mirror of
https://github.com/lucas-labs/claude-plugins.git
synced 2026-07-10 19:25:44 -03:00
* ci: migrate scan-plugins.yml to Workload Identity Federation auth Replaces the static ANTHROPIC_API_KEY repo secret with Workload Identity Federation: the scan-plugins shared action mints a GitHub OIDC token (id-token: write) and the claude CLI exchanges it for a short-lived bearer. The federation rule is bound to this repository (repository_id-pinned). Depends on anthropics/claude-plugins-community#34 (adds the WIF inputs to the shared action). Pinned to that PR's head SHA; will re-pin to a main-branch SHA once #34 merges. Drops the 'Require ANTHROPIC_API_KEY' fail-closed guard — the WIF inputs are literal in this file, so the action's skip-if-no-auth path can't trigger. Updates the prompt-injection security comment to reflect the short-lived bearer model. * scan-plugins: re-pin to cpc#34 merge commit on main claude-plugins-community#34 merged at e85f0d65b4fc87f07862e1dcdc467950514414ec — re-pinning from the PR head SHA to the squash-merge commit on main so the pin survives any future branch GC.