feat: add deploy-to-cloud-engine skill#212
Open
artkorotkikh-dfinity wants to merge 5 commits into
Open
Conversation
New Infrastructure skill that deploys an already-built ICP project to a user's own cloud engine: verify the icp CLI, link the user's console identity with `icp identity link web --auth <console-origin>`, obtain the console origin and subnet id (asking when unknown), and run `icp deploy -e ic --subnet <subnet-id>`. Includes evaluations/deploy-to-cloud-engine.json (output + trigger evals). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Skill Validation ReportValidating skill: /home/runner/work/icskills/icskills/skills/deploy-to-cloud-engineStructure
Frontmatter
Markdown
Tokens
Content Analysis
Contamination Analysis
Result: passed Project Checks |
- Console origin now defaults to https://opencloud.org (the main OpenCloud console): the agent states the default and offers an override instead of asking open-endedly. Subnet id stays a hard ask — it cannot be guessed. - Pitfall 2 gains a recovery path for an unauthorized deploy after linking against the default origin. - Fix `icp default` -> `icp identity default` (the former does not exist in icp 0.3.0), in both the skill and the evals. - Evals: case 1 expects default-with-override behavior; new override case for a non-default console origin. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…acts - Step 1 starts with `icp identity list`: the CLI cannot reveal which console an identity was linked against, so route by what exists — no web-linked identity -> link; recognizable identity -> set active; unsure -> relink under a new name (cheap and safe). Verify with `icp identity default` / `icp identity principal`. - Warn never to omit --auth: its built-in default is https://id.ai, not the console (verified against icp 0.3.0 --help). - Document the 'Press Enter to log in' prompt that stalls the link command in non-interactive shells (hit in a real agent deploy). - Step 3 names the frontend URL form https://<id>.icp0.io and the console's 'Open in browser' link. - compatibility: icp-cli >= 0.3.0 (commands verified on 0.3.0). - Evals: stalled-link case, deploy-as-anonymous case (pitfall 5 had no coverage), marketplace .icp packaging near-miss in should_not_trigger. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Add a step explaining how to tag canisters with __META_PROJECT / __META_NAME / __META_MAIN_CANISTER via settings.environment_variables so the cloud engine console groups them into one named application with labelled canisters and an "Open" button, instead of bare principal rows. icp-cli merges these with the auto-injected PUBLIC_CANISTER_ID:* vars (verified against 0.3.0). Renumber deploy/verify steps, add two pitfalls, and surface naming in the skill description. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add two output evals (naming a deployed app via __META_PROJECT / __META_NAME / __META_MAIN_CANISTER in settings.environment_variables, and an adversarial "no Open button" case checking the literal "true" value), two should_trigger queries for console-naming requests, and mention the metadata in the eval-file description. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
deploy-to-cloud-engine(category Infrastructure): a skill that deploys an already-built ICP project to a user's own cloud engine (an OpenCloud / control-panel engine, administered from a web console). It:icpCLI is installed,icp identity list) and, when no engine identity exists, links the user's console identity withicp identity link web <name> --auth <console-origin>(the user completes the Internet Identity sign-in in the browser),https://opencloud.org(stated to the user and overridable when they sign in to a different console) and obtains the engine's subnet id, asking the user rather than guessing,icp deploy -e ic --subnet <subnet-id>,__META_PROJECT/__META_NAME/__META_MAIN_CANISTERenvironment variables (viasettings.environment_variables) so the engine console shows a single named app with labelled backend/frontend canisters and an "Open" button, instead of bare principal rows, and verifies the canisters on the console.Includes
evaluations/deploy-to-cloud-engine.json(output + trigger evals) covering the documented pitfalls: wrong or omitted--authorigin, the non-interactive "Press Enter" stall, deploying as anonymous, guessing the subnet id, dfx misuse, the console-naming metadata flow (naming an app + the "no Open button" case), and a marketplace-packaging near-miss that must not trigger this skill.Why
The
icp-cliskill covers general builds and mainnet deploys, but nothing covers the cloud-engine-specific path: linking the CLI to the engine's console identity, targeting the engine's own subnet, and tagging the canisters so the engine console shows them as one named app. This is the skill a coding agent links to so it can ship straight to a user's cloud engine — the flow the cloud-engine console currently spells out by hand.Updates since opening
icp default→icp identity default(the former does not exist in icp 0.3.0), and documentation of the "Press Enter to log in" prompt that stallsicp identity link webin non-interactive shells.https://opencloud.org) with an invited override, instead of an open-ended ask; the subnet id remains a hard ask.icp identity list(the CLI cannot reveal which console an identity was linked against), a warning that omitting--authsilently links against its built-in defaulthttps://id.ai, the frontend URL formhttps://<canister-id>.icp0.io, and a compatibility pin toicp-cli >= 0.3.0.__META_PROJECT/__META_NAME/__META_MAIN_CANISTERenvironment variables that group CLI-deployed canisters into one named app (same__META_PROJECTacross canisters), label each one, and mark the entry point (__META_MAIN_CANISTER: "true") for the "Open" button. Verified on the opencloud.org engine: icp-cli merges these with the auto-injectedPUBLIC_CANISTER_ID:*variables, so the asset canister keeps serving. Added matching output evals (naming an app, "no Open button" adversarial) and twoshould_triggerqueries.npm run validate—skill-validatorwas not available in my environment (no Go/Homebrew install).node scripts/check-project.js deploy-to-cloud-enginepasses (metadatatitle/categorypresent, eval file found, 0 warnings).node scripts/evaluate-skills.js deploy-to-cloud-engine) and paste results below.icp identity link web …andicp deploy -e ic --subnet …against a real engine — done 2026-06-10, see "Updates since opening".__META_*console-naming metadata against a real engine — done 2026-06-11 (canisters merged the vars and rendered as a named app).Evaluation results
Not yet generated.
evaluations/deploy-to-cloud-engine.jsonis included (10 output evals + trigger evals, covering the deploy flow, the documented pitfalls, and the console-naming metadata); results need to be produced withnode scripts/evaluate-skills.js deploy-to-cloud-enginebefore merge.Per CONTRIBUTING, all PRs require repo-admin approval before merge.