [Nerdearla](https://nerdearla.com/) is the room to be in. Also: I'll be at Google Cloud Next in Vegas next week. Come find me at the GitHub booth. I'm giving a talk on the Copilot CLI. Would love to meet you. With gratitude, I'll see you next week, Andrea