Make Scan Plugins a viable required check; auto-dispatch on bump PRs (#1815)

Scan Plugins is meant to gate every change to marketplace.json, but two
gaps made that unenforceable:

1. The bump workflow opens PRs with GITHUB_TOKEN, which GitHub exempts
   from on:pull_request triggers. Weekly bump PRs (e.g. #1809) get no
   scan check at all.
2. The workflow had a paths filter, so a required-check ruleset for
   `scan` would block every PR that doesn't touch marketplace.json
   (no check run = pending forever).

Fixes:

scan-plugins.yml
- Drop the paths filter; replace with a step-level `git diff --quiet`
  early-exit on the same paths. The check now reports on every PR,
  which makes it safe to require.
- Fail closed when ANTHROPIC_API_KEY is unset and a scan is needed.
  The shared action no-ops gracefully in that case (right default for
  community repos), but a required check that silently does nothing is
  a rubber stamp.

bump-plugin-shas.yml
- After the action opens the bump PR, `gh workflow run scan-plugins.yml
  --ref bump/plugin-shas`. workflow_dispatch is exempt from the
  GITHUB_TOKEN recursion guard, and the resulting check run lands on
  the branch HEAD (= PR head), so it satisfies the required check.
- Add `actions: write` so the dispatch is allowed.

Follow-up: add a repo ruleset on main requiring the `scan` check
(integration: github-actions) once this merges.

.claude-plugin/marketplace.json

@@ -81,6 +81,22 @@
       },
       "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
     },
+    {
+      "name": "airtable",
+      "description": "Airtable is the database and operations layer for your agents — whether running product, marketing, sales, ops, HR, or a custom business app. It combines structured data with multiplayer visual surfaces (grid, kanban, calendar, gallery, timeline) humans and agents share — plus sync integrations to Jira, Salesforce, Zendesk, Google Drive, Databricks, and the rest of your stack, all backed by enterprise governance. This plugin makes Claude fluent in Airtable: creating bases and schema, working with records, and sharing UI for collaboration. Bundles the official Airtable MCP server.",
+      "author": {
+        "name": "Airtable"
+      },
+      "category": "productivity",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Airtable/skills.git",
+        "path": "plugins/airtable",
+        "ref": "main",
+        "sha": "aaeb4f3ec8d462d694a13fe5c3d249c291bf8899"
+      },
+      "homepage": "https://www.airtable.com"
+    },
     {
       "name": "alloydb",
       "description": "Create, connect, and interact with an AlloyDB for PostgreSQL database and data.",
@@ -368,6 +384,11 @@
     {
       "name": "cds-mcp",
       "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
       "category": "development",
       "source": {
         "source": "url",
@@ -1163,6 +1184,22 @@
       "category": "development",
       "homepage": "https://github.com/anthropics/claude-plugins-official/tree/main/plugins/mcp-server-dev"
     },
+    {
+      "name": "mercadopago",
+      "description": "Mercado Pago full-product integration toolkit. Covers online checkout (Pro, Bricks, API), in-store (QR, Point), subscriptions, marketplace, wallet, money-out, security (3DS, PCI), reporting, SDKs, and specialized integrations. Hybrid architecture: 13 skills provide stable integration intelligence, MCP provides live API data.",
+      "author": {
+        "name": "Mercado Pago Developer Experience"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/mercadopago/mercadopago-claude-marketplace.git",
+        "path": "plugins/mercadopago",
+        "ref": "main",
+        "sha": "1de8d97e1c875136e93bc8eea8494ebf982a08b8"
+      },
+      "homepage": "https://github.com/mercadopago/mercadopago-claude-marketplace/tree/main/plugins/mercadopago"
+    },
     {
       "name": "microsoft-docs",
       "description": "Access official Microsoft documentation, API references, and code samples for Azure, .NET, Windows, and more.",
@@ -1677,11 +1714,47 @@
       },
       "homepage": "https://www.sanity.io"
     },
+    {
+      "name": "sap-cds-mcp",
+      "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/cap-js/mcp-server.git",
+        "sha": "8ce2e13ac70bd78415aedeaab0061af9396d3372"
+      },
+      "homepage": "https://cap.cloud.sap/"
+    },
+    {
+      "name": "sap-fiori-mcp-server",
+      "description": "MCP server for SAP Fiori development tools for Claude Code. Build and modify SAP Fiori applications with AI assistance.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/SAP/open-ux-tools.git",
+        "path": "packages/fiori-mcp-server",
+        "ref": "main",
+        "sha": "d9d4ab7e69fe453f8fd682304ff1e3ac40a216c6"
+      },
+      "homepage": "https://github.com/SAP/open-ux-tools/tree/main/packages/fiori-mcp-server"
+    },
     {
       "name": "sap-mdk-server",
       "description": "MCP server for SAP Mobile Development Kit (MDK). Build and modify MDK applications with AI assistance — schema lookups, action validation, rule editing, and project scaffolding.",
       "author": {
-        "name": "SAP"
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
       },
       "category": "development",
       "source": {
@@ -2005,6 +2078,11 @@
     {
       "name": "ui5",
       "description": "SAPUI5 / OpenUI5 plugin for Claude. Create and validate UI5 projects, access API documentation, run UI5 linter, get development guidelines and best practices for UI5 development.",
+      "author": {
+        "name": "SAP SE",
+        "email": "openui5@sap.com",
+        "url": "https://www.sap.com"
+      },
       "category": "development",
       "source": {
         "source": "git-subdir",
@@ -2018,6 +2096,11 @@
     {
       "name": "ui5-typescript-conversion",
       "description": "SAPUI5 / OpenUI5 plugin for Claude. Convert JavaScript based UI5 projects to TypeScript.",
+      "author": {
+        "name": "SAP SE",
+        "email": "openui5@sap.com",
+        "url": "https://www.sap.com"
+      },
       "category": "development",
       "source": {
         "source": "git-subdir",

