From 94258c5913c482462e8c242ef3060a011a4e186d Mon Sep 17 00:00:00 2001 From: Bryan Thompson Date: Thu, 18 Jun 2026 21:50:51 -0500 Subject: [PATCH] ci: pin validate-plugins + scan-plugins + bump-plugin-shas to self-healing CLI install (#3095) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * ci: bump validate-plugins action pin to self-healing CLI install Bumps the pinned validate-plugins action SHA (f846a0bc -> 5d75f99) to pick up two fixes already merged in claude-plugins-community: 1. Self-healing claude CLI install (community#233): the prior pin's install step was a bare `npm i -g @anthropic-ai/claude-code@latest && claude --version`, which intermittently stalled (a 28-min hang -> "native binary not installed") and jammed whichever bump PR caught it (e.g. desktop-commander #2985). The new step forces the optional native dep, verifies the binary, re-runs the postinstall on a miss, and bounds every network step with a timeout. 2. strict:false skills-only manifest synthesis: the prior pin hard-required a plugin.json for external git-subdir sources, false-failing skills-only entries that the marketplace server synthesizes a manifest for. This is what blocks #2997 (learn-with-coursera) and #2312 (netsuite-suitecloud) today; the bumped action synthesizes a minimal manifest for them instead. No other change. The action stays on claude-cli-version: latest. Co-Authored-By: Claude Opus 4.8 (1M context) * ci: pin scan-plugins + bump-plugin-shas to self-healing action too Extend the validate-plugins pin bump (this PR) to the other two shared actions that install the claude CLI the same flaky way. All three now pin the same claude-plugins-community SHA (d207465) carrying the self-healing install (community#233 + #234): force the optional native dep, verify, re-run postinstall on a miss, timeout every network step, retry with real reinstalls. Co-Authored-By: Claude Opus 4.8 (1M context) * ci: run validate on workflow-file changes (fix required-check deadlock) A PR touching only .github/workflows/** (e.g. an action-SHA re-pin like this one) never matched validate-plugins.yml's pull_request path filter, so the required 'validate' check never ran and the PR sat 'Expected — Waiting for status to be reported' with no way to clear it (workflow_dispatch check runs aren't associated with the PR, so they don't satisfy the required check; the ruleset has no bypass actors). Add .github/workflows/** to the trigger so workflow-only PRs validate in-context and can clear the gate — and so this PR unblocks itself. Co-Authored-By: Claude Opus 4.8 (1M context) --------- Co-authored-by: Claude Opus 4.8 (1M context) --- .github/workflows/bump-plugin-shas.yml | 2 +- .github/workflows/scan-plugins.yml | 2 +- .github/workflows/validate-plugins.yml | 8 +++++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/bump-plugin-shas.yml b/.github/workflows/bump-plugin-shas.yml index 4fb48e5..25ad0cd 100644 --- a/.github/workflows/bump-plugin-shas.yml +++ b/.github/workflows/bump-plugin-shas.yml @@ -51,7 +51,7 @@ jobs: # createCommitOnBranch-based bump so commits are signed by GitHub and # satisfy the org-level required_signatures ruleset on main. - - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@e2019b2a01f11aa1484c53540b1cfab5eebbc299 + - uses: anthropics/claude-plugins-community/.github/actions/bump-plugin-shas@d207465eb6ec02b6f3f1dbb131717830dc9ecc68 id: bump with: marketplace-path: .claude-plugin/marketplace.json diff --git a/.github/workflows/scan-plugins.yml b/.github/workflows/scan-plugins.yml index 176a99d..5ec2300 100644 --- a/.github/workflows/scan-plugins.yml +++ b/.github/workflows/scan-plugins.yml @@ -196,7 +196,7 @@ jobs: continue-on-error: true # Pinned to claude-plugins-community#34 (WIF input support). # TODO: re-pin to a main-branch SHA once #34 merges. - uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@e85f0d65b4fc87f07862e1dcdc467950514414ec + uses: anthropics/claude-plugins-community/.github/actions/scan-plugins@d207465eb6ec02b6f3f1dbb131717830dc9ecc68 with: # Anthropic auth via Workload Identity Federation — the action # mints a GitHub OIDC token (id-token: write above) and the claude diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml index 798cde5..6442ea1 100644 --- a/.github/workflows/validate-plugins.yml +++ b/.github/workflows/validate-plugins.yml @@ -8,6 +8,12 @@ on: - '*/agents/**' - '*/skills/**' - '*/commands/**' + # `validate` is a required status check, so a PR that touches ONLY workflow + # files (e.g. an action-SHA re-pin) would otherwise never trigger validate + # and sit "Expected — Waiting for status to be reported" forever (workflow_dispatch + # check runs aren't associated with the PR, so they don't satisfy it). Run + # validate on workflow changes too so those PRs can clear the gate in-context. + - '.github/workflows/**' push: branches: [main] paths: @@ -32,7 +38,7 @@ jobs: with: fetch-depth: 0 - - uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@f846a0bcb0e721b1f93d60e8b73e91dafc4a1e87 + - uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@d207465eb6ec02b6f3f1dbb131717830dc9ecc68 with: marketplace-path: .claude-plugin/marketplace.json # Official curated marketplace: SHA-pin (I5) is a HARD error.