bump(data-engineering): ed2fe757 → d33a14dd

.claude-plugin/marketplace.json

@@ -77,7 +77,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/AikidoSec/aikido-claude-plugin.git",
-        "sha": "fbe11e287175e5eda448516dd2f741a63b276514"
+        "sha": "01e8cf542500e579cff948a0fa0365e4f819d7b4"
       },
       "homepage": "https://github.com/AikidoSec/aikido-claude-plugin"
     },
@@ -223,7 +223,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "d33a14ddd4cd8045f90acfe49d2552120feeeced"
+        "sha": "ed2fe757381ff42337fd7bce56a50f31134d9dce"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -276,7 +276,7 @@
         "url": "https://github.com/auth0/agent-skills.git",
         "path": "plugins/auth0",
         "ref": "main",
-        "sha": "aacefa7dcbdf2d32ac14d3d7790b610cf716bd3c"
+        "sha": "3e3a5d84fe922378bd2c2eafb7f7986759e3c87e"
       },
       "homepage": "https://auth0.com"
     },
@@ -337,7 +337,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-core",
         "ref": "main",
-        "sha": "49c4592dc490f569d5adf0c483239886bad2f09b"
+        "sha": "7898a91483218173d096db3de6892c2dc545d160"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -353,7 +353,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-data-analytics",
         "ref": "main",
-        "sha": "49c4592dc490f569d5adf0c483239886bad2f09b"
+        "sha": "49ca75209219a89ac43690d6ca0a59d976933ee8"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -425,7 +425,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/microsoft/azure-skills.git",
-        "sha": "c752fe85c8e499e32e34eb8a5498c22d5dd586c8"
+        "sha": "2cd48ca625cddcc1d377d2861fbddd54417c70cc"
       },
       "homepage": "https://github.com/microsoft/azure-skills"
     },
@@ -551,7 +551,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-cap-table",
         "ref": "main",
-        "sha": "8d49ea8bbb0ef82f3495dc246478ea2eacf3e3a0"
+        "sha": "d73954d3d9ce1e3fce1ec2b9ee6819922dd539e3"
       },
       "homepage": "https://carta.com"
     },
@@ -583,7 +583,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-investors",
         "ref": "main",
-        "sha": "8d49ea8bbb0ef82f3495dc246478ea2eacf3e3a0"
+        "sha": "d73a3615864a5590ad6105df1b3e1b26324d1813"
       },
       "homepage": "https://carta.com"
     },
@@ -610,7 +610,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
-        "sha": "e5bd334c97b4f25207cad586684cca8208f1657e"
+        "sha": "6a9466378c13b6ccba91b54091ea83a5ca37a8db"
       },
       "homepage": "https://github.com/ChromeDevTools/chrome-devtools-mcp"
     },
@@ -935,7 +935,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/CrowdStrike/foundry-skills.git",
-        "sha": "7b2cda5cd3c5383924c365a3194172feb9fbac59"
+        "sha": "20ef548a615a5a8a18de7edbe65eb4bb10c8563b"
       },
       "homepage": "https://github.com/CrowdStrike/foundry-skills"
     },
@@ -981,7 +981,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/dash0hq/dash0-agent-plugin.git",
-        "sha": "4eac30a47b4dd3819e0719f9f01b9772cde7ca24"
+        "sha": "f8c31f6fcdc6588a27153ceed09e561a40da3a86"
       },
       "homepage": "https://dash0.com/"
     },
@@ -992,7 +992,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/astronomer/agents.git",
-        "sha": "d33a14ddd4cd8045f90acfe49d2552120feeeced"
+        "sha": "e4ebf9a7ad3f8dbf3fcfda9c245a65eb1415967b"
       },
       "homepage": "https://github.com/astronomer/agents"
     },
@@ -1006,7 +1006,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack.git",
-        "sha": "9bc90f9ec22b156a71f37c45157cf3f551005a45"
+        "sha": "86cd0201237ed5ac30d8645c2ba50000fac84972"
       },
       "homepage": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack"
     },
@@ -1029,7 +1029,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/databases-on-aws",
         "ref": "main",
-        "sha": "96a073a195491f2192c256ba66730b631ced03e1"
+        "sha": "66dd3cf5acdf374cc0d79af2bf51fa6fbb975c07"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -1045,7 +1045,7 @@
         "url": "https://github.com/databricks/databricks-agent-skills.git",
         "path": "plugins/databricks/claude",
         "ref": "main",
-        "sha": "ae99f56bbadc5ac0bac8df11791eb6a5224a2a36"
+        "sha": "e337277c9771597bd2a67dfc5f8dd1d1afc887c6"
       },
       "homepage": "https://developers.databricks.com/"
     },
@@ -1087,7 +1087,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/dataproc.git",
-        "sha": "6d6ac3889bf448e33a0ad96174bc5b0849c74ebe"
+        "sha": "c36c7f8bb53a1f8903382471366986ef226c509d"
       },
       "homepage": "https://github.com/gemini-cli-extensions/dataproc"
     },
@@ -1221,7 +1221,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/exa-labs/exa-mcp-server.git",
-        "sha": "f7e9032308a6dca9dbad76d22bc3cda287ba6775"
+        "sha": "40d9990f48c55301535b0ea2d950176e6f115df3"
       },
       "homepage": "https://exa.ai/docs/reference/exa-mcp"
     },
@@ -1442,7 +1442,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/hunter-io/claude-plugin.git",
-        "sha": "6db1c0ae9a789da21b415d65a59a3409dd99ca38"