.github/workflows/bump-plugin-shas.yml

@@ -4,9 +4,13 @@ name: Bump Plugin SHAs
 # its pinned SHA, validate at the new SHA with `claude plugin validate`
 # inline, then open one PR with all passing bumps.
 #
-# Bot-free — uses the default GITHUB_TOKEN. Because GITHUB_TOKEN-opened PRs
+# Bot-free — uses the default GITHUB_TOKEN. PRs opened with GITHUB_TOKEN don't
-# don't trigger on:pull_request workflows, validation runs in this workflow
+# trigger on:pull_request workflows, so the policy scan (`Scan Plugins`, a
-# before the PR is opened; the PR body links back here as the CI evidence.
+# required status check on main) would never run and the bump PR could never
+# merge. workflow_dispatch is exempt from that recursion guard, so we dispatch
+# the scan ourselves on the bump branch after the PR is opened. The check run
+# lands on the branch HEAD — the same SHA as the PR head — and satisfies the
+# required check.
 
 on:
   schedule:
@@ -21,6 +25,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  actions: write  # gh workflow run scan-plugins.yml on the bump branch
 
 concurrency:
   group: bump-plugin-shas
@@ -31,8 +36,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
+      # createCommitOnBranch-based bump so commits are signed by GitHub and
+      # satisfy the org-level required_signatures ruleset on main.
+      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@c41c6911de0afffd2bc5cd8b21fb1e06444ee13b
+        id: bump
         with:
           marketplace-path: .claude-plugin/marketplace.json
           max-bumps: ${{ inputs.max_bumps || '20' }}
           claude-cli-version: latest
+
+      # `bump/plugin-shas` is the action's default `pr-branch`. The scan diffs
+      # the branch against origin/main (the action's base-ref fallback when
+      # there's no pull_request event) and scans only the bumped entries.
+      - name: Dispatch policy scan on bump branch
+        if: steps.bump.outputs.pr-url != ''
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run scan-plugins.yml --ref bump/plugin-shas

.github/workflows/scan-plugins.yml

@@ -1,10 +1,15 @@
 name: Scan Plugins
 
+# Claude policy scan of changed external marketplace entries.
+#
+# `scan` is a required status check on main. A path-filtered workflow never
+# reports a check run when its paths don't match, which would leave unrelated
+# PRs blocked forever — so this workflow runs on every PR and skips the heavy
+# scan setup at the step level when nothing scan-relevant changed. The check
+# always reports.
+
 on:
   pull_request:
-    paths:
-      - '.claude-plugin/marketplace.json'
-      - '.github/policy/**'
   workflow_dispatch:
     inputs:
       scan_all:
@@ -24,9 +29,42 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Same paths the workflow-level filter used to gate on. workflow_dispatch
+      # always runs the scan (no PR diff to inspect).
+      - name: Check for scan-relevant changes
+        id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if git diff --quiet "$BASE_SHA" HEAD -- .claude-plugin/marketplace.json .github/policy/; then
+            echo "relevant=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No changes to marketplace.json or policy/ — skipping policy scan."
+          else
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      # The shared action no-ops gracefully when ANTHROPIC_API_KEY is unset
+      # (sensible default for community repos). Here `scan` is a required
+      # check, so a silent no-op would make it a rubber stamp — fail closed.
+      - name: Require ANTHROPIC_API_KEY when a scan is needed
+        if: steps.changes.outputs.relevant == 'true'
+        env:
+          API_KEY_SET: ${{ secrets.ANTHROPIC_API_KEY != '' }}
+        run: |
+          if [[ "$API_KEY_SET" != "true" ]]; then
+            echo "::error::ANTHROPIC_API_KEY is not configured; refusing to skip a required policy scan."
+            exit 1
+          fi
+
       # Blocking: policy failures fail the job. Loosen by removing
       # fail-on-findings if the false-positive rate is too high.
-      - uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
+      - if: steps.changes.outputs.relevant == 'true'
+        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
         with:
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           policy-prompt: .github/policy/prompt.md