Improved usability for skills commands

Author: bhanurp

cli/cli.go

@@ -35,7 +35,9 @@ func GetJfrogCliArtifactoryApp() components.App {
 	})
 	app.Subcommands = append(app.Subcommands, components.Namespace{
 		Name:        "skills",
+		Aliases:     []string{"skill"},
 		Description: "Skills commands.",
+		Hidden:      true,
 		Commands:    skillsCLI.GetCommands(),
 		Category:    "Command Namespaces",
 	})

cliutils/flagkit/flags.go

@@ -500,13 +500,16 @@ const (
 	// Skills commands keys
 	SkillsPublish = "skills-publish"
 	SkillsInstall = "skills-install"
+	SkillsSearch  = "skills-search"
 
 	// Skills-specific flags
-	version     = "version"
-	installPath = "path"
-	signingKey  = "signing-key"
-	keyAlias    = "key-alias"
-	skillsQuiet = "skills-" + quiet
+	version      = "version"
+	installPath  = "path"
+	signingKey   = "signing-key"
+	keyAlias     = "key-alias"
+	skillsQuiet  = "skills-" + quiet
+	propSearch   = "prop"
+	skillsFormat = "skills-" + Format
 )
 
 var commandFlags = map[string][]string{
@@ -832,10 +835,13 @@ var commandFlags = map[string][]string{
 		Format, OrderBy, FilterBy, OrderAsc, Limit, Offset, Includes, Project,
 	},
 	SkillsPublish: {
-		url, user, password, accessToken, serverId, version, signingKey, keyAlias, skillsQuiet,
+		url, user, password, accessToken, serverId, repo, version, signingKey, keyAlias, skillsQuiet,
 	},
 	SkillsInstall: {
-		url, user, password, accessToken, serverId, version, installPath, skillsQuiet,
+		url, user, password, accessToken, serverId, repo, version, installPath, skillsQuiet,
+	},
+	SkillsSearch: {
+		url, user, password, accessToken, serverId, repo, skillsFormat, propSearch,
 	},
 }
 
@@ -1143,7 +1149,9 @@ var flagsMap = map[string]components.Flag{
 	installPath: components.NewStringFlag(installPath, "Custom install path for the skill. Default: current directory.", components.SetMandatoryFalse()),
 	signingKey:  components.NewStringFlag(signingKey, "Path to PGP private key for signing evidence. Overrides EVD_SIGNING_KEY_PATH env var.", components.SetMandatoryFalse()),
 	keyAlias:    components.NewStringFlag(keyAlias, "Alias for the signing key. Overrides EVD_KEY_ALIAS env var.", components.SetMandatoryFalse()),
-	skillsQuiet: components.NewBoolFlag(quiet, "[Default: $CI] Set to true to skip interactive prompts.", components.WithBoolDefaultValueFalse()),
+	skillsQuiet:  components.NewBoolFlag(quiet, "[Default: $CI] Set to true to skip interactive prompts.", components.WithBoolDefaultValueFalse()),
+	skillsFormat: components.NewStringFlag(Format, "Output format: \"table\" (default) or \"json\".", components.SetMandatoryFalse()),
+	propSearch:   components.NewBoolFlag(propSearch, "Use Artifactory property search (skill.name) instead of Skills API search.", components.WithBoolDefaultValueFalse()),
 }
 
 func GetCommandFlags(cmdKey string) []components.Flag {

go.mod

@@ -207,6 +207,8 @@ replace github.com/gfleury/go-bitbucket-v1 => github.com/gfleury/go-bitbucket-v1
 
 replace github.com/ktrysmt/go-bitbucket => github.com/ktrysmt/go-bitbucket v0.9.80
 
