Bump 20 plugin SHA pin(s) to upstream HEAD

Make Scan Plugins a viable required check; auto-dispatch on bump PRs (#1815 )
Scan Plugins is meant to gate every change to marketplace.json, but two gaps made that unenforceable: 1. The bump workflow opens PRs with GITHUB_TOKEN, which GitHub exempts from on:pull_request triggers. Weekly bump PRs (e.g. #1809) get no scan check at all. 2. The workflow had a paths filter, so a required-check ruleset for `scan` would block every PR that doesn't touch marketplace.json (no check run = pending forever). Fixes: scan-plugins.yml - Drop the paths filter; replace with a step-level `git diff --quiet` early-exit on the same paths. The check now reports on every PR, which makes it safe to require. - Fail closed when ANTHROPIC_API_KEY is unset and a scan is needed. The shared action no-ops gracefully in that case (right default for community repos), but a required check that silently does nothing is a rubber stamp. bump-plugin-shas.yml - After the action opens the bump PR, `gh workflow run scan-plugins.yml --ref bump/plugin-shas`. workflow_dispatch is exempt from the GITHUB_TOKEN recursion guard, and the resulting check run lands on the branch HEAD (= PR head), so it satisfies the required check. - Add `actions: write` so the dispatch is allowed. Follow-up: add a repo ruleset on main requiring the `scan` check (integration: github-actions) once this merges.
2026-05-11 23:02:41 +00:00 · 2026-05-11 21:14:28 +00:00 · 2026-05-11 15:14:33 -05:00 · 2026-05-11 15:12:42 -05:00 · 2026-05-11 20:45:40 +01:00 · 2026-05-11 12:37:36 -05:00
3 changed files with 136 additions and 28 deletions
--- a/.claude-plugin/marketplace.json
+++ b/.claude-plugin/marketplace.json
@@ -19,7 +19,7 @@
        "url": "https://github.com/42Crunch-AI/claude-plugins.git",
        "path": "plugins/api-security-testing",
        "ref": "v1.0.1",
-        "sha": "56273e0e20762d76640838300a7431c4260cad32"
+        "sha": "69534e359680de7e3c40f39aadb343ce3cb53701"
      },
      "homepage": "https://42crunch.com"
    },
@@ -35,7 +35,7 @@
        "url": "https://github.com/adobe/skills.git",
        "path": "plugins/creative-cloud/adobe-for-creativity",
        "ref": "main",
-        "sha": "0f1ad97af8b4de2107c2417184fc4c3114bda9d3"
+        "sha": "7cc6b49b8e2e2681314f59ea1026122330362aa7"
      },
      "homepage": "https://github.com/adobe/skills/tree/main/plugins/creative-cloud/adobe-for-creativity"
    },
@@ -57,7 +57,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/SalesforceAIResearch/agentforce-adlc.git",
-        "sha": "9ef4d9b1958d4ed21179017d0452a81ec13c1de2"
+        "sha": "d645d2c8ce0689a568224436061872ab9f0ab179"
      },
      "homepage": "https://github.com/SalesforceAIResearch/agentforce-adlc"
    },
@@ -81,6 +81,22 @@
      },
      "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
    },
+    {
+      "name": "airtable",
+      "description": "Airtable is the database and operations layer for your agents — whether running product, marketing, sales, ops, HR, or a custom business app. It combines structured data with multiplayer visual surfaces (grid, kanban, calendar, gallery, timeline) humans and agents share — plus sync integrations to Jira, Salesforce, Zendesk, Google Drive, Databricks, and the rest of your stack, all backed by enterprise governance. This plugin makes Claude fluent in Airtable: creating bases and schema, working with records, and sharing UI for collaboration. Bundles the official Airtable MCP server.",
+      "author": {
+        "name": "Airtable"
+      },
+      "category": "productivity",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Airtable/skills.git",
+        "path": "plugins/airtable",
+        "ref": "main",
