---
name: Bump Plugin SHAs

# Runs weekly. Every external entry whose upstream HEAD is ahead of its pinned
# SHA is validated at the new SHA (inline, via `claude plugin validate`); all
# bumps that pass are collected into a single PR.
#
# No bot account is involved: the default GITHUB_TOKEN does everything. A PR
# opened with GITHUB_TOKEN does not fire on:pull_request workflows, so
# `Scan Plugins` (the policy scan, a required status check on main) would
# never run and the bump PR could never merge. workflow_dispatch is not
# subject to that recursion guard, so this workflow dispatches the scan on the
# bump branch itself once the PR exists. The resulting check run attaches to
# the branch HEAD, which is the same SHA as the PR head, and so satisfies the
# required check.

on:
  schedule:
    - cron: "23 7 * * 1"  # Monday 07:23 UTC
  workflow_dispatch:
    inputs:
      max_bumps:
        description: Cap on plugins bumped this run
        required: false
        default: "20"

# Declared at workflow level, so the token handed to every step of every job
# carries these scopes.
# NOTE(review): that includes the step that validates upstream plugin content
# at a SHA nobody has reviewed yet. How the bump action isolates validation
# from the token is not visible in this file; confirm in the action source.
permissions:
  contents: write
  pull-requests: write
  # Required for `gh workflow run scan-plugins.yml` on the bump branch.
  actions: write

# One shared group for all runs. No `cancel-in-progress` is set, so the
# default applies: an in-flight run is left to finish, not cancelled.
concurrency:
  group: bump-plugin-shas

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` is a mutable tag, while the bump action below is
      # pinned to a full commit SHA. Pinning checkout to a full SHA as well
      # would make both third-party steps immutable.
      # NOTE(review): checkout keeps the job token in the local git config
      # unless `persist-credentials: false` is set. If the bump action writes
      # only through the API (see the createCommitOnBranch remark below),
      # that credential may not be needed in the workspace. Verify against
      # the action before changing.
      - uses: actions/checkout@v4

      # The bump goes through createCommitOnBranch, so GitHub signs the
      # commits and they pass the org-level required_signatures ruleset on
      # main.
      - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@c41c6911de0afffd2bc5cd8b21fb1e06444ee13b
        id: bump
        with:
          marketplace-path: .claude-plugin/marketplace.json
          # `inputs.max_bumps` is empty on scheduled runs, so the `|| '20'`
          # fallback is what applies there.
          max-bumps: ${{ inputs.max_bumps || '20' }}
          # NOTE(review): a floating `latest` means the validator gating each
          # bump can change between runs without a reviewed commit here; an
          # explicit version would make validation reproducible. What this
          # input accepts is defined by the action. Confirm there.
          claude-cli-version: latest

      # `bump/plugin-shas` is the action's default `pr-branch`. With no
      # pull_request event the scan falls back to origin/main as base ref,
      # diffs the branch against it and scans only the bumped entries.
      # The ref below is hard-coded, so it has to keep matching that default
      # whenever the pinned action SHA above is moved.
      - name: Dispatch policy scan on bump branch
        if: steps.bump.outputs.pr-url != ''
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh workflow run scan-plugins.yml --ref bump/plugin-shas