-replace github.com/jfrog/jfrog-client-go => github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305021800-71cf43b6e283
+// replace github.com/jfrog/jfrog-client-go => ../jfrog-client-go
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251026182600-8a8c0428f538
+
+replace github.com/jfrog/jfrog-client-go => github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305114046-2b0ff03b6f49

go.sum

@@ -98,8 +98,8 @@ github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
 github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305021800-71cf43b6e283 h1:YQ+U69LTJO5MriIPyevWeGJpSMWQXIJRNsDzzQpcF7Q=
-github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305021800-71cf43b6e283/go.mod h1:sCE06+GngPoyrGO0c+vmhgMoVSP83UMNiZnIuNPzU8U=
+github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305114046-2b0ff03b6f49 h1:5BguVDGfQR4O2pRGRl3tbDQOpA+0E9nEP688/Yjsw6o=
+github.com/bhanurp/jfrog-client-go v1.49.1-0.20260305114046-2b0ff03b6f49/go.mod h1:sCE06+GngPoyrGO0c+vmhgMoVSP83UMNiZnIuNPzU8U=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=

skills/cli/cli.go

@@ -4,32 +4,32 @@ import (
 	"github.com/jfrog/jfrog-cli-artifactory/cliutils/flagkit"
 	"github.com/jfrog/jfrog-cli-artifactory/skills/commands/install"
 	"github.com/jfrog/jfrog-cli-artifactory/skills/commands/publish"
+	"github.com/jfrog/jfrog-cli-artifactory/skills/commands/search"
 	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
 )
 
 func GetCommands() []components.Command {
 	return []components.Command{
 		{
-			Name:  "publish",
-			Flags: flagkit.GetCommandFlags(flagkit.SkillsPublish),
-			Description: "Publish a skill to Artifactory.\n" +
-				"  After uploading, evidence is signed and attached to the artifact.\n" +
-				"  Provide a PGP private key via --signing-key (or EVD_SIGNING_KEY_PATH env var)\n" +
-				"  and an alias via --key-alias (or EVD_KEY_ALIAS env var).\n" +
-				"  If no key is provided, the upload succeeds but evidence creation is skipped.",
-			Arguments: getPublishArguments(),
-			Action:    publish.RunPublish,
+			Name:        "publish",
+			Flags:       flagkit.GetCommandFlags(flagkit.SkillsPublish),
+			Description: "Publish a skill to Artifactory. Signs and attaches evidence if a signing key is provided.",
+			Arguments:   getPublishArguments(),
+			Action:      publish.RunPublish,
 		},
 		{
-			Name:  "install",
-			Flags: flagkit.GetCommandFlags(flagkit.SkillsInstall),
-			Description: "Install a skill from Artifactory.\n" +
-				"  Evidence verification uses --use-artifactory-keys to pull the publisher's\n" +
-				"  public key from Artifactory automatically. No local signing keys are needed.\n" +
-				"  If verification fails, an interactive prompt lets you proceed or abort;\n" +
-				"  in CI/quiet mode the install fails automatically.",
-			Arguments: getInstallArguments(),
-			Action:    install.RunInstall,
+			Name:        "install",
+			Flags:       flagkit.GetCommandFlags(flagkit.SkillsInstall),
+			Description: "Install a skill from Artifactory. Verifies evidence using Artifactory keys automatically.",
+			Arguments:   getInstallArguments(),
+			Action:      install.RunInstall,
+		},
+		{
+			Name:        "search",
+			Flags:       flagkit.GetCommandFlags(flagkit.SkillsSearch),
+			Description: "Search for skills across Artifactory repositories.",
+			Arguments:   getSearchArguments(),
+			Action:      search.RunSearch,
 		},
 	}
 }
@@ -40,9 +40,14 @@ func getPublishArguments() []components.Argument {
 			Name:        "path",
 			Description: "Path to the skill folder containing SKILL.md.",
 		},
+	}
+}
+
+func getSearchArguments() []components.Argument {
+	return []components.Argument{
 		{
-			Name:        "repo",
-			Description: "Skills repository key in Artifactory.",
+			Name:        "query",
+			Description: "Skill name or search term.",
 		},
 	}
 }
@@ -53,9 +58,5 @@ func getInstallArguments() []components.Argument {
 			Name:        "slug",
 			Description: "Skill name/slug to install.",
 		},
-		{
-			Name:        "repo",
-			Description: "Skills repository key in Artifactory.",
-		},
 	}
 }

skills/commands/install/install.go

@@ -208,11 +208,12 @@ func unzipFile(src, dest string) error {
 		_ = r.Close()
 	}()
 
