Main Branch

Fundamentals first, always

Issue #23

🏪 The one where GitHub becomes an App Store

By Andrea Griffiths Leer en Español 阅读中文版
gh-skill sbom agent-skills public-preview
Listen to article

Hiya friends,

Just got back from Nerdearla in Chile. It was nice to see so many of you IRL. More on that below.

This week: a GitHub fix that flew under the radar, and a new CLI command that I think matters more than it looks.

🚢 What Shipped

Async SBOM exports

If you’ve tried to export an SBOM from a large repo, you know it could be timeout prone. Exports are now async. You start a job, then fetch the result when it’s ready. There are two new API endpoints:

  • GET /repos/{owner}/{repo}/dependency-graph/sbom/generate-report
  • GET /repos/{owner}/{repo}/dependency-graph/sbom/fetch-report/{sbom-uuid}

The first kicks off the job and returns a UUID. The second lets you check until the report is ready, then returns the export (or redirects you to it, depending on the client).

In the UI: Insights > Dependency graph > Export SBOM.

Agent skills (public preview)

Agent skills are portable instruction sets that teach AI coding agents how to do specific tasks. Like plugins, but for agents. They follow the open Agent Skills spec and work across Copilot, Claude Code, Cursor, Codex, and Gemini CLI.

The new gh skill command lets you install, update, and publish them:

gh skill install github/awesome-copilot documentation-writer
gh skill install github/awesome-copilot documentation-writer --agent claude-code
gh skill update --all

You can pin to a tag or commit SHA for reproducibility. Provenance metadata gets written into the skill’s frontmatter so it travels with the file.

One honest note: the changelog warns that skills are not verified by GitHub and may contain prompt injections or malicious scripts. Inspect before you install with gh skill preview. Supply chain hygiene applies here too.

🎧 What I’m Listening To

Empire of AI by Erika Hao

This took me a long time to get through. Not because it’s hard to read. Because it’s a lot to sit with. Hao writes about how the top AI labs operate (focused on OpenAI) and how the work that trains these models actually gets done. It left me genuinely conflicted. Thrilled by what this technology makes possible. More clear-eyed about what it costs.

Worth your time if: you want a grounded look at the people behind the AI wave, not the hype version.

🔧 What I’m Using

gh skill: I installed my first agent skill using it this week and immediately checked what was inside before running anything. gh skill preview is the right call before you trust anything from a public repo. Treat it like a third-party GitHub Action: read it first.

✨ This Week

I spoke at Nerdearla in Santiago this week, the largest free tech event in Latin America. My talk covered Team X-Ray, a VS Code extension I built as a personal experiment and a small homage to the Atom editor (my first GitHub role was Atom community manager). It does contribution discovery through code analysis: you point it at a repo and it surfaces who knows what. The talk traced its evolution from raw git log and git blame prompting, through MCP, to the current Copilot SDK-based version.

The community is everything. Curious, generous, and genuinely grateful when you show up for them. I will be back. If you’re a company looking to grow in Latin America, Nerdearla is the room to be in.

Also: I’ll be at Google Cloud Next in Vegas next week. Come find me at the GitHub booth. I’m giving a talk on the Copilot CLI. Would love to meet you.

With gratitude, I’ll see you next week,
Andrea