Fix servicenow-sdk ref: ServiceNow/sdk uses master, not main

The ServiceNow/sdk repository's default branch is 'master' and there is
no 'main' branch. The pinned SHA (06adf37) is the current head of
'master'. Update the ref so future SHA bumps target the correct branch.

.claude-plugin/marketplace.json

@@ -81,6 +81,22 @@
       },
       "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
     },
+    {
+      "name": "airtable",
+      "description": "Airtable is the database and operations layer for your agents — whether running product, marketing, sales, ops, HR, or a custom business app. It combines structured data with multiplayer visual surfaces (grid, kanban, calendar, gallery, timeline) humans and agents share — plus sync integrations to Jira, Salesforce, Zendesk, Google Drive, Databricks, and the rest of your stack, all backed by enterprise governance. This plugin makes Claude fluent in Airtable: creating bases and schema, working with records, and sharing UI for collaboration. Bundles the official Airtable MCP server.",
+      "author": {
+        "name": "Airtable"
+      },
+      "category": "productivity",
+      "source": {
+        "source": "git-subdir",
+        "url": "https://github.com/Airtable/skills.git",
+        "path": "plugins/airtable",
+        "ref": "main",
+        "sha": "aaeb4f3ec8d462d694a13fe5c3d249c291bf8899"
+      },
+      "homepage": "https://www.airtable.com"
+    },
     {
       "name": "alloydb",
       "description": "Create, connect, and interact with an AlloyDB for PostgreSQL database and data.",
@@ -368,6 +384,11 @@
     {
       "name": "cds-mcp",
       "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
       "category": "development",
       "source": {
         "source": "url",
@@ -1693,6 +1714,22 @@
       },
       "homepage": "https://www.sanity.io"
     },
+    {
+      "name": "sap-cds-mcp",
+      "description": "AI-assisted development of SAP Cloud Application Programming Model (CAP) projects. Search CDS models and CAP documentation.",
+      "author": {
+        "name": "SAP SE",
+        "email": "ospo@sap.com",
+        "url": "https://www.sap.com"
+      },
+      "category": "development",
+      "source": {
+        "source": "url",
+        "url": "https://github.com/cap-js/mcp-server.git",
+        "sha": "8ce2e13ac70bd78415aedeaab0061af9396d3372"
+      },
+      "homepage": "https://cap.cloud.sap/"
+    },
     {
       "name": "sap-fiori-mcp-server",
       "description": "MCP server for SAP Fiori development tools for Claude Code. Build and modify SAP Fiori applications with AI assistance.",
@@ -1782,7 +1819,7 @@
         "source": "git-subdir",
         "url": "https://github.com/ServiceNow/sdk.git",
         "path": "providers/claude/plugin",
-        "ref": "main",
+        "ref": "master",
         "sha": "06adf37ca78c270a57f93e7b9dfbb7bf16e24611"
       },
       "homepage": "https://servicenow.github.io/sdk/"

.github/workflows/bump-plugin-shas.yml

@@ -4,9 +4,13 @@ name: Bump Plugin SHAs
 # its pinned SHA, validate at the new SHA with `claude plugin validate`
 # inline, then open one PR with all passing bumps.
 #
-# Bot-free — uses the default GITHUB_TOKEN. Because GITHUB_TOKEN-opened PRs
-# don't trigger on:pull_request workflows, validation runs in this workflow
-# before the PR is opened; the PR body links back here as the CI evidence.
+# Bot-free — uses the default GITHUB_TOKEN. PRs opened with GITHUB_TOKEN don't
+# trigger on:pull_request workflows, so the policy scan (`Scan Plugins`, a
+# required status check on main) would never run and the bump PR could never
+# merge. workflow_dispatch is exempt from that recursion guard, so we dispatch
+# the scan ourselves on the bump branch after the PR is opened. The check run
+# lands on the branch HEAD — the same SHA as the PR head — and satisfies the
+# required check.
 
 on:
   schedule:
@@ -21,6 +25,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  actions: write  # gh workflow run scan-plugins.yml on the bump branch
 
 concurrency:
   group: bump-plugin-shas
@@ -31,8 +36,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
+      # createCommitOnBranch-based bump so commits are signed by GitHub and
+      # satisfy the org-level required_signatures ruleset on main.
+      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@c41c6911de0afffd2bc5cd8b21fb1e06444ee13b
+        id: bump
         with:
           marketplace-path: .claude-plugin/marketplace.json
           max-bumps: ${{ inputs.max_bumps || '20' }}
           claude-cli-version: latest
+
+      # `bump/plugin-shas` is the action's default `pr-branch`. The scan diffs
+      # the branch against origin/main (the action's base-ref fallback when
+      # there's no pull_request event) and scans only the bumped entries.
+      - name: Dispatch policy scan on bump branch
+        if: steps.bump.outputs.pr-url != ''
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh workflow run scan-plugins.yml --ref bump/plugin-shas

.github/workflows/scan-plugins.yml

@@ -1,10 +1,15 @@
 name: Scan Plugins
 
+# Claude policy scan of changed external marketplace entries.
+#
+# `scan` is a required status check on main. A path-filtered workflow never
+# reports a check run when its paths don't match, which would leave unrelated
+# PRs blocked forever — so this workflow runs on every PR and skips the heavy
+# scan setup at the step level when nothing scan-relevant changed. The check
+# always reports.
+
 on:
   pull_request:
-    paths:
-      - '.claude-plugin/marketplace.json'
-      - '.github/policy/**'
   workflow_dispatch:
     inputs:
       scan_all:
@@ -24,9 +29,42 @@ jobs:
         with:
           fetch-depth: 0
 
+      # Same paths the workflow-level filter used to gate on. workflow_dispatch
+      # always runs the scan (no PR diff to inspect).
+      - name: Check for scan-relevant changes
+        id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if git diff --quiet "$BASE_SHA" HEAD -- .claude-plugin/marketplace.json .github/policy/; then
+            echo "relevant=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No changes to marketplace.json or policy/ — skipping policy scan."
+          else
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      # The shared action no-ops gracefully when ANTHROPIC_API_KEY is unset
+      # (sensible default for community repos). Here `scan` is a required
+      # check, so a silent no-op would make it a rubber stamp — fail closed.
+      - name: Require ANTHROPIC_API_KEY when a scan is needed
+        if: steps.changes.outputs.relevant == 'true'
+        env:
+          API_KEY_SET: ${{ secrets.ANTHROPIC_API_KEY != '' }}
+        run: |
+          if [[ "$API_KEY_SET" != "true" ]]; then
+            echo "::error::ANTHROPIC_API_KEY is not configured; refusing to skip a required policy scan."
+            exit 1
+          fi
+
       # Blocking: policy failures fail the job. Loosen by removing
       # fail-on-findings if the false-positive rate is too high.
-      - uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
+      - if: steps.changes.outputs.relevant == 'true'
+        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
         with:
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           policy-prompt: .github/policy/prompt.md