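name: Scan Plugins
# Claude policy scan of changed external marketplace entries.
#
# `scan` is a required status check on main. A path-filtered workflow never
# reports a check run when its paths don't match, which would leave unrelated
# PRs blocked forever — so this workflow runs on every PR and skips the heavy
# scan setup at the step level when nothing scan-relevant changed. The check
# always reports.
#
# NOTE(review): `pull_request` runs triggered from a fork do not receive
# repository secrets, so a fork PR that touches a scan-relevant path will hit
# the fail-closed key check below and the required check will stay red. That
# is deliberate (fail closed, not rubber-stamp); a maintainer has to carry
# such a change on a branch in this repo. Do not "fix" this by switching to
# `pull_request_target` — that would run untrusted PR content with secrets.

on:
  pull_request:
  workflow_dispatch:
    inputs:
      scan_all:
        description: Scan every external entry (full re-review). Slow.
        type: boolean
        default: false

# Least privilege: nothing here writes to the repo or posts to the API.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so `git diff <base-sha> HEAD` below can resolve the
          # base commit.
          fetch-depth: 0
          # The third-party scan action runs in this workspace; it needs no
          # git credentials, so don't leave GITHUB_TOKEN in .git/config.
          persist-credentials: false

      # Same paths the workflow-level filter used to gate on. workflow_dispatch
      # always runs the scan (no PR diff to inspect).
      - name: Check for scan-relevant changes
        id: changes
        env:
          EVENT_NAME: ${{ github.event_name }}
          # Empty on workflow_dispatch; only read after the early exit below.
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "relevant=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # `--quiet` exits 0 only when there is no diff. A diff (exit 1) AND
          # any git error (e.g. unresolvable base sha, exit 128) both land in
          # the else branch, so an unexpected failure here fails closed by
          # forcing a scan rather than skipping one.
          if git diff --quiet "$BASE_SHA" HEAD -- .claude-plugin/marketplace.json .github/policy/; then
            echo "relevant=false" >> "$GITHUB_OUTPUT"
            echo "::notice::No changes to marketplace.json or policy/ — skipping policy scan."
          else
            echo "relevant=true" >> "$GITHUB_OUTPUT"
          fi

      # The shared action no-ops gracefully when ANTHROPIC_API_KEY is unset
      # (sensible default for community repos). Here `scan` is a required
      # check, so a silent no-op would make it a rubber stamp — fail closed.
      # The secret is compared in an expression (never echoed) so only a
      # "true"/"false" string reaches the shell.
      - name: Require ANTHROPIC_API_KEY when a scan is needed
        if: steps.changes.outputs.relevant == 'true'
        env:
          API_KEY_SET: ${{ secrets.ANTHROPIC_API_KEY != '' }}
        run: |
          if [[ "$API_KEY_SET" != "true" ]]; then
            echo "::error::ANTHROPIC_API_KEY is not configured; refusing to skip a required policy scan."
            exit 1
          fi

      # Blocking: policy failures fail the job. Loosen by removing
      # fail-on-findings if the false-positive rate is too high.
      #
      # NOTE(review): `policy-prompt` is read from the checked-out PR merge
      # ref, so a PR that edits `.github/policy/` is judged against its own
      # edited policy. The diff filter above makes such PRs *run* the scan, but
      # it cannot stop them weakening it — protect `.github/policy/` (and this
      # workflow) with CODEOWNERS / required reviews, or pin the prompt to the
      # base branch if the action accepts an out-of-tree path.
      - if: steps.changes.outputs.relevant == 'true'
        # Action is pinned to a full commit SHA (good); keep it that way.
        uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@b277757588871fe55b2620de8c6dfda470e2e9d8
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          policy-prompt: .github/policy/prompt.md
          fail-on-findings: "true"
          # `inputs` is empty on pull_request events, so this falls back to
          # the string 'false' there; on dispatch the boolean input is used.
          scan-all-external: ${{ inputs.scan_all || 'false' }}
          # NOTE(review): `latest` floats — the CLI that performs a required
          # security check is not pinned even though the action SHA is. Pin
          # to a known version once one is chosen for this repo.
          claude-cli-version: latest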