diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
new file mode 100644
index 0000000..a08f1d1
--- /dev/null
+++ b/.github/workflows/validate-plugins.yml
@@ -0,0 +1,37 @@
+name: Validate Plugins
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "plugins/**"
+ - ".claude-plugin/**"
+ pull_request:
+ paths:
+ - "plugins/**"
+ - ".claude-plugin/**"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - name: Install Claude Code
+ run: npm install -g @anthropic-ai/claude-code@2.1.183
+
+ - name: Validate all plugins
+ run: |
+ failed=0
+ for plugin in plugins/*/; do
+ echo "::group::Validating $plugin"
+ if ! claude plugin validate "$plugin" --strict; then
+ echo "::error::Validation failed for $plugin"
+ failed=1
+ fi
+ echo "::endgroup::"
+ done
+ exit $failed
+
+ - name: Validate marketplace manifest
+ run: claude plugin validate . --strict
diff --git a/CLAUDE.md b/CLAUDE.md
index 326ffcd..5018738 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -71,3 +71,13 @@ Common `allowed-tools` patterns: `Bash(git *)`, `Bash(gh *)`, `Bash(npx ccusage*
 - Each plugin has independent semver in `plugin.json`
 - Root marketplace version bumps minor on every plugin release
 - Tags: `{plugin}/v{version}`
+
+### External Dependencies
+
+Always pin external dependencies to an exact, reproducible version — no floating references anywhere in the project.
+
+- **GitHub Actions**: pin `uses:` to a full commit SHA; add the exact patch version as a comment
+ - `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`
+ - To find SHA: `gh api repos/{owner}/{repo}/git/ref/tags/{tag} --jq '.object.sha'`
+- **npm**: use exact version (`@2.1.183`), never a range or bare package name
+- **Any other package manager or tool** (pip, cargo, brew, etc.): same rule — exact version only
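Review bot: The new workflow declares no `permissions:` block, so the `validate` job runs with whatever default GITHUB_TOKEN scope the repository grants, although its steps only check out and read the tree; add `permissions:` / `  contents: read` at the top level (or under `validate`) so the token is pinned to least privilege. The `paths:` filters on both the `push` and `pull_request` triggers omit the workflow file itself, so an edit to `.github/workflows/validate-plugins.yml` is not exercised until a plugin or marketplace file also changes — adding that path to both filters closes the gap. Note too that `npm install -g @anthropic-ai/claude-code@2.1.183` pins only the top-level package; its transitive dependencies are resolved at run time, so this step is not fully reproducible in the sense the CLAUDE.md section in this same commit asks for, which is worth a comment on the step if that trade-off is accepted.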