+        "sha": "aaeb4f3ec8d462d694a13fe5c3d249c291bf8899"
+      },
+      "homepage": "https://www.airtable.com"
+    },
    {
      "name": "alloydb",
      "description": "Create, connect, and interact with an AlloyDB for PostgreSQL database and data.",
@@ -91,7 +107,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/gemini-cli-extensions/alloydb.git",
-        "sha": "0723d3ada808fe8f33e1b2808fd7a843c3d63ad2"
+        "sha": "4a75653275b095fcacf1508796b0fee8cc758c07"
      },
      "homepage": "https://cloud.google.com/alloydb"
    },
@@ -104,7 +120,7 @@
        "url": "https://github.com/awslabs/agent-plugins.git",
        "path": "plugins/amazon-location-service",
        "ref": "main",
-        "sha": "6cfb70e55aa142a8eda66e6ef7966d5921bdf9a2"
+        "sha": "08bbd67c02fbbbcc84673efedad62c89c9865e3f"
      },
      "homepage": "https://github.com/awslabs/agent-plugins"
    },
@@ -149,7 +165,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/astronomer/agents.git",
-        "sha": "5935c4330dea4dfb8e93568956b10a543ecdb3d1"
+        "sha": "535a040ca9e27aaed6da13f0f959625fb3294820"
      },
      "homepage": "https://github.com/astronomer/agents"
    },
@@ -159,7 +175,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/atlanhq/agent-toolkit.git",
-        "sha": "acdf284da6aa98b14f8dad90a9827006d8df425c"
+        "sha": "790398c87378f128bdc74c31bb7ecfb8e4695f29"
      },
      "homepage": "https://docs.atlan.com/"
    },
@@ -201,7 +217,7 @@
        "url": "https://github.com/auth0/agent-skills.git",
        "path": "plugins/auth0",
        "ref": "main",
-        "sha": "f7724bf7984c5b00496cac0f54526bb1cf505dcb"
+        "sha": "010dd3bf860404708c3dc5fe8e1a50df1f914e3c"
      },
      "homepage": "https://auth0.com/docs/quickstart/agent-skills"
    },
@@ -217,7 +233,7 @@
        "url": "https://github.com/aws/agent-toolkit-for-aws.git",
        "path": "plugins/aws-agents",
        "ref": "main",
-        "sha": "750230758fbf23acd60d075dedd7ead4092127ce"
+        "sha": "01fdfa8d13ca898a210d638c43a3062657056733"
      },
      "homepage": "https://github.com/aws/agent-toolkit-for-aws"
    },
@@ -230,7 +246,7 @@
        "url": "https://github.com/awslabs/agent-plugins.git",
        "path": "plugins/aws-amplify",
        "ref": "main",
-        "sha": "6cfb70e55aa142a8eda66e6ef7966d5921bdf9a2"
+        "sha": "08bbd67c02fbbbcc84673efedad62c89c9865e3f"
      },
      "homepage": "https://github.com/awslabs/agent-plugins"
    },
@@ -246,7 +262,7 @@
        "url": "https://github.com/aws/agent-toolkit-for-aws.git",
        "path": "plugins/aws-core",
        "ref": "main",
-        "sha": "750230758fbf23acd60d075dedd7ead4092127ce"
+        "sha": "01fdfa8d13ca898a210d638c43a3062657056733"
      },
      "homepage": "https://github.com/aws/agent-toolkit-for-aws"
    },
@@ -262,7 +278,7 @@
        "url": "https://github.com/aws/agent-toolkit-for-aws.git",
        "path": "plugins/aws-data-analytics",
        "ref": "main",
-        "sha": "750230758fbf23acd60d075dedd7ead4092127ce"
+        "sha": "01fdfa8d13ca898a210d638c43a3062657056733"
      },
      "homepage": "https://github.com/aws/agent-toolkit-for-aws"
    },
@@ -291,7 +307,7 @@
        "url": "https://github.com/awslabs/agent-plugins.git",
        "path": "plugins/aws-serverless",
        "ref": "main",
-        "sha": "6cfb70e55aa142a8eda66e6ef7966d5921bdf9a2"
+        "sha": "08bbd67c02fbbbcc84673efedad62c89c9865e3f"
      },
      "homepage": "https://github.com/awslabs/agent-plugins"
    },
@@ -302,7 +318,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/microsoft/azure-skills.git",
-        "sha": "ed25b85a13ec001c53f538b07e0bfbe732673885"
+        "sha": "2fc301fe5ab66ede17d2d738da8398e077e900d9"