+        "sha": "0a03795dfe7258f46e702a2898bfc25aebbfcc58"
       },
       "homepage": "https://hunter.io"
     },
@@ -1456,7 +1456,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/heygen-com/hyperframes.git",
-        "sha": "13b115e00684a8b6ed1ebed952b6fec2868d5c86"
+        "sha": "56859b618f45f646835c717a8a6dfaabbbda636d"
       },
       "homepage": "https://hyperframes.heygen.com"
     },
@@ -1563,7 +1563,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/langfuse/claude-observability-plugin.git",
-        "sha": "4615df55428bdcd8a2095fdea2cbe970b2c5152e"
+        "sha": "938df41639efcaa22790b1a216308b6ed626a8b7"
       },
       "homepage": "https://langfuse.com/integrations/other/claude-code"
     },
@@ -1867,7 +1867,7 @@
         "url": "https://github.com/awslabs/startups.git",
         "path": "migrate/plugins/migration-to-aws",
         "ref": "main",
-        "sha": "59db838b8731291753007a31a4a370472bbdb6d5"
+        "sha": "e49c21bf8b4883a9646938c00091633dfb8f483f"
       },
       "homepage": "https://github.com/awslabs/startups"
     },
@@ -1991,7 +1991,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Nimbleway/agent-skills.git",
-        "sha": "958fca1cca704c247fe75929c572fbad6a302ba5"
+        "sha": "1a599ea15f71d20cc6f85692030021146931997a"
       },
       "homepage": "https://docs.nimbleway.com/integrations/agent-skills/plugin-installation"
     },
@@ -2066,7 +2066,7 @@
         "url": "https://github.com/oracle-samples/oracle-aidp-samples.git",
         "path": "ai/claude-code-plugins/oracle-ai-data-platform-workbench-spark-connectors",
         "ref": "main",
-        "sha": "ca1ab4e5689bdc6cb22b842fed5d98829847fd64"
+        "sha": "13e7a9139b3b62172119c7fc1a63bf4a2eac919d"
       },
       "homepage": "https://docs.oracle.com/en/cloud/paas/ai-data-platform/index.html"
     },
@@ -2272,7 +2272,7 @@
         "url": "https://github.com/pydantic/skills.git",
         "path": "plugins/ai",
         "ref": "main",
-        "sha": "96e5d761173b496a4ce4188ce4aaada86d93a5c3"
+        "sha": "f0c20b9895f06d58823032f13e68c6aaae9dd3fa"
       },
       "homepage": "https://github.com/pydantic/skills/tree/main/plugins/ai"
     },
@@ -2411,7 +2411,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/Digital-Process-Tools/claude-remember.git",
-        "sha": "9d7324957b4d6e92fd57d265a2685a363e93f63e"
+        "sha": "f1a00382598ef627c858d9eed6438047b072ba41"
       },
       "homepage": "https://github.com/Digital-Process-Tools/claude-remember"
     },
@@ -2656,7 +2656,7 @@
         "source": "git-subdir",
         "url": "https://github.com/semgrep/mcp-marketplace.git",
         "path": "plugin",
-        "sha": "8e652ba6f586bb20377a72792c402c5a85a9b284"
+        "sha": "5ee984a4aeee83b3edae3ed44be4be8d333d24d1"
       },
       "homepage": "https://github.com/semgrep/mcp-marketplace.git"
     },
@@ -2667,7 +2667,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/getsentry/plugin-claude.git",
-        "sha": "83df938b934e154c5be2a059fab500711ac54c3f"
+        "sha": "f69cf097dd4c2fd56cab2738442e78848ff6d206"
       },
       "homepage": "https://github.com/getsentry/plugin-claude"
     },
@@ -2683,7 +2683,7 @@
         "url": "https://github.com/getsentry/cli.git",
         "path": "plugins/sentry-cli",
         "ref": "main",
-        "sha": "97e7fccea763d388c49f5f69eaebac59749bf65d"
+        "sha": "6acb9aa84a8e02d2cc4b029e05266427fdb79559"
       },
       "homepage": "https://sentry.io"
     },
@@ -2860,7 +2860,7 @@
         "url": "https://github.com/stripe/ai.git",
         "path": "providers/claude/plugin",
         "ref": "main",
-        "sha": "f54c9e6c0e8b6cfe4e648745eec68ecab3ddc994"
+        "sha": "23b54f12503eb18bb05eb9de9fbaeb301bec80b0"
       },
       "homepage": "https://github.com/stripe/ai/tree/main/providers/claude/plugin"
     },
@@ -2872,7 +2872,7 @@
         "source": "url",
         "url": "https://github.com/sumup/sumup-skills.git",
         "path": "providers/claude/plugin",
-        "sha": "700da2e866a71c7acbfcb0f2940ad7fa19955ae4"
+        "sha": "b69ff6f5afcd5934af70529e529c0dd8abe46cbe"
       },
       "homepage": "https://www.sumup.com/"
     },
@@ -2928,7 +2928,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/JetBrains/teamcity-cli.git",
-        "sha": "32dfd91cc8a9b6d44f47896c1ef1b183ab58e973"
+        "sha": "42ce6a22b1a8167120adbfa8de8b79f36e698133"
       },
       "homepage": "https://www.jetbrains.com/teamcity/"
     },
@@ -3039,7 +3039,7 @@
         "url": "https://github.com/UI5/plugins-coding-agents.git",
         "path": "plugins/ui5-modernization",
         "ref": "main",
-        "sha": "d1e3a43fa80ef160cb42689b88d665e25a5a81a1"
+        "sha": "1d4dedd56afcd1c3269c4d80f09e2ddb7f1bf5be"
       },
       "homepage": "https://github.com/UI5/plugins-coding-agents"
     },
@@ -3272,7 +3272,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/langfuse/skills.git",
-        "sha": "6b6c44cfe3c4e00860401a697d401dcb3b6e3737"
+        "sha": "c39789078b848160a695947907db3ba40b7a2bce"
       },
       "homepage": "https://langfuse.com"
     }

.github/scripts/external-pr-scope.js

@@ -121,33 +121,4 @@ async function evaluate({ github, context }) {
   return analyze({ changedFiles, before, after, liveRepos: liveReposOf(liveBase) });
 }
 
-// Authors that are NOT subject to the external-contributor scope rules:
-//   - the repo's own automation bot — its bump PRs legitimately MODIFY existing entries
-//     (SHA bumps), which the additions-only external-contributor rule forbids; AND
-//   - org members (write/admin).
-// Safe under pull_request_target: a fork PR cannot set its author to github-actions[bot]
-// (that login is only ever the org's own GITHUB_TOKEN workflow), and the member path is a
-// real permission lookup. Wrapped in try/catch because getCollaboratorPermissionLevel throws
-// for a non-collaborator/unknown user — without this, both callers would error the job rather
-// than fall through to scope evaluation.
-const EXEMPT_BOTS = new Set(['github-actions[bot]']);
-
-async function isExemptAuthor({ github, context }) {
-  const author = context.payload.pull_request.user.login;
-  if (EXEMPT_BOTS.has(author)) {
-    return { exempt: true, reason: `${author} is the trusted automation bot` };
-  }
-  try {
-    const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-      owner: context.repo.owner, repo: context.repo.repo, username: author,
-    });
-    if (['admin', 'write'].includes(data.permission)) {
-      return { exempt: true, reason: `${author} is ${data.permission} (member)` };
-    }
-  } catch (e) {
-    // not a collaborator / lookup failed → not exempt; fall through to scope evaluation
-  }
-  return { exempt: false };
-}
-
-module.exports = { normalizeRepo, liveReposOf, analyze, readPlugins, evaluate, isExemptAuthor, MARKETPLACE };
+module.exports = { normalizeRepo, liveReposOf, analyze, readPlugins, evaluate, MARKETPLACE };

