mirror of
https://github.com/anthropics/claude-plugins-official.git
synced 2026-05-20 05:12:40 +00:00
b7c0654137
* Cache scan verdicts and drop policy-failing entries from bump PRs Three changes that together let the nightly bump clear any backlog in a single run without blocking on a single bad upstream or re-burning Claude time on already-scanned SHAs: - bump-plugin-shas.yml: raise max-bumps default 20 -> 130 (above the external entry count, so a single run can clear a full backlog) and add an explicit 60-min job timeout. The cap was the only thing bounding the blast radius of a single policy failure; the changes below take over that role so the cap can be lifted. - scan-plugins.yml: add a verdict cache keyed on (plugin, sha, policy hash). The bump action force-resets bump/plugin-shas every night, which makes the same SHAs reappear in the diff on consecutive nights — without the cache the scan would re-burn ~90s of Claude time per entry per night. Cached verdicts (pass and fail) are served from disk; only uncached SHAs are scanned. The job still fails on cached failures so the required check stays honest. - revert-failed-bumps.yml (new): after a Scan Plugins workflow_run on bump/plugin-shas concludes with a failure, drop just the failing entries' source.sha back to main's pin via a follow-up signed commit and re-dispatch the scan. The re-dispatch finds only cached-pass entries and goes green in seconds. Bounded at 3 passes/night, restricted to SHA-only diffs, and aborts if the bump branch was tampered with. * Harden bump cache and revert workflows after review - revert-failed-bumps: replace the time-based revert budget (anchored on the PR head, which a revert commit immediately replaces — never accumulating past 1) with a commit count: every nightly bump force- resets to one commit and every revert pass adds exactly one, so commits > MAX+1 is the budget without date math, pagination, or exposure to comment spoofing. - revert-failed-bumps: filter the bump PR by head owner so a fork PR with a branch named bump/plugin-shas can't be selected. - revert-failed-bumps: continue-on-error on the artifact download so a scan that died before uploading (infra error) doesn't fail the revert job — the missing-file guard downstream handles it. - scan-plugins: add a per-ref concurrency group so concurrent scans don't lose one another's cache writes; key the cache on run_attempt so a re-run can save its own verdicts. - scan-plugins: store the full source object in the cache and require source equality on lookup, so a repo/path change at the same SHA misses the cache instead of getting a stale verdict. - scan-plugins / revert-failed-bumps: strip markdown control chars, wrap model-generated text in code spans (neutralizes auto-linked URLs), and redact key-shaped tokens before they reach the step summary, artifact, cache, or PR comment.
70 lines
2.8 KiB
YAML
70 lines
2.8 KiB
YAML
name: Bump Plugin SHAs
|
|
|
|
# Nightly sweep: for each external entry whose upstream HEAD has moved past
|
|
# its pinned SHA, validate at the new SHA with `claude plugin validate`
|
|
# inline, then open one PR with all passing bumps. Each run force-resets the
|
|
# bump/plugin-shas branch, so a previous night's unmerged PR is replaced (and
|
|
# its review state discarded) — review and merge same-day to avoid churn.
|
|
#
|
|
# Bot-free — uses the default GITHUB_TOKEN. PRs opened with GITHUB_TOKEN don't
|
|
# trigger on:pull_request workflows, so the policy scan (`Scan Plugins`, a
|
|
# required status check on main) would never run and the bump PR could never
|
|
# merge. workflow_dispatch is exempt from that recursion guard, so we dispatch
|
|
# the scan ourselves on the bump branch after the PR is opened. The check run
|
|
# lands on the branch HEAD — the same SHA as the PR head — and satisfies the
|
|
# required check.
|
|
#
|
|
# max-bumps is set above the external-entry count so a single run can clear
|
|
# any backlog. The cost-control mechanisms are downstream:
|
|
# - scan-plugins.yml caches verdicts by (plugin, sha) so an unchanged SHA
|
|
# is never re-scanned across nightly force-resets.
|
|
# - revert-failed-bumps.yml drops policy-failing entries from the bump PR
|
|
# so one bad upstream can't block the rest.
|
|
# See those files for details.
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '23 7 * * *' # Daily 07:23 UTC
|
|
workflow_dispatch:
|
|
inputs:
|
|
max_bumps:
|
|
description: Cap on plugins bumped this run
|
|
required: false
|
|
default: '130'
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
actions: write # gh workflow run scan-plugins.yml on the bump branch
|
|
|
|
concurrency:
|
|
group: bump-plugin-shas
|
|
|
|
jobs:
|
|
bump:
|
|
runs-on: ubuntu-latest
|
|
# Per-bump cost is ~2s (ls-remote + shallow clone + validate); 130 entries
|
|
# is ~5 min. The 60 min ceiling absorbs slow upstreams without letting a
|
|
# pathological run consume the default 360 min budget.
|
|
timeout-minutes: 60
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
# createCommitOnBranch-based bump so commits are signed by GitHub and
|
|
# satisfy the org-level required_signatures ruleset on main.
|
|
- uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@c41c6911de0afffd2bc5cd8b21fb1e06444ee13b
|
|
id: bump
|
|
with:
|
|
marketplace-path: .claude-plugin/marketplace.json
|
|
max-bumps: ${{ inputs.max_bumps || '130' }}
|
|
claude-cli-version: latest
|
|
|
|
# `bump/plugin-shas` is the action's default `pr-branch`. The scan diffs
|
|
# the branch against origin/main (the action's base-ref fallback when
|
|
# there's no pull_request event) and scans only the bumped entries.
|
|
- name: Dispatch policy scan on bump branch
|
|
if: steps.bump.outputs.pr-url != ''
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: gh workflow run scan-plugins.yml --ref bump/plugin-shas
|