-	if err := os.MkdirAll(dest, 0755); err != nil {
+	if err := os.MkdirAll(dest, 0750); err != nil {
 		return err
 	}
 
 	for _, f := range r.File {
+		// #nosec G305 -- path traversal is checked immediately below
 		fpath := filepath.Join(dest, f.Name)
 
 		if !strings.HasPrefix(filepath.Clean(fpath), filepath.Clean(dest)+string(os.PathSeparator)) {
@@ -226,7 +227,8 @@ func unzipFile(src, dest string) error {
 			continue
 		}
 
-		if err := os.MkdirAll(filepath.Dir(fpath), 0755); err != nil {
+		// #nosec G301 -- skill files need to be readable
+		if err := os.MkdirAll(filepath.Dir(fpath), 0750); err != nil {
 			return err
 		}
 
@@ -255,12 +257,14 @@ func extractFile(f *zip.File, dest string) error {
 		_ = outFile.Close()
 	}()
 
+	// #nosec G110 -- skill zip files are size-bounded by Artifactory upload limits
 	_, err = io.Copy(outFile, rc)
 	return err
 }
 
 func copyDir(src, dst string) error {
-	if err := os.MkdirAll(dst, 0755); err != nil {
+	// #nosec G301 -- skill files need to be readable
+	if err := os.MkdirAll(dst, 0750); err != nil {
 		return err
 	}
 
@@ -293,6 +297,7 @@ func copyFile(src, dst string) error {
 		_ = in.Close()
 	}()
 
+	// #nosec G304 -- dst is constructed from validated unzip output path
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
@@ -307,25 +312,30 @@ func copyFile(src, dst string) error {
 
 // RunInstall is the CLI action for `jf skills install`.
 func RunInstall(c *components.Context) error {
-	if c.GetNumberOfArgs() < 2 {
-		return fmt.Errorf("usage: jf skills install <slug> <repo> [options]")
+	if c.GetNumberOfArgs() < 1 {
+		return fmt.Errorf("usage: jf skills install <slug> [--repo <repo>] [options]")
 	}
 
 	slug := c.GetArgumentAt(0)
-	repoKey := c.GetArgumentAt(1)
 
 	serverDetails, err := common.GetServerDetails(c)
 	if err != nil {
 		return err
 	}
 
+	quiet := common.IsQuiet(c)
+	repoKey, err := common.ResolveRepo(serverDetails, c.GetStringFlagValue("repo"), quiet)
+	if err != nil {
+		return err
+	}
+
 	cmd := NewInstallCommand().
 		SetServerDetails(serverDetails).
 		SetRepoKey(repoKey).
 		SetSlug(slug).
 		SetVersion(c.GetStringFlagValue("version")).
 		SetInstallPath(c.GetStringFlagValue("path")).
-		SetQuiet(common.IsQuiet(c))
+		SetQuiet(quiet)
 
 	return cmd.Run()
 }

skills/commands/publish/publish.go

@@ -17,7 +17,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-client-go/artifactory"
 	"github.com/jfrog/jfrog-client-go/artifactory/services"
-	serviceutils "github.com/jfrog/jfrog-client-go/artifactory/services/utils"
+
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
@@ -131,11 +131,8 @@ func (pc *PublishCommand) Run() error {
 		return fmt.Errorf("failed to compute SHA256: %w", err)
 	}
 
-	targetProps := fmt.Sprintf("skill.name=%s;skill.description=%s;skill.version=%s",
-		slug, escapePropertyValue(meta.Description), version)
-
 	target := fmt.Sprintf("%s/%s/%s/", pc.repoKey, slug, version)
-	if err := pc.upload(zipPath, target, targetProps); err != nil {
+	if err := pc.upload(zipPath, target); err != nil {
 		return fmt.Errorf("upload failed: %w", err)
 	}
 
