mirror of
https://github.com/anthropics/claude-plugins-official.git
synced 2026-05-09 13:22:40 +00:00
* Adopt validate-plugins action suite; pin all external SHAs

  Replaces the hand-rolled marketplace validator and bot-based bump workflow with the shared composite actions (pinned at f846a0b).

  marketplace.json:
  - 62 external entries that were missing a `sha` are now pinned to their current upstream HEAD (resolved via git ls-remote).

  Workflows:
  - validate-plugins.yml: invariants I1-I11 + claude plugin validate + diff-gated clone-at-SHA validation of changed external entries. SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15 known data issues (vendored dirs without manifests; one dotted name) are cleaned up.
  - bump-plugin-shas.yml: bot-free weekly refresh. Validates each new SHA with claude plugin validate before opening one PR; works with the default GITHUB_TOKEN (contents:write + pull-requests:write).
  - scan-plugins.yml: Claude policy scan of changed external entries. Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

  Removed:
  - validate-marketplace.yml + the two TS helper scripts (superseded by step 11/20 of validate-plugins).

  validate-frontmatter.yml is kept — it's complementary (targeted checks on agent/skill/command files for in-repo plugins).

* Remove 5 external entries that fail validation at HEAD

  Step 30 (clone at pinned SHA + claude plugin validate) fails for these at their current HEAD:

    aiven                   Unrecognized key "logo" in plugin.json
    atlassian-forge-skills  skill YAML frontmatter parse error
    sagemaker-ai            skill YAML frontmatter parse error
    speakai                 no plugin manifest at repo root
    stagehand               no plugin manifest at repo root

  These can be re-added once the upstream repos are fixed.

* Wire scan-plugins to the detailed policy prompt

  Adds .github/policy/prompt.md and schema.json (the full security review rubric — malicious code, privacy, deception, safety circumvention, exfiltration; plus network-call and software-install flags) and points scan-plugins at it via the policy-prompt input.

  With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs the actual policy review on changed external entries instead of no-op'ing.

* Bump scan-plugins action pin to include L11/L12 fixes
39 lines
1.1 KiB
YAML
name: Bump Plugin SHAs

# Weekly sweep: for each external entry whose upstream HEAD has moved past
# its pinned SHA, validate at the new SHA with `claude plugin validate`
# inline, then open one PR with all passing bumps.
#
# Bot-free — uses the default GITHUB_TOKEN. Because GITHUB_TOKEN-opened PRs
# don't trigger on:pull_request workflows, validation runs in this workflow
# before the PR is opened; the PR body links back here as the CI evidence.

on:
  schedule:
    - cron: '23 7 * * 1'  # Monday 07:23 UTC
  workflow_dispatch:
    inputs:
      max_bumps:
        description: Cap on plugins bumped this run
        required: false
        default: '20'

permissions:
  contents: write
  pull-requests: write

concurrency:
  group: bump-plugin-shas

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87
        with:
          marketplace-path: .claude-plugin/marketplace.json
          max-bumps: ${{ inputs.max_bumps || '20' }}
          claude-cli-version: latest
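The selection step that the workflow comments describe (find external entries whose upstream HEAD has moved past the pin, cap the number bumped, and never treat a missing or abbreviated pin as bumpable) can be sketched as follows. This is an added example, not the bump-plugin-shas action's own code; the marketplace layout (`plugins`, `source.url`, `source.sha`), the function names and the sample data are assumptions, and 40-hex SHA-1 commit ids are assumed.

```python
import re
import subprocess

FULL_SHA = re.compile(r"[0-9a-f]{40}")

def ls_remote_head(url):
    """Resolve upstream HEAD with `git ls-remote` (needs network access)."""
    out = subprocess.run(["git", "ls-remote", "--", url, "HEAD"],
                         check=True, capture_output=True, text=True).stdout
    return out.split()[0] if out.strip() else None

def plan_bumps(marketplace, resolve_head=ls_remote_head, max_bumps=20):
    """Return (bumps, errors). Assumed layout: marketplace["plugins"] is a list;
    an external entry has a dict "source" with "url" and "sha", while an
    in-repo entry has a string path and is skipped."""
    bumps, errors = [], []
    for entry in marketplace.get("plugins", []):
        src = entry.get("source")
        if not isinstance(src, dict):
            continue  # in-repo plugin: nothing to pin
        name, sha, url = entry.get("name", "<unnamed>"), src.get("sha"), src.get("url")
        # A missing, abbreviated or branch-name pin is an error, never a bump.
        if not isinstance(sha, str) or not FULL_SHA.fullmatch(sha):
            errors.append(f"{name}: sha pin missing or not a full 40-hex commit id")
            continue
        head = resolve_head(url) if isinstance(url, str) else None
        if not isinstance(head, str) or not FULL_SHA.fullmatch(head):
            errors.append(f"{name}: could not resolve upstream HEAD")
            continue
        if head != sha and len(bumps) < max_bumps:
            bumps.append({"name": name, "from": sha, "to": head})
    return bumps, errors

# Constructed sample data (not taken from the real marketplace.json).
SAMPLE = {"plugins": [
    {"name": "alpha", "source": {"url": "https://example.invalid/alpha.git", "sha": "a" * 40}},
    {"name": "beta", "source": {"url": "https://example.invalid/beta.git", "sha": "b" * 40}},
    {"name": "gamma", "source": {"url": "https://example.invalid/gamma.git", "sha": "abc1234"}},
    {"name": "delta", "source": "./plugins/delta"},
    {"name": "epsilon", "source": {"url": "https://example.invalid/epsilon.git", "sha": "d" * 40}},
]}
FAKE_HEADS = {  # stands in for git ls-remote so the example runs offline
    "https://example.invalid/alpha.git": "a" * 40,    # unchanged
    "https://example.invalid/beta.git": "c" * 40,     # moved
    "https://example.invalid/epsilon.git": "e" * 40,  # moved
}

if __name__ == "__main__":
    bumps, errors = plan_bumps(SAMPLE, FAKE_HEADS.get, max_bumps=1)
    print("bump:", [b["name"] for b in bumps], "errors:", errors)
```

In the workflow itself, each planned bump would still have to pass `claude plugin validate` at the new SHA before it is included in the PR; that step is outside this sketch.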