.github/workflows/close-external-prs.yml

@@ -23,13 +23,14 @@ jobs:
           script: |
             const author = context.payload.pull_request.user.login;
 
-            const { evaluate, isExemptAuthor } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
+            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: author
+            });
 
-            // Members (write/admin) and the repo's own automation bot (bump SHA PRs) are never
-            // auto-closed.
-            const ex = await isExemptAuthor({ github, context });
-            if (ex.exempt) {
-              console.log(`${ex.reason} — allowing PR`);
+            if (['admin', 'write'].includes(data.permission)) {
+              console.log(`${author} has ${data.permission} access, allowing PR`);
               return;
             }
 
@@ -37,9 +38,9 @@ jobs:
             // contribution — it adds marketplace.json entries whose source repo ALREADY backs
             // a live plugin here, and changes nothing else. (No maintained allowlist: the set
             // of allowed repos is derived from the live marketplace.) This grants only the
-            // right to open a reviewable PR; the validate + scan checks and a maintainer
-            // approval still gate the merge (the External PR Scope Guard is advisory signal,
-            // not a required check).
+            // right to open a reviewable PR; the External PR Scope Guard required check and a
+            // maintainer approval still gate the merge.
+            const { evaluate } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
             const result = await evaluate({ github, context });
             if (result.ok && result.added.length > 0) {
               console.log(`In-scope external contribution (adds: ${result.added.join(', ')}) — allowing PR.`);

.github/workflows/external-pr-scope-guard.yml

@@ -1,17 +1,14 @@
 name: External PR Scope Guard
 
-# Advisory check that surfaces what a NON-MEMBER pull request may change.
-# Members (write/admin) and the repo's own automation bot (bump SHA PRs) are unrestricted and
-# skip this check. For a non-member PR this fails unless the PR is an in-scope external
-# contribution per .github/scripts/external-pr-scope.js: it changes ONLY
-# .claude-plugin/marketplace.json, the delta is additions-only (no existing entry modified or
-# removed), and every ADDED entry's source.url is a repo that ALREADY backs a live plugin in
-# this marketplace (the allowed set is derived from the live marketplace — there is no
-# maintained allowlist).
+# Required status check that constrains what a NON-MEMBER pull request may change.
+# Members (write/admin) are unrestricted and skip this check. For a non-member PR this
+# fails unless the PR is an in-scope external contribution per .github/scripts/external-pr-scope.js:
+# it changes ONLY .claude-plugin/marketplace.json, the delta is additions-only (no existing
+# entry modified or removed), and every ADDED entry's source.url is a repo that ALREADY backs
+# a live plugin in this marketplace (the allowed set is derived from the live marketplace —
+# there is no maintained allowlist).
 #
-# Do NOT add this job to branch protection as a required status check. The merge gate is the
-# `validate` + `scan` checks plus a maintainer approval; this guard is advisory signal for the
-# reviewer, not a hard gate. (Making it required would block the no-approval bump-merge path.)
+# Add the scope-guard job as a REQUIRED status check in branch protection for it to block merge.
 #
 # Security: runs on pull_request_target but checks out only the BASE repo (trusted) for the
 # shared script; the head marketplace.json is fetched as DATA via the API and parsed, never executed.
@@ -32,16 +29,17 @@ jobs:
       - uses: actions/github-script@v7
         with:
           script: |
-            const { evaluate, isExemptAuthor } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
+            const author = context.payload.pull_request.user.login;
 
-            // Members (write/admin) and the repo's own automation bot (bump SHA PRs) are
-            // unrestricted; only genuinely external contributions are scope-checked.
-            const ex = await isExemptAuthor({ github, context });
-            if (ex.exempt) {
-              console.log(`${ex.reason} — scope guard not applicable.`);
+            const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner, repo: context.repo.repo, username: author,
+            });
+            if (['admin', 'write'].includes(perm.permission)) {
+              console.log(`${author} is ${perm.permission} (member) — scope guard not applicable.`);
               return;
             }
 
+            const { evaluate } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
             const result = await evaluate({ github, context });
 
             if (!result.ok) {