claude-plugins-official

anthropics/claude-plugins-official

Fork 0

mirror of https://github.com/anthropics/claude-plugins-official.git synced 2026-05-11 14:05:52 -03:00

Commit Graph

Author	SHA1	Message	Date
Tobin South	95cc50d132	Adopt validate-plugins action suite; pin all external SHAs (#1762 ) * Adopt validate-plugins action suite; pin all external SHAs Replaces the hand-rolled marketplace validator and bot-based bump workflow with the shared composite actions (pinned at f846a0b). marketplace.json: - 62 external entries that were missing a `sha` are now pinned to their current upstream HEAD (resolved via git ls-remote). Workflows: - validate-plugins.yml: invariants I1-I11 + claude plugin validate + diff-gated clone-at-SHA validation of changed external entries. SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15 known data issues (vendored dirs without manifests; one dotted name) are cleaned up. - bump-plugin-shas.yml: bot-free weekly refresh. Validates each new SHA with claude plugin validate before opening one PR; works with the default GITHUB_TOKEN (contents:write + pull-requests:write). - scan-plugins.yml: Claude policy scan of changed external entries. Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set. Removed: - validate-marketplace.yml + the two TS helper scripts (superseded by step 11/20 of validate-plugins). validate-frontmatter.yml is kept — it's complementary (targeted checks on agent/skill/command files for in-repo plugins). * Remove 5 external entries that fail validation at HEAD Step 30 (clone at pinned SHA + claude plugin validate) fails for these at their current HEAD: aiven Unrecognized key "logo" in plugin.json atlassian-forge-skills skill YAML frontmatter parse error sagemaker-ai skill YAML frontmatter parse error speakai no plugin manifest at repo root stagehand no plugin manifest at repo root These can be re-added once the upstream repos are fixed. * Wire scan-plugins to the detailed policy prompt Adds .github/policy/prompt.md and schema.json (the full security review rubric — malicious code, privacy, deception, safety circumvention, exfiltration; plus network-call and software-install flags) and points scan-plugins at it via the policy-prompt input. With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs the actual policy review on changed external entries instead of no-op'ing. * Bump scan-plugins action pin to include L11/L12 fixes	2026-05-07 14:18:52 -05:00
Bryan Thompson	167f01f2e0	Add auto-SHA-bump workflow for marketplace plugins (#1392 ) * Add auto-SHA-bump workflow for marketplace plugins Weekly CI action that discovers stale SHA pins in marketplace.json and opens a batched PR with updated SHAs. Adapted from the claude-plugins-community-internal bump-plugin-shas workflow for the single-file marketplace.json format. - discover_bumps.py: checks 56 SHA-pinned plugins against upstream repos, oldest-stale-first rotation, capped at 20 bumps/run - bump-plugin-shas.yml: weekly Monday schedule + manual dispatch with dry_run and per-plugin targeting options Entries without SHA pins (intentionally tracking HEAD) are never touched. Existing validate-marketplace CI runs on the resulting PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix input interpolation and add BASE_BRANCH overlay - Pass workflow_dispatch inputs through env vars instead of direct ${{ inputs.* }} interpolation in run blocks (avoids shell injection) - Add marketplace.json overlay from main so the workflow can be tested via dispatch from a feature branch against main's real plugin data Both patterns match claude-plugins-community-internal's implementation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Use GitHub App token for PR creation The anthropics org disables "Allow GitHub Actions to create and approve pull requests", so GITHUB_TOKEN cannot call gh pr create. Split the workflow: GITHUB_TOKEN pushes the branch, then the same GitHub App used by -internal's bump workflow (app-id 2812036) creates the PR. Prerequisite: app must be installed on this repo and the PEM secret (CLAUDE_DIRECTORY_BOT_PRIVATE_KEY) must exist in repo settings. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Use --force-with-lease for bump branch push Prevents push failure if the branch exists from a previous same-day run whose PR was merged but whose branch wasn't auto-deleted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-17 09:12:36 -07:00

Author

SHA1

Message

Date

Tobin South

95cc50d132

Adopt validate-plugins action suite; pin all external SHAs (#1762 )

* Adopt validate-plugins action suite; pin all external SHAs

Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).

marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
  their current upstream HEAD (resolved via git ls-remote).

Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
  diff-gated clone-at-SHA validation of changed external entries.
  SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
  known data issues (vendored dirs without manifests; one dotted
  name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
  SHA with claude plugin validate before opening one PR; works with
  the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
  Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
  by step 11/20 of validate-plugins).

validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).

* Remove 5 external entries that fail validation at HEAD

Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:

  aiven                   Unrecognized key "logo" in plugin.json
  atlassian-forge-skills  skill YAML frontmatter parse error
  sagemaker-ai            skill YAML frontmatter parse error
  speakai                 no plugin manifest at repo root
  stagehand               no plugin manifest at repo root

These can be re-added once the upstream repos are fixed.

* Wire scan-plugins to the detailed policy prompt

Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.

* Bump scan-plugins action pin to include L11/L12 fixes

2026-05-07 14:18:52 -05:00

Bryan Thompson

167f01f2e0

Add auto-SHA-bump workflow for marketplace plugins (#1392 )

* Add auto-SHA-bump workflow for marketplace plugins

Weekly CI action that discovers stale SHA pins in marketplace.json
and opens a batched PR with updated SHAs. Adapted from the
claude-plugins-community-internal bump-plugin-shas workflow for
the single-file marketplace.json format.

- discover_bumps.py: checks 56 SHA-pinned plugins against upstream
  repos, oldest-stale-first rotation, capped at 20 bumps/run
- bump-plugin-shas.yml: weekly Monday schedule + manual dispatch
  with dry_run and per-plugin targeting options

Entries without SHA pins (intentionally tracking HEAD) are never
touched. Existing validate-marketplace CI runs on the resulting PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix input interpolation and add BASE_BRANCH overlay

- Pass workflow_dispatch inputs through env vars instead of direct
  ${{ inputs.* }} interpolation in run blocks (avoids shell injection)
- Add marketplace.json overlay from main so the workflow can be tested
  via dispatch from a feature branch against main's real plugin data

Both patterns match claude-plugins-community-internal's implementation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use GitHub App token for PR creation

The anthropics org disables "Allow GitHub Actions to create and approve
pull requests", so GITHUB_TOKEN cannot call gh pr create. Split the
workflow: GITHUB_TOKEN pushes the branch, then the same GitHub App
used by -internal's bump workflow (app-id 2812036) creates the PR.

Prerequisite: app must be installed on this repo and the PEM secret
(CLAUDE_DIRECTORY_BOT_PRIVATE_KEY) must exist in repo settings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use --force-with-lease for bump branch push

Prevents push failure if the branch exists from a previous same-day
run whose PR was merged but whose branch wasn't auto-deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-17 09:12:36 -07:00

2 Commits