zhanj/claude-plugins-official
1
0
Fork 0
mirror of https://github.com/anthropics/claude-plugins-official.git synced 2026-05-13 07:52:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adopt validate-plugins action suite; pin all external SHAs (#1762)

Browse Source 
* Adopt validate-plugins action suite; pin all external SHAs

Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).

marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
  their current upstream HEAD (resolved via git ls-remote).

Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
  diff-gated clone-at-SHA validation of changed external entries.
  SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
  known data issues (vendored dirs without manifests; one dotted
  name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
  SHA with claude plugin validate before opening one PR; works with
  the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
  Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
  by step 11/20 of validate-plugins).

validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).

* Remove 5 external entries that fail validation at HEAD

Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:

  aiven                   Unrecognized key "logo" in plugin.json
  atlassian-forge-skills  skill YAML frontmatter parse error
  sagemaker-ai            skill YAML frontmatter parse error
  speakai                 no plugin manifest at repo root
  stagehand               no plugin manifest at repo root

These can be re-added once the upstream repos are fixed.

* Wire scan-plugins to the detailed policy prompt

Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.

* Bump scan-plugins action pin to include L11/L12 fixes
This commit is contained in:
Tobin South
2026-05-07 12:18:52 -07:00
committed by GitHub
parent c51f5c1513
commit 95cc50d132
9 changed files with 250 additions and 381 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
.github/workflows/bump-plugin-shas.yml vendored
View File

@@ -1,133 +1,38 @@
name: Bump plugin SHAs
name: Bump Plugin SHAs
# Weekly sweep of marketplace.json — for each entry whose upstream repo has
# moved past its pinned SHA, open a PR against main with updated SHAs. The
# validate-marketplace workflow then runs on the PR to confirm the file is
# still well-formed.
# Weekly sweep: for each external entry whose upstream HEAD has moved past
# its pinned SHA, validate at the new SHA with `claude plugin validate`
# inline, then open one PR with all passing bumps.
#
# Adapted from claude-plugins-community-internal's bump-plugin-shas.yml
# for the single-file marketplace.json format. Key difference: all bumps
# are batched into one PR (since they all modify the same file).
# Bot-free — uses the default GITHUB_TOKEN. Because GITHUB_TOKEN-opened PRs
# don't trigger on:pull_request workflows, validation runs in this workflow
# before the PR is opened; the PR body links back here as the CI evidence.
on:
schedule:
- cron: '23 7 * * 1' # Monday 07:23 UTC
workflow_dispatch:
inputs:
plugin:
description: Only bump this plugin (for testing)
required: false
max_bumps:
description: Cap on plugins bumped this run
required: false
default: '20'
dry_run:
description: Discover only, don't open PR
type: boolean
default: true
concurrency:
group: bump-plugin-shas
cancel-in-progress: false
permissions:
contents: write
pull-requests: write
concurrency:
group: bump-plugin-shas
jobs:
bump:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- name: Check for existing bump PR
id: existing
env:
GH_TOKEN: ${{ github.token }}
run: |
existing=$(gh pr list --label sha-bump --state open --json number --jq 'length')
echo "count=$existing" >> "$GITHUB_OUTPUT"
if [ "$existing" -gt 0 ]; then
echo "::notice::Open sha-bump PR already exists — skipping"
fi
- name: Ensure sha-bump label exists
if: steps.existing.outputs.count == '0'
env:
GH_TOKEN: ${{ github.token }}
run: gh label create sha-bump --color 0e8a16 --description "Automated SHA bump" 2>/dev/null || true
- name: Overlay marketplace data from main
if: steps.existing.outputs.count == '0'
run: |
git fetch origin main --depth=1 --quiet
git checkout origin/main -- .claude-plugin/marketplace.json
- name: Discover and apply SHA bumps
if: steps.existing.outputs.count == '0'
id: discover
env:
GH_TOKEN: ${{ github.token }}
PR_BODY_PATH: /tmp/bump-pr-body.md
PLUGIN: ${{ inputs.plugin }}
MAX_BUMPS: ${{ inputs.max_bumps }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
args=(--max "${MAX_BUMPS:-20}")
[[ -n "$PLUGIN" ]] && args+=(--plugin "$PLUGIN")
[[ "$DRY_RUN" = "true" ]] && args+=(--dry-run)
python3 .github/scripts/discover_bumps.py "${args[@]}"
- uses: oven-sh/setup-bun@v2
if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
- name: Validate marketplace.json
if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
run: |
bun .github/scripts/validate-marketplace.ts .claude-plugin/marketplace.json
bun .github/scripts/check-marketplace-sorted.ts
- name: Push bump branch
if: steps.existing.outputs.count == '0' && steps.discover.outputs.count != '0' && inputs.dry_run != true
id: push
run: |
branch="auto/bump-shas-$(date +%Y%m%d)"
echo "branch=$branch" >> "$GITHUB_OUTPUT"
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git checkout -b "$branch"
git add .claude-plugin/marketplace.json
git commit -m "Bump SHA pins for ${{ steps.discover.outputs.count }} plugin(s)
Plugins: ${{ steps.discover.outputs.bumped_names }}"
git push -u origin "$branch" --force-with-lease
# GITHUB_TOKEN cannot create PRs (org policy: "Allow GitHub Actions to
# create and approve pull requests" is disabled). Use the same GitHub App
# that -internal's bump workflow uses.
#
# Prerequisite: app 2812036 must be installed on this repo. The PEM
# secret must exist in this repo's settings (shared with -internal).
- name: Generate bot token
if: steps.push.outcome == 'success'
id: app-token
uses: actions/create-github-app-token@v1
- uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
with:
app-id: 2812036
private-key: ${{ secrets.CLAUDE_DIRECTORY_BOT_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: ${{ github.event.repository.name }}
- name: Create pull request
if: steps.push.outcome == 'success'
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
gh pr create \
--base main \
--head "${{ steps.push.outputs.branch }}" \
--title "Bump SHA pins (${{ steps.discover.outputs.count }} plugins)" \
--body-file /tmp/bump-pr-body.md \
--label sha-bump
marketplace-path: .claude-plugin/marketplace.json
max-bumps: ${{ inputs.max_bumps || '20' }}
claude-cli-version: latest

