chore: import upstream snapshot with attribution
plugin-validate / validate (push) Failing after 1s
secret-scan / gitleaks (push) Failing after 4s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:11:14 +08:00
commit 39a1aa29cb
373 changed files with 46576 additions and 0 deletions
+64
View File
@@ -0,0 +1,64 @@
name: plugin-validate
# Runs the official Claude Code plugin linter over every plugin and the
# marketplace manifest. Catches malformed manifests (e.g. hooks.json as a
# bare [] instead of {"hooks": {}}) before they reach users.
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
env:
# Pinned for reproducible builds + a stable cache key. Bump by setting this
# to a newer version from https://downloads.claude.ai/claude-code-releases/stable
# 2.1.143: first release whose `plugin validate` accepts `displayName` on
# marketplace entries (2.1.140 and earlier reject it as an unrecognized key).
CLAUDE_VERSION: 2.1.143
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Cache Claude Code CLI
id: cli-cache
uses: actions/cache@v4
with:
# ~/.local/bin/claude is a symlink into the versioned dir below —
# both must be cached or the restored symlink dangles (exit 127).
path: |
~/.local/bin/claude
~/.local/share/claude
key: claude-cli-${{ runner.os }}-${{ env.CLAUDE_VERSION }}-v2
- name: Install Claude Code CLI
if: steps.cli-cache.outputs.cache-hit != 'true'
run: curl -fsSL https://claude.ai/install.sh | bash -s "$CLAUDE_VERSION"
- name: Validate marketplace + every plugin
run: |
set -euo pipefail
export PATH="$HOME/.local/bin:$PATH"
claude --version
fail=0
echo "::group::marketplace"
claude plugin validate .claude-plugin/marketplace.json || fail=1
echo "::endgroup::"
while IFS= read -r manifest; do
plugin_dir="$(dirname "$(dirname "$manifest")")"
echo "::group::$plugin_dir"
claude plugin validate "$plugin_dir" || fail=1
echo "::endgroup::"
done < <(find plugins -path '*/.claude-plugin/plugin.json' | sort)
if [ "$fail" -ne 0 ]; then
echo "::error::plugin validation failed — see grouped logs above"
exit 1
fi
+35
View File
@@ -0,0 +1,35 @@
name: secret-scan
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: gitleaks
run: |
set -euo pipefail
curl -sSL -o gitleaks.tgz \
https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz
echo "a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb gitleaks.tgz" | sha256sum -c -
tar -xzf gitleaks.tgz gitleaks
./gitleaks git --redact --exit-code 1 .
- name: internal-reference scrub
run: |
set -euo pipefail
if grep -rInE '\.ant\.dev|antspace\.dev|anthropic-internal|\bgo/[a-z][a-z0-9_-]+\b' \
--include='*.md' --include='*.yaml' --include='*.yml' --include='*.json' \
--include='*.py' --include='*.sh' \
--exclude-dir=.github . ; then
echo "::error::internal Anthropic references found above"
exit 1
fi
+26
View File
@@ -0,0 +1,26 @@
name: version-bump
# Backstop for contributors without the local pre-commit hook: every PR that
# modifies a plugin must bump that plugin's .claude-plugin/plugin.json version,
# otherwise already-installed users won't receive the change.
on:
pull_request:
permissions:
contents: read
jobs:
version-bump:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check plugin version bumps
env:
BASE_REF: ${{ github.base_ref }}
run: |
set -euo pipefail
git fetch --no-tags --depth=1 origin "$BASE_REF"
python3 scripts/version_bump.py --check --base "origin/$BASE_REF"