overthinkos/gh
coder/skills/gh/SKILL.md
GitHub CLI, git, and git-lfs — the single-responsibility home for all git/GitHub tooling. Ships the noscripts + post-install dance for git-lfs so the RPM's systemd trigger doesn't fail at build time. Use when composing git + gh + git-lfs into a box, or when deciding which candy should own a git-related binary.
tools
Updated Jun 11, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins ghInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 6:54 AM103.6s1 file scanned
SKILL.md
- name:
- gh
- description:
- |
gh -- GitHub CLI + git + git-lfs
Candy Properties
| Property | Value |
|----------|-------|
| Install files | charly.yml (packages + one post-install task) |
| Depends | (none) |
Packages
- RPM (with
--setopt=tsflags=noscripts):gh,git,git-lfs - pac:
github-cli,git,git-lfs
Why tsflags=noscripts + a post-install task
The git-lfs RPM's %post scriptlet runs git-lfs install --system
which tries to modify /etc/ and talk to systemd — operations that
fail (loudly or silently) inside a buildah container. We install with
noscripts and then run the git-lfs hook configuration manually:
task:
- cmd: /usr/bin/git-lfs install --system --skip-repo 2>/dev/null || true
user: root
The || true tolerates distros/versions where the command layout
differs; --skip-repo prevents git-lfs from trying to touch a repo
that doesn't exist in the build container.
Single-responsibility ownership
This candy is the exclusive home for gh, git, and git-lfs — no other
candy (including /charly-coder:dev-tools) installs them. That keeps ownership
unambiguous ("which candy do I look at to update the git-lfs version?" — this
one) and avoids duplicate test ids (gh-binary collisions).
Effect for candy authors: any box that wants git tooling composes gh
explicitly. The four power-user boxes (charly-arch, charly-fedora,
fedora-coder, githubrunner via the charly chain) all list gh
explicitly.
Tests
Six build-scope tests:
| Test | Purpose |
|---|---|
| gh-binary | /usr/bin/gh exists |
| gh-version | gh --version exits 0 |
| git-binary | /usr/bin/git exists |
| git-version | git --version exits 0 |
| git-lfs-binary | /usr/bin/git-lfs exists |
| git-lfs-version | git-lfs --version exits 0 |
Cross-distro coverage
rpm: (Fedora — from the github-cli COPR / community repo), pac: (Arch — github-cli from extra), deb: (Debian/Ubuntu — adds https://cli.github.com/packages as an apt repo with signed-by key; ships gh, git, git-lfs). Full parity across all three package families.
Usage
# box or candy charly.yml
candy:
- gh
Used In Boxes
/charly-coder:charly-arch,/charly-distros:charly-fedora,/charly-coder:fedora-coder— power-user boxes that compose gh explicitly/charly-openclaw:openclaw-desktop— streaming-desktop sibling- Any box composing
hermes-full
Related Candies
/charly-coder:dev-tools— does not install git/gh/git-lfs (this candy owns them)/charly-distros:agent-forwarding— pairs with gh for SSH/GPG agent access (you usually want both when driving gh from inside a container with the host's GPG keys forwarded)/charly-distros:github-runner— self-hosted Actions runner; different candy, different purpose/charly-coder:github-actions— installsact+actionlintfor local Actions testing; also different from this candy
Related Commands
/charly-build:secrets— provisionGITHUB_TOKENforgh auth login/charly-core:shell— run gh interactively inside a container
When to Use This Skill
MUST be invoked when:
- Adding git or GitHub CLI access to a box (compose this candy —
DO NOT add
gh,git, orgit-lfsto any other candy's packages). - Debugging why
git-lfs installfails at build time (the noscripts + post-install pattern here is the fix). - Understanding why
/charly-coder:dev-toolsdoes not install gh (this candy holds single-responsibility ownership of git tooling).
Related
/charly-image:layer— candy authoring reference (charly.ymlschema, task verbs, service declarations)/charly-eval:eval— declarative testing (eval:block,charly eval box,charly eval live)
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026