@@ -260,6 +257,7 @@ func zipSkillFolder(skillDir, slug, version string) (string, error) {
 	}
 
 	zipPath := filepath.Join(tmpDir, fmt.Sprintf("%s-%s.zip", slug, version))
+	// #nosec G304 -- path is constructed from controlled temp directory and user-provided slug
 	zipFile, err := os.Create(zipPath)
 	if err != nil {
 		return "", fmt.Errorf("failed to create zip file: %w", err)
@@ -306,7 +304,7 @@ func zipSkillFolder(skillDir, slug, version string) (string, error) {
 			return err
 		}
 
-		// #nosec G304 -- Path is constructed from user-provided skill directory
+		// #nosec G304,G122 -- path is from user-provided skill directory via filepath.Walk
 		file, err := os.Open(path)
 		if err != nil {
 			return err
@@ -358,7 +356,7 @@ func computeSHA256(path string) (string, error) {
 	return hex.EncodeToString(h.Sum(nil)), nil
 }
 
-func (pc *PublishCommand) upload(zipPath, target, targetProps string) error {
+func (pc *PublishCommand) upload(zipPath, target string) error {
 	serviceManager, err := utils.CreateUploadServiceManager(pc.serverDetails, 1, 3, 0, false, nil)
 	if err != nil {
 		return err
@@ -368,14 +366,6 @@ func (pc *PublishCommand) upload(zipPath, target, targetProps string) error {
 	uploadParams.Pattern = zipPath
 	uploadParams.Target = target
 	uploadParams.Flat = true
-	props := serviceutils.NewProperties()
-	for _, prop := range strings.Split(targetProps, ";") {
-		parts := strings.SplitN(prop, "=", 2)
-		if len(parts) == 2 {
-			props.AddProperty(parts[0], parts[1])
-		}
-	}
-	uploadParams.TargetProps = props
 
 	_, _, err = serviceManager.UploadFiles(artifactory.UploadServiceOptions{}, uploadParams)
 	return err
@@ -441,20 +431,13 @@ func (pc *PublishCommand) attachEvidence(slug, version, sha256Hex string) {
 	log.Info("Evidence successfully attached.")
 }
 
-func escapePropertyValue(val string) string {
-	val = strings.ReplaceAll(val, ";", "\\;")
-	val = strings.ReplaceAll(val, "=", "\\=")
-	return val
-}
-
 // RunPublish is the CLI action for `jf skills publish`.
 func RunPublish(c *components.Context) error {
-	if c.GetNumberOfArgs() < 2 {
-		return fmt.Errorf("usage: jf skills publish <path-to-skill-folder> <repo> [options]")
+	if c.GetNumberOfArgs() < 1 {
+		return fmt.Errorf("usage: jf skills publish <path-to-skill-folder> [--repo <repo>] [options]")
 	}
 
 	skillDir := c.GetArgumentAt(0)
-	repoKey := c.GetArgumentAt(1)
 	absDir, err := filepath.Abs(skillDir)
 	if err != nil {
 		return fmt.Errorf("invalid skill path: %w", err)
@@ -470,14 +453,20 @@ func RunPublish(c *components.Context) error {
 		return err
 	}
 
+	quiet := common.IsQuiet(c)
+	repoKey, err := common.ResolveRepo(serverDetails, c.GetStringFlagValue("repo"), quiet)
+	if err != nil {
+		return err
+	}
+
 	cmd := NewPublishCommand().
 		SetServerDetails(serverDetails).
 		SetRepoKey(repoKey).
 		SetSkillDir(absDir).
 		SetVersion(c.GetStringFlagValue("version")).
 		SetSigningKey(c.GetStringFlagValue("signing-key")).
 		SetKeyAlias(c.GetStringFlagValue("key-alias")).
-		SetQuiet(common.IsQuiet(c))
+		SetQuiet(quiet)
 
 	return cmd.Run()
 }