claude-plugins/.github/workflows/validate-plugins.yml
Bryan Thompson 94258c5913
ci: pin validate-plugins + scan-plugins + bump-plugin-shas to self-healing CLI install (#3095)
* ci: bump validate-plugins action pin to self-healing CLI install

Bumps the pinned validate-plugins action SHA (f846a0bc -> 5d75f99) to pick up
two fixes already merged in claude-plugins-community:

1. Self-healing claude CLI install (community#233): the prior pin's install step
   was a bare `npm i -g @anthropic-ai/claude-code@latest && claude --version`,
   which intermittently stalled (a 28-min hang -> "native binary not installed")
   and jammed whichever bump PR caught it (e.g. desktop-commander #2985). The new
   step forces the optional native dep, verifies the binary, re-runs the
   postinstall on a miss, and bounds every network step with a timeout.

2. strict:false skills-only manifest synthesis: the prior pin hard-required a
   plugin.json for external git-subdir sources, false-failing skills-only entries
   that the marketplace server synthesizes a manifest for. This is what blocks
   #2997 (learn-with-coursera) and #2312 (netsuite-suitecloud) today; the bumped
   action synthesizes a minimal manifest for them instead.

No other change. The action stays on claude-cli-version: latest.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: pin scan-plugins + bump-plugin-shas to self-healing action too

Extend the validate-plugins pin bump (this PR) to the other two shared actions
that install the claude CLI the same flaky way. All three now pin the same
claude-plugins-community SHA (d207465) carrying the self-healing install
(community#233 + #234): force the optional native dep, verify, re-run postinstall
on a miss, timeout every network step, retry with real reinstalls.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: run validate on workflow-file changes (fix required-check deadlock)

A PR touching only .github/workflows/** (e.g. an action-SHA re-pin like this one)
never matched validate-plugins.yml's pull_request path filter, so the required
'validate' check never ran and the PR sat 'Expected — Waiting for status to be
reported' with no way to clear it (workflow_dispatch check runs aren't associated
with the PR, so they don't satisfy the required check; the ruleset has no bypass
actors). Add .github/workflows/** to the trigger so workflow-only PRs validate
in-context and can clear the gate — and so this PR unblocks itself.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 19:50:51 -07:00

49 lines
1.8 KiB
YAML

name: Validate Plugins
on:
pull_request:
paths:
- '.claude-plugin/**'
- '*/.claude-plugin/**'
- '*/agents/**'
- '*/skills/**'
- '*/commands/**'
# `validate` is a required status check, so a PR that touches ONLY workflow
# files (e.g. an action-SHA re-pin) would otherwise never trigger validate
# and sit "Expected — Waiting for status to be reported" forever (workflow_dispatch
# check runs aren't associated with the PR, so they don't satisfy it). Run
# validate on workflow changes too so those PRs can clear the gate in-context.
- '.github/workflows/**'
push:
branches: [main]
paths:
- '.claude-plugin/**'
# `validate` is a required status check on main. Bump PRs are opened with
# GITHUB_TOKEN, which doesn't fire on:pull_request (recursion guard), so the
# path-filtered trigger above never reports on them and the PR would be
# blocked forever. The bump workflow dispatches this against each per-entry
# bump branch instead; the check run lands on the branch HEAD (= PR head)
# and satisfies the required check. The validate job runs unconditionally,
# so a dispatch always reports.
workflow_dispatch:
permissions:
contents: read
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: anthropics/claude-plugins-community/.github/actions/validate-plugins@d207465eb6ec02b6f3f1dbb131717830dc9ecc68
with:
marketplace-path: .claude-plugin/marketplace.json
# Official curated marketplace: SHA-pin (I5) is a HARD error.
# I8/I11 are warnings until the 15 known vendored-path/name issues
# are cleaned up (see PR body); tighten to "I1 I3" after.
warn-invariants: "I1 I3 I8 I11"
claude-cli-version: latest