ci: run validate on workflow-file changes (fix required-check deadlock)

A PR touching only .github/workflows/** (e.g. an action-SHA re-pin like this one) never matched validate-plugins.yml's pull_request path filter, so the required 'validate' check never ran and the PR sat 'Expected — Waiting for status to be reported' with no way to clear it (workflow_dispatch check runs aren't associated with the PR, so they don't satisfy the required check; the ruleset has no bypass actors). Add .github/workflows/** to the trigger so workflow-only PRs validate in-context and can clear the gate — and so this PR unblocks itself. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci: pin scan-plugins + bump-plugin-shas to self-healing action too
2026-06-19 16:14:03 +00:00 · 2026-06-18 21:47:11 -05:00 · 2026-06-18 21:24:31 -05:00 · 2026-06-18 20:55:02 -05:00
3 changed files with 9 additions and 3 deletions
--- a/.github/workflows/bump-plugin-shas.yml
+++ b/.github/workflows/bump-plugin-shas.yml
@@ -51,7 +51,7 @@ jobs:

      # createCommitOnBranch-based bump so commits are signed by GitHub and
      # satisfy the org-level required_signatures ruleset on main.
-      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@e2019b2a01f11aa1484c53540b1cfab5eebbc299
+      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@d207465eb6ec02b6f3f1dbb131717830dc9ecc68
        id: bump
        with:
          marketplace-path: .claude-plugin/marketplace.json
--- a/.github/workflows/scan-plugins.yml
+++ b/.github/workflows/scan-plugins.yml
@@ -196,7 +196,7 @@ jobs:
        continue-on-error: true
        # Pinned to claude-plugins-community#34 (WIF input support).
        # TODO: re-pin to a main-branch SHA once #34 merges.
-        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@e85f0d65b4fc87f07862e1dcdc467950514414ec
+        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@d207465eb6ec02b6f3f1dbb131717830dc9ecc68
        with:
          # Anthropic auth via Workload Identity Federation — the action
          # mints a GitHub OIDC token (id-token: write above) and the claude
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
@@ -8,6 +8,12 @@ on:
      - '*/agents/**'
      - '*/skills/**'
      - '*/commands/**'
+      # `validate` is a required status check, so a PR that touches ONLY workflow
+      # files (e.g. an action-SHA re-pin) would otherwise never trigger validate
+      # and sit "Expected — Waiting for status to be reported" forever (workflow_dispatch
+      # check runs aren't associated with the PR, so they don't satisfy it). Run
+      # validate on workflow changes too so those PRs can clear the gate in-context.
+      - '.github/workflows/**'
  push:
    branches: [main]
    paths:
@@ -32,7 +38,7 @@ jobs:
        with:
          fetch-depth: 0

-      - uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
+      - uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@d207465eb6ec02b6f3f1dbb131717830dc9ecc68
        with:
          marketplace-path: .claude-plugin/marketplace.json
          # Official curated marketplace: SHA-pin (I5) is a HARD error.