24
.github/workflows/scan-plugins.yml vendored Normal file
View File

@@ -0,0 +1,24 @@
name: Scan Plugins
on:
pull_request:
paths:
- '.claude-plugin/marketplace.json'
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Non-blocking by default. To enforce, set fail-on-findings: "true".
- uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
with:
anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
policy-prompt: .github/policy/prompt.md
claude-cli-version: latest

20
.github/workflows/validate-marketplace.yml vendored
View File

@@ -1,20 +0,0 @@
name: Validate Marketplace JSON
on:
pull_request:
paths:
- '.claude-plugin/marketplace.json'
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: oven-sh/setup-bun@v2
- name: Validate marketplace.json
run: bun .github/scripts/validate-marketplace.ts .claude-plugin/marketplace.json
- name: Check plugins sorted
run: bun .github/scripts/check-marketplace-sorted.ts

34
.github/workflows/validate-plugins.yml vendored Normal file
View File

@@ -0,0 +1,34 @@
name: Validate Plugins
on:
pull_request:
paths:
- '.claude-plugin/**'
- '*/.claude-plugin/**'
- '*/agents/**'
- '*/skills/**'
- '*/commands/**'
push:
branches: [main]
paths:
- '.claude-plugin/**'
permissions:
contents: read
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
with:
marketplace-path: .claude-plugin/marketplace.json
# Official curated marketplace: SHA-pin (I5) is a HARD error.
# I8/I11 are warnings until the 15 known vendored-path/name issues
# are cleaned up (see PR body); tighten to "I1 I3" after.
warn-invariants: "I1 I3 I8 I11"
claude-cli-version: latest