Bump 20 plugin SHA pin(s) to upstream HEAD

.claude-plugin/marketplace.json

@@ -1787,22 +1787,6 @@
       },
       "homepage": "https://help.sap.com/docs/MDK"
     },
-    {
-      "name": "save-to-spotify",
-      "description": "Create polished audio episodes with TTS narration, rich timelines, cover images, and save them to Spotify via the save-to-spotify CLI.",
-      "author": {
-        "name": "Spotify"
-      },
-      "category": "productivity",
-      "source": {
-        "source": "git-subdir",
-        "url": "https://github.com/spotify/save-to-spotify.git",
-        "path": "plugin",
-        "ref": "main",
-        "sha": "b3d362f7851d184098dcb220ba2fab10c996d1f2"
-      },
-      "homepage": "https://github.com/spotify/save-to-spotify"
-    },
     {
       "name": "security-guidance",
       "description": "Security reminder hook that warns about potential security issues when editing files, including command injection, XSS, and unsafe code patterns",

.github/workflows/bump-plugin-shas.yml

@@ -1,10 +1,8 @@
 name: Bump Plugin SHAs
 
-# Nightly sweep: for each external entry whose upstream HEAD has moved past
+# Weekly sweep: for each external entry whose upstream HEAD has moved past
 # its pinned SHA, validate at the new SHA with `claude plugin validate`
-# inline, then open one PR with all passing bumps. Each run force-resets the
-# bump/plugin-shas branch, so a previous night's unmerged PR is replaced (and
-# its review state discarded) — review and merge same-day to avoid churn.
+# inline, then open one PR with all passing bumps.
 #
 # Bot-free — uses the default GITHUB_TOKEN. PRs opened with GITHUB_TOKEN don't
 # trigger on:pull_request workflows, so the policy scan (`Scan Plugins`, a
@@ -16,7 +14,7 @@ name: Bump Plugin SHAs
 
 on:
   schedule:
-    - cron: '23 7 * * *'  # Daily 07:23 UTC
+    - cron: '23 7 * * 1'  # Monday 07:23 UTC
   workflow_dispatch:
     inputs:
       max_bumps: