Compare commits

...

2 Commits

Author SHA1 Message Date
tobin
994f24027b Repoint action pins to include allowlist matching hardening 2026-06-03 17:04:12 +00:00
tobin
c33c5bd093 Wire sha-exempt allowlist into validate + bump workflows
Adds the sha-exempt input (claude-plugins-community#47) to both
workflows, with an initially empty list:

- validate-plugins.yml: names listed here may omit source.sha
  (invariant I5) instead of failing CI repo-wide
- bump-plugin-shas.yml: the same names are skipped by the nightly
  bump so it does not re-pin a deliberately unpinned entry

Action pins bumped to the commit introducing the input. Neither action
changed otherwise between the old pins and this one. Empty lists mean
no behavior change until a name is added.
2026-06-03 17:00:28 +00:00
2 changed files with 12 additions and 2 deletions


@@ -51,12 +51,16 @@ jobs:
# createCommitOnBranch-based bump so commits are signed by GitHub and
# satisfy the org-level required_signatures ruleset on main.
- uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@e2019b2a01f11aa1484c53540b1cfab5eebbc299
- uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@2324c6d8d9d8ceebc9bf253e5d683320dbf40760
id: bump
with:
marketplace-path: .claude-plugin/marketplace.json
max-bumps: ${{ inputs.max_bumps || '30' }}
pr-mode: per-entry
# Keep in sync with sha-exempt in validate-plugins.yml: names
# listed there have no source.sha on purpose, so the nightly bump
# must skip them instead of re-pinning them.
sha-exempt: ""
claude-cli-version: latest
# Per-entry fan-out: dispatch the three required checks against each bump
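
Review bot: The new sha-exempt input in bump-plugin-shas.yml depends on a hand-maintained copy of the same list in validate-plugins.yml, and the only thing tying the two together is the "Keep in sync" comment. If a name is added to the validate list but not here, the nightly bump re-pins the entry, which is the failure the validate-plugins.yml comment itself warns about. Consider a CI step that fails when the two sha-exempt strings differ, or sourcing both values from one place. The comment here should also state the value format (space-separated names), which only the validate-plugins.yml comment documents.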


@@ -32,11 +32,17 @@ jobs:
with:
fetch-depth: 0
- uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
- uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@2324c6d8d9d8ceebc9bf253e5d683320dbf40760
with:
marketplace-path: .claude-plugin/marketplace.json
# Official curated marketplace: SHA-pin (I5) is a HARD error.
# I8/I11 are warnings until the 15 known vendored-path/name issues
# are cleaned up (see PR body); tighten to "I1 I3" after.
warn-invariants: "I1 I3 I8 I11"
# Plugins allowed to omit source.sha (deliberately unpinned,
# tracking a branch). Space-separated names. Any name added here
# MUST also be added to sha-exempt in bump-plugin-shas.yml, or the
# nightly bump re-pins it. A malformed sha still fails even for
# listed names.
sha-exempt: ""
claude-cli-version: latest
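
Review bot: The sha-exempt input in validate-plugins.yml creates a per-name exception to I5, which the comment a few lines above calls a HARD error for this curated marketplace, yet the value is a bare string of names with nowhere to record why an entry is unpinned or who approved it. Because a listed entry tracks a branch instead of a reviewed commit, suggest requiring a one-line justification comment per name next to the list and putting changes to this line behind required review. Separately, both actions now move from different old pins (e2019b2a and f846a0bc) to the same commit 2324c6d8; linking the two compare ranges in the PR would let a reviewer check the commit message's statement that neither action changed otherwise.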