Adds a step to the validate job that diffs plugins[].name against the
PR base and fails if any name disappeared without a corresponding key
in the top-level "renames" map. Prevents the next airwallex-style
plugin-not-found regression.
Part of CC-2871. Depends on the renames map (PR A).
Co-authored-by: Claude <noreply@anthropic.com>
* chore(bump-plugin-shas): re-pin to community 426e469f (subdir-existence guard #267)
Picks up anthropics/claude-plugins-community#267 — guards subdir existence
before manifest synthesis, so a strict:false external whose source.path subdir
vanished at the new SHA is a clean "subdir not found" skip instead of a phantom
synthesized manifest + false bump. Clean one-commit pull-forward from a27629fc.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore(validate-plugins,scan-plugins): re-pin to community 426e469f
Aligns all three shared community action pins on the same SHA (426e469f). The
validate-plugins/scan-plugins actions are unchanged between d207465 and 426e469f
(only bump-plugin-shas changed in #266/#267) — SHA-consistency, no behavior change.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: bump validate-plugins action pin to self-healing CLI install
Bumps the pinned validate-plugins action SHA (f846a0bc -> 5d75f99) to pick up
two fixes already merged in claude-plugins-community:
1. Self-healing claude CLI install (community#233): the prior pin's install step
was a bare `npm i -g @anthropic-ai/claude-code@latest && claude --version`,
which intermittently stalled (a 28-min hang -> "native binary not installed")
and jammed whichever bump PR caught it (e.g. desktop-commander #2985). The new
step forces the optional native dep, verifies the binary, re-runs the
postinstall on a miss, and bounds every network step with a timeout.
2. strict:false skills-only manifest synthesis: the prior pin hard-required a
plugin.json for external git-subdir sources, false-failing skills-only entries
that the marketplace server synthesizes a manifest for. This is what blocks
#2997 (learn-with-coursera) and #2312 (netsuite-suitecloud) today; the bumped
action synthesizes a minimal manifest for them instead.
No other change. The action stays on claude-cli-version: latest.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: pin scan-plugins + bump-plugin-shas to self-healing action too
Extend the validate-plugins pin bump (this PR) to the other two shared actions
that install the claude CLI the same flaky way. All three now pin the same
claude-plugins-community SHA (d207465) carrying the self-healing install
(community#233 + #234): force the optional native dep, verify, re-run postinstall
on a miss, timeout every network step, retry with real reinstalls.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: run validate on workflow-file changes (fix required-check deadlock)
A PR touching only .github/workflows/** (e.g. an action-SHA re-pin like this one)
never matched validate-plugins.yml's pull_request path filter, so the required
'validate' check never ran and the PR sat 'Expected — Waiting for status to be
reported' with no way to clear it (workflow_dispatch check runs aren't associated
with the PR, so they don't satisfy the required check; the ruleset has no bypass
actors). Add .github/workflows/** to the trigger so workflow-only PRs validate
in-context and can clear the gate — and so this PR unblocks itself.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* bump: switch to per-entry PR mode (one PR per stale plugin)
Replaces the single batched bump PR with one PR per stale plugin so a
single failing plugin no longer blocks the rest. Pins to a feature
branch of the bump-plugin-shas action that adds 'pr-mode: per-entry';
re-pin to the merge commit on the action's main when that lands.
- pr-mode: per-entry → one PR per plugin on bump/<slug>
- max_bumps default lowered 130 → 30 (per-entry scans cost more)
- scan dispatch fanned out over pr-urls JSON (one per per-entry branch)
- header comments updated for per-entry semantics
* bump: re-pin to merged composite action SHA on -community main
The pr-mode: per-entry input now lives on main of the bump-plugin-shas
action (merged at e2019b2a). Update the pin and drop the now-stale
header comment that tracked the feature branch.
* bump: dispatch all three required checks per per-entry PR
Bump PRs are opened with GITHUB_TOKEN, which doesn't fire on:pull_request
(recursion guard). The per-entry cutover already dispatched scan-plugins.yml
per branch to satisfy the `scan` required check, but `check` (Check MCP URLs)
and `validate` (Validate Plugins) are also required on main and likewise
never fired — leaving every bump PR BLOCKED on missing checks (observed on
the batched #2079, which only cleared after a human-authored push re-fired
the pull_request workflows).
Fix: dispatch all three workflows per per-entry bump branch. Each runs its
job unconditionally on workflow_dispatch, so the check run lands on the
branch HEAD (= PR head) and satisfies the required check.
- validate-plugins.yml: add workflow_dispatch trigger (check-mcp-urls.yml
already had one). gh workflow run requires the trigger on the default
branch; this lands together with the per-entry bump so main stays
consistent.
- bump-plugin-shas.yml: loop the dispatch over
{scan-plugins,check-mcp-urls,validate-plugins}; tolerate a single
transient dispatch failure (warn, don't abort) so one hiccup can't
strand the rest of the batch.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* bump: fail the per-entry check-dispatch step when a dispatch fails
The dispatch step logged each failed gh workflow run as a warning and exited 0, so a transient API error or rate limit could leave a per-entry bump PR missing a required check while the bump run still showed green. The composite action skips slugs with an open PR, so the stranded PR was never retried.
Attempt every dispatch (one failure must not strand the other branches), record failures via a temp file (the while loop runs in a pipe subshell), then emit an error and exit non-zero if any dispatch failed, so the bump run goes red and the affected PR can be re-dispatched.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Adopt validate-plugins action suite; pin all external SHAs
Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).
marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
their current upstream HEAD (resolved via git ls-remote).
Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
diff-gated clone-at-SHA validation of changed external entries.
SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
known data issues (vendored dirs without manifests; one dotted
name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
SHA with claude plugin validate before opening one PR; works with
the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.
Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
by step 11/20 of validate-plugins).
validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).
* Remove 5 external entries that fail validation at HEAD
Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:
aiven Unrecognized key "logo" in plugin.json
atlassian-forge-skills skill YAML frontmatter parse error
sagemaker-ai skill YAML frontmatter parse error
speakai no plugin manifest at repo root
stagehand no plugin manifest at repo root
These can be re-added once the upstream repos are fixed.
* Wire scan-plugins to the detailed policy prompt
Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.
With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.
* Bump scan-plugins action pin to include L11/L12 fixes