2 Commits

Author SHA1 Message Date
Bryan Thompson
f8310109cd
bump: dispatch all three required checks per per-entry PR
Bump PRs are opened with GITHUB_TOKEN, which doesn't fire on:pull_request
(recursion guard). The per-entry cutover already dispatched scan-plugins.yml
per branch to satisfy the `scan` required check, but `check` (Check MCP URLs)
and `validate` (Validate Plugins) are also required on main and likewise
never fired — leaving every bump PR BLOCKED on missing checks (observed on
the batched #2079, which only cleared after a human-authored push re-fired
the pull_request workflows).

Fix: dispatch all three workflows per per-entry bump branch. Each runs its
job unconditionally on workflow_dispatch, so the check run lands on the
branch HEAD (= PR head) and satisfies the required check.

- validate-plugins.yml: add workflow_dispatch trigger (check-mcp-urls.yml
  already had one). gh workflow run requires the trigger on the default
  branch; this lands together with the per-entry bump so main stays
  consistent.
- bump-plugin-shas.yml: loop the dispatch over
  {scan-plugins,check-mcp-urls,validate-plugins}; tolerate a single
  transient dispatch failure (warn, don't abort) so one hiccup can't
  strand the rest of the batch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 16:52:06 -05:00
Tobin South
95cc50d132
Adopt validate-plugins action suite; pin all external SHAs (#1762)
* Adopt validate-plugins action suite; pin all external SHAs

Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).

marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
  their current upstream HEAD (resolved via git ls-remote).

Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
  diff-gated clone-at-SHA validation of changed external entries.
  SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
  known data issues (vendored dirs without manifests; one dotted
  name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
  SHA with claude plugin validate before opening one PR; works with
  the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
  Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
  by step 11/20 of validate-plugins).

validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).

* Remove 5 external entries that fail validation at HEAD

Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:

  aiven                   Unrecognized key "logo" in plugin.json
  atlassian-forge-skills  skill YAML frontmatter parse error
  sagemaker-ai            skill YAML frontmatter parse error
  speakai                 no plugin manifest at repo root
  stagehand               no plugin manifest at repo root

These can be re-added once the upstream repos are fixed.

* Wire scan-plugins to the detailed policy prompt

Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.

* Bump scan-plugins action pin to include L11/L12 fixes
2026-05-07 14:18:52 -05:00