      },
      "homepage": "https://github.com/microsoft/azure-skills"
    },
@@ -324,7 +340,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/base44/skills.git",
-        "sha": "c7039b37eca0e2916a565a7395040c00055bcf8b"
+        "sha": "ec420cf2edd2c7e9a523d5afe2e71498a6357fa4"
      },
      "homepage": "https://docs.base44.com"
    },
@@ -340,7 +356,7 @@
        "url": "https://github.com/Bigdata-com/bigdata-plugins-marketplace.git",
        "path": "plugins/bigdata-com",
        "ref": "main",
-        "sha": "274b5365bdc61130225de736d3f3ca5210c0e37d"
+        "sha": "c77a09caabdc8783adbcbf8bbe05a0f57da12b19"
      },
      "homepage": "https://docs.bigdata.com"
    },
@@ -351,7 +367,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/box/box-for-ai.git",
-        "sha": "0fb23244e3c35cd562206c80eff1e22c456046ea"
+        "sha": "16f1a0427710b0812519ea634cd5ce6830bde8fc"
      },
      "homepage": "https://github.com/box/box-for-ai"
    },
@@ -361,18 +377,23 @@
      "source": {
        "source": "url",
        "url": "https://github.com/brightdata/skills.git",
-        "sha": "44b24797d82cfd535c5b97831d5c6ba86c9d60df"
+        "sha": "d357bf7bc3a2cd39eb3ef66491e3a40f91a055fb"
      },
      "homepage": "https://docs.brightdata.com"
    },
    {
      "name": "cds-mcp",
      "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
      "category": "development",
      "source": {
        "source": "url",
        "url": "https://github.com/cap-js/mcp-server.git",
-        "sha": "4d59d7070a52761a9b8028cbe710c8d7477cbc92"
+        "sha": "8ce2e13ac70bd78415aedeaab0061af9396d3372"
      },
      "homepage": "https://cap.cloud.sap/"
    },
@@ -383,7 +404,7 @@
      "source": {
        "source": "url",
        "url": "https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
-        "sha": "a1612be8e01401cf1711c64bc2ef5da5763ba956"
+        "sha": "178b79049318a63d1df1bd40e069f0627fa06fcc"
      },
      "homepage": "https://github.com/ChromeDevTools/chrome-devtools-mcp"
    },
@@ -1163,6 +1184,22 @@
      "category": "development",
      "homepage": "https://github.com/anthropics/claude-plugins-official/tree/main/plugins/mcp-server-dev"
    },
+    {
+      "name": "mercadopago",
+      "description": "Mercado Pago full-product integration toolkit. Covers online checkout (Pro, Bricks, API), in-store (QR, Point), subscriptions, marketplace, wallet, money-out, security (3DS, PCI), reporting, SDKs, and specialized integrations. Hybrid architecture: 13 skills provide stable integration intelligence, MCP provides live API data.",
+      "author": {
+        "name": "Mercado Pago Developer Experience"
+      },
+      "category": "development",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/mercadopago/mercadopago-claude-marketplace.git",
+        "path": "plugins/mercadopago",
+        "ref": "main",
+        "sha": "1de8d97e1c875136e93bc8eea8494ebf982a08b8"
+      },
+      "homepage": "https://github.com/mercadopago/mercadopago-claude-marketplace/tree/main/plugins/mercadopago"
+    },
    {
      "name": "microsoft-docs",
      "description": "Access official Microsoft documentation, API references, and code samples for Azure, .NET, Windows, and more.",
@@ -1677,6 +1714,22 @@
      },
      "homepage": "https://www.sanity.io"
    },
+    {
+      "name": "sap-cds-mcp",
+      "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/cap-js/mcp-server.git",
+        "sha": "8ce2e13ac70bd78415aedeaab0061af9396d3372"
+      },
+      "homepage": "https://cap.cloud.sap/"
+    },
    {
      "name": "sap-fiori-mcp-server",
      "description": "MCP server for SAP Fiori development tools for Claude Code. Build and modify SAP Fiori applications with AI assistance.",
