Merged
15 changes: 11 additions & 4 deletions .github/workflows/publish-skills.yml
Expand Up @@ -14,6 +14,7 @@ permissions:

jobs:
review:
if: ${{ github.event_name != 'push' || !contains(github.event.head_commit.message, '[skip ci]') }}
runs-on: ubuntu-latest
env:
TESSL_AUTO_UPDATE_INTERVAL_MINUTES: "0"
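Review bot: The `if:` on the `review` job keys the skip on commit message text alone, so on a push event any head commit containing `[skip ci]` skips review for every commit in that push, whoever authored it. If the intent is only to ignore the version-bump writeback, consider also requiring `github.actor == 'github-actions[bot]'`. GitHub already suppresses push-triggered runs for `[skip ci]` head commits and for pushes made with `GITHUB_TOKEN`, so a short comment saying this guard is defense in depth would help the next reader.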
Expand All @@ -35,18 +36,22 @@ jobs:

publish:
needs: review
if: github.ref == 'refs/heads/main'
if: ${{ github.ref == 'refs/heads/main' && (github.event_name != 'push' || !contains(github.event.head_commit.message, '[skip ci]')) }}
runs-on: ubuntu-latest
environment:
name: release
deployment: false
concurrency:
group: publish-skills-${{ github.repository }}-main
cancel-in-progress: false
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
fetch-depth: 0
persist-credentials: false

- name: Set up Tessl
uses: tesslio/setup-tessl@25ec223fc0da33b41b8044ff5ab2b85235f4f91e # v2
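Review bot: In the new `concurrency` block, `cancel-in-progress: false` protects the running publish, but GitHub keeps only one pending run per group, so a run queued behind it is cancelled when a newer push arrives. Please confirm that the publish action's change detection (which `fetch-depth: 0` suggests is history based) still picks up tiles changed in a superseded run's commits; otherwise those tiles are never published.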
Expand All @@ -55,11 +60,13 @@ jobs:

- name: Authorize version-bump pushes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ github.token }}
run: gh auth setup-git

- name: Publish changed tiles
uses: uinaf/tessl-publish-action@c886763f2a95d6971317fd4b8abe88679619ebad # v2.1.2
env:
GH_TOKEN: ${{ github.token }}
with:
review-threshold: "90"
commit-version-bumps: "false"
commit-version-bumps: "true"
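Review bot: On the `Publish changed tiles` step, `GH_TOKEN: ${{ github.token }}` hands a `contents: write` token to a third-party action that now pushes to `main` (`commit-version-bumps: "true"`). The SHA pin limits that exposure; what is missing is handling for a push that fails after a successful publish, for example when branch protection rejects the bot. State in the workflow or docs whether the job should fail in that case and how `tile.json` is reconciled with the published version.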
6 changes: 4 additions & 2 deletions docs/distribution.md
Expand Up @@ -21,7 +21,8 @@ jq -r '.name' skills/*/tile.json
- The publish job uses [`uinaf/tessl-publish-action`](https://github.com/uinaf/tessl-publish-action) to detect changed tiles, run review and lint, and publish them
- The action derives semantic version bumps from Conventional Commit messages: breaking changes -> `major`, `feat` -> `minor`, everything else -> `patch`
- Before publish, the action probes `tessl tile publish --dry-run` and keeps bumping patch versions in the job workspace until Tessl accepts a free version
- After a successful publish, the workflow commits the resulting `tile.json` version bumps back to `main` as `github-actions[bot]` with a skip-CI commit message
- After a successful publish, the workflow commits the resulting `tile.json` version bumps back to `main` as `github-actions[bot]` with the workflow `GITHUB_TOKEN` and a skip-CI commit message
- Both review and publish jobs skip `[skip ci]` commits, and the publish job uses non-cancellable concurrency so version probing and writeback cannot race another publish
- Publish-path actions are pinned to full commit SHAs with trailing comments for their human version tags

## Required GitHub Environment
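Review bot: The new bullet "Both review and publish jobs skip `[skip ci]` commits" is broader than the workflow condition, which applies only to `push` events and inspects only `github.event.head_commit.message`. Suggest wording it as "skip pushes whose head commit message contains `[skip ci]`" so readers do not assume runs from other event types are filtered as well.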
Expand All @@ -31,7 +32,8 @@ Create a GitHub Environment named `release` for the publish job:
- Do not add required reviewers; releases should stay continuously publishable after the review job passes on `main`
- Limit Environment deployment branches to `main`
- Store the Tessl publish token as the Environment secret `TESSL_TOKEN`; do not store it as a plain repository Actions secret
- Protect `main` so only trusted uinaf admins can update it, with force-push and branch deletion blocked where GitHub supports those controls
- Use workflow `GITHUB_TOKEN` writeback and do not enable branch push restrictions; GitHub's built-in `github-actions[bot]` actor is not a normal allowed-user entry. Repos that require push restrictions should use a narrowly scoped GitHub App release actor instead of a personal publish bot.
- Protect `main` with force-push and branch deletion blocked where GitHub supports those controls
- If publish or release tags are added later, restrict tag creation and mutation to trusted release automation or release admins

Create a Tessl API key for the `uinaf` workspace, then add it to the `release` Environment as `TESSL_TOKEN`. Use a `uinaf` workspace key, not a token from another Tessl workspace.
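Review bot: Dropping "only trusted uinaf admins can update it" from the `main` protection bullet widens who can trigger a publish: the Environment has no required reviewers and is limited only by branch, so anyone able to push to `main` can start a publish job that holds `TESSL_TOKEN`. The new text should name the control that replaces the push restriction (for example required pull request review, if that is compatible with the `GITHUB_TOKEN` writeback), or make the GitHub App release actor the default rather than the exception.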
10 changes: 1 addition & 9 deletions scripts/sync/skills.json
Expand Up @@ -25,11 +25,7 @@
"source": "emilkowalski/skill"
},
{
"name": "gh-deploy-pipeline",
"source": "uinaf/agents"
},
{
"name": "gh-release-pipeline",
"name": "gh-setup",
"source": "uinaf/agents"
},
{
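Review bot: The `gh-deploy-pipeline` and `gh-release-pipeline` to `gh-setup` swap in this manifest is unrelated to the publish workflow change in the rest of the PR. Since version bumps are derived from Conventional Commit messages, consider splitting it into its own commit or PR so the skill removal gets an accurate bump, and confirm `skills/gh-release-pipeline/` is deleted alongside `skills/gh-deploy-pipeline/`.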
Expand All @@ -56,10 +52,6 @@
"name": "tanstack-start",
"source": "tanstack-skills/tanstack-skills"
},
{
"name": "uinaf-design-system",
"source": "uinaf/agents"
},
{
"name": "vercel-react-best-practices",
"source": "vercel-labs/agent-skills"
2 changes: 1 addition & 1 deletion skills/agent-readiness/SKILL.md
Expand Up @@ -109,7 +109,7 @@ See [references/setup-patterns.md](references/setup-patterns.md) for e2e, observ

**Tooling sources** — when adding CI, hooks, or bootstrap scripts, keep tool versions in one checked-in owner:

- Node in `.node-version`, `.nvmrc`, or `.tool-versions`; CI reads it with `node-version-file` when the action supports it
- Node in `.node-version`; CI reads it with `node-version-file` when the action supports it
- Package managers in `package.json#packageManager`; avoid separate `pnpm@...` or `corepack prepare ...@...` literals unless the repo cannot consume `packageManager`
- Tool wrappers such as Vite+ in package metadata or a workspace catalog; if a workflow input needs the version, read it with a structured tool such as `jq` instead of copying the literal
- GitHub Action SHA pins and same-line action version comments are not project tool versions; keep them explicit and Dependabot-managed
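Review bot: Narrowing the Node bullet to `.node-version` only leaves repos that already keep the version in `.nvmrc` or `.tool-versions` without guidance, and an agent following the new text may add a second file, which contradicts the "one checked-in owner" rule two lines above. Suggest "prefer `.node-version`; if the repo already uses `.nvmrc` or `.tool-versions`, keep that as the single owner".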
2 changes: 1 addition & 1 deletion skills/docs/evals/agents-md-content-and-structure/task.md
Expand Up @@ -66,7 +66,7 @@ Stripe webhook signature verification key is stored in `STRIPE_WEBHOOK_SECRET`.

## Getting Started

Prerequisites: Node.js 20+, PostgreSQL 15+, Docker (optional)
Prerequisites: Node.js 24.x LTS, PostgreSQL 15+, Docker (optional)

1. Install dependencies: `npm install`
2. Copy environment file: `cp .env.example .env`
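Review bot: `Node.js 24.x LTS` replaces a minimum (`20+`) with a single release line in the prerequisites of this eval fixture. If the scenario's grading criteria quote the prerequisites, update them in the same change; and if a floor is still intended, write it as `24+`.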
Expand Up @@ -104,7 +104,7 @@ All errors go through `src/errors.ts`. The `GrokError` class carries an exit cod

## Development Setup

Prerequisites: Node.js 18+, npm 9+
Prerequisites: Node.js 24.x LTS, npm 11+

1. Clone the repo:
```bash
95 changes: 0 additions & 95 deletions skills/gh-deploy-pipeline/SKILL.md

This file was deleted.

25 changes: 0 additions & 25 deletions skills/gh-deploy-pipeline/agents/openai.yaml

This file was deleted.

This file was deleted.