--- a/.github/workflows/bump-plugin-shas.yml
+++ b/.github/workflows/bump-plugin-shas.yml
@@ -4,9 +4,13 @@ name: Bump Plugin SHAs
 # its pinned SHA, validate at the new SHA with `claude plugin validate`
 # inline, then open one PR with all passing bumps.
 #
-# Bot-free — uses the default GITHUB_TOKEN. Because GITHUB_TOKEN-opened PRs
-# don't trigger on:pull_request workflows, validation runs in this workflow
-# before the PR is opened; the PR body links back here as the CI evidence.
+# Bot-free — uses the default GITHUB_TOKEN. PRs opened with GITHUB_TOKEN don't
+# trigger on:pull_request workflows, so the policy scan (`Scan Plugins`, a
+# required status check on main) would never run and the bump PR could never
+# merge. workflow_dispatch is exempt from that recursion guard, so we dispatch
+# the scan ourselves on the bump branch after the PR is opened. The check run
+# lands on the branch HEAD — the same SHA as the PR head — and satisfies the
+# required check.

 on:
  schedule:
@@ -21,6 +25,7 @@ on:
 permissions:
  contents: write
  pull-requests: write
+  actions: write  # gh workflow run scan-plugins.yml on the bump branch

 concurrency:
  group: bump-plugin-shas
@@ -31,8 +36,20 @@ jobs:
    steps:
      - uses: actions/checkout@v4

-      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
+      # createCommitOnBranch-based bump so commits are signed by GitHub and
+      # satisfy the org-level required_signatures ruleset on main.
+      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@c41c6911de0afffd2bc5cd8b21fb1e06444ee13b
+        id: bump
        with:
          marketplace-path: .claude-plugin/marketplace.json
          max-bumps: ${{ inputs.max_bumps || '20' }}
          claude-cli-version: latest
+
+      # `bump/plugin-shas` is the action's default `pr-branch`. The scan diffs
+      # the branch against origin/main (the action's base-ref fallback when
+      # there's no pull_request event) and scans only the bumped entries.
+      - name: Dispatch policy scan on bump branch
+        if: steps.bump.outputs.pr-url != ''
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run scan-plugins.yml --ref bump/plugin-shas
--- a/.github/workflows/scan-plugins.yml
+++ b/.github/workflows/scan-plugins.yml
@@ -1,10 +1,15 @@
 name: Scan Plugins

+# Claude policy scan of changed external marketplace entries.
+#
+# `scan` is a required status check on main. A path-filtered workflow never
+# reports a check run when its paths don't match, which would leave unrelated
+# PRs blocked forever — so this workflow runs on every PR and skips the heavy
+# scan setup at the step level when nothing scan-relevant changed. The check
+# always reports.
+
 on:
  pull_request:
-    paths:
-      - '.claude-plugin/marketplace.json'
-      - '.github/policy/**'
  workflow_dispatch:
    inputs:
      scan_all:
@@ -24,9 +29,42 @@ jobs:
        with:
          fetch-depth: 0

+      # Same paths the workflow-level filter used to gate on. workflow_dispatch
+      # always runs the scan (no PR diff to inspect).
+      - name: Check for scan-relevant changes
+        id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if git diff --quiet "$BASE_SHA" HEAD -- .claude-plugin/marketplace.json .github/policy/; then
+            echo "relevant=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No changes to marketplace.json or policy/ — skipping policy scan."
+          else
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      # The shared action no-ops gracefully when ANTHROPIC_API_KEY is unset
+      # (sensible default for community repos). Here `scan` is a required
+      # check, so a silent no-op would make it a rubber stamp — fail closed.
+      - name: Require ANTHROPIC_API_KEY when a scan is needed
+        if: steps.changes.outputs.relevant == 'true'
+        env:
+          API_KEY_SET: ${{ secrets.ANTHROPIC_API_KEY != '' }}
+        run: |
+          if [[ "$API_KEY_SET" != "true" ]]; then
+            echo "::error::ANTHROPIC_API_KEY is not configured; refusing to skip a required policy scan."
+            exit 1
+          fi
+
      # Blocking: policy failures fail the job. Loosen by removing
      # fail-on-findings if the false-positive rate is too high.
-      - uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
+      - if: steps.changes.outputs.relevant == 'true'
+        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          policy-prompt: .github/policy/prompt.md
Author	SHA1	Message	Date
github-actions[bot]	7665548c5a	Bump 20 plugin SHA pin(s) to upstream HEAD	2026-05-11 21:14:28 +00:00
Tobin South	45896c8f2f	Make Scan Plugins a viable required check; auto-dispatch on bump PRs (#1815 ) Scan Plugins is meant to gate every change to marketplace.json, but two gaps made that unenforceable: 1. The bump workflow opens PRs with GITHUB_TOKEN, which GitHub exempts from on:pull_request triggers. Weekly bump PRs (e.g. #1809) get no scan check at all. 2. The workflow had a paths filter, so a required-check ruleset for `scan` would block every PR that doesn't touch marketplace.json (no check run = pending forever). Fixes: scan-plugins.yml - Drop the paths filter; replace with a step-level `git diff --quiet` early-exit on the same paths. The check now reports on every PR, which makes it safe to require. - Fail closed when ANTHROPIC_API_KEY is unset and a scan is needed. The shared action no-ops gracefully in that case (right default for community repos), but a required check that silently does nothing is a rubber stamp. bump-plugin-shas.yml - After the action opens the bump PR, `gh workflow run scan-plugins.yml --ref bump/plugin-shas`. workflow_dispatch is exempt from the GITHUB_TOKEN recursion guard, and the resulting check run lands on the branch HEAD (= PR head), so it satisfies the required check. - Add `actions: write` so the dispatch is allowed. Follow-up: add a repo ruleset on main requiring the `scan` check (integration: github-actions) once this merges.	2026-05-11 15:14:33 -05:00
Tobin South	7f6f5a8836	Add airtable plugin (#1817 ) Adds the airtable marketplace entry. Sourced from Airtable/skills at plugins/airtable, pinned to aaeb4f3e (latest main, tag 2026-05-06). Bundles the official Airtable MCP server (mcp.airtable.com/mcp) plus skills for the Airtable data model and filter syntax. https://claude.ai/code/session_01Vom6RzMA4p6erqGiZxg8yE Co-authored-by: Claude <noreply@anthropic.com>	2026-05-11 15:12:42 -05:00
Tobin South	fe8f81309e	Bump bump-plugin-shas action so bump commits are signed (#1814 ) The pinned version of anthropics/claude-plugins-community's bump-plugin-shas action creates the bump commit with a local git commit, which is unsigned and unmergeable under the required_signatures ruleset on main. The new SHA creates the commit via the GraphQL createCommitOnBranch mutation, which GitHub signs server-side, so weekly bump PRs (e.g. #1809) become mergeable.	2026-05-11 20:45:40 +01:00
Tobin South	6196a61bde	Add mercadopago plugin (#1813 ) Mercado Pago full-product integration toolkit — 13 skills, agents, and a bundled MCP for live API data. Sourced from mercadopago/mercadopago-claude-marketplace at plugins/mercadopago, pinned to 1de8d97e. Closes #1272 https://claude.ai/code/session_01XCupEyAPLqxo2eHgVoWevi Co-authored-by: Claude <noreply@anthropic.com>	2026-05-11 12:37:36 -05:00
Bryan Thompson	480a410cc0	Add sap-cds-mcp plugin + SAP SE author block on cds-mcp (#1778 ) CAP CDS work as one cohesive unit, split out of #1616 to keep that PR narrowly scoped to sap-hana-cli (which is currently held on an upstream plugin.json fix). - Adds new sap-cds-mcp entry alongside existing cds-mcp (additive, non-breaking — both point to cap-js/mcp-server). Pinned at 8ce2e13a. - Adds the unified SAP SE author block to existing cds-mcp. Per the SAP namespace policy agreed with SAP (Tobin 2026-04-29 + Florian/Klaus/Avital 2026-05-04 email).	2026-05-11 17:54:50 +01:00