From fe3e5168614a36e565b36cc2cdcd20269a77ced0 Mon Sep 17 00:00:00 2001
From: b4tchkn
Date: Sat, 20 Jun 2026 19:12:06 +0900
Subject: [PATCH 1/5] ci: add plugin validate workflow

Run `claude plugin validate --strict` on all plugins and the marketplace manifest on push/PR to main when plugin files change.
---
 .github/workflows/validate-plugins.yml | 37 ++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/validate-plugins.yml

diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
new file mode 100644
index 0000000..0c66e21
--- /dev/null
+++ b/.github/workflows/validate-plugins.yml
@@ -0,0 +1,37 @@
+name: Validate Plugins
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "plugins/**"
+      - ".claude-plugin/**"
+  pull_request:
+    paths:
+      - "plugins/**"
+      - ".claude-plugin/**"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Claude Code
+        run: npm install -g @anthropic-ai/claude-code
+
+      - name: Validate all plugins
+        run: |
+          failed=0
+          for plugin in plugins/*/; do
+            echo "::group::Validating $plugin"
+            if ! claude plugin validate "$plugin" --strict; then
+              echo "::error::Validation failed for $plugin"
+              failed=1
+            fi
+            echo "::endgroup::"
+          done
+          exit $failed
+
+      - name: Validate marketplace manifest
+        run: claude plugin validate . --strict

From 4ef1b0e4a13089c4d123cd3520cf31da7b80a345 Mon Sep 17 00:00:00 2001
From: b4tchkn
Date: Sat, 20 Jun 2026 19:20:40 +0900
Subject: [PATCH 2/5] ci: pin actions/checkout to commit SHA

Use commit SHA instead of tag ref to prevent supply chain attacks.
---
 .github/workflows/validate-plugins.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
index 0c66e21..ee7b1ce 100644
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
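Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository is configured with, even though both validate steps only need to read the checkout. Add a top-level `permissions:` / `  contents: read` before `jobs:` so that a compromised step or an npm dependency pulled in by the install step cannot use the token to write to the repository. This matters a little more here than usual because the `pull_request` trigger will run the validator over plugin files contributed by outsiders; the token for fork PRs is already read-only, but the push-to-main run is not, and the explicit block makes the least-privilege intent reviewable.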
@@ -15,7 +15,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install Claude Code
         run: npm install -g @anthropic-ai/claude-code

From 54ee488ca013f7b2d912a003720fd7f1f5625377 Mon Sep 17 00:00:00 2001
From: b4tchkn
Date: Sat, 20 Jun 2026 19:27:23 +0900
Subject: [PATCH 3/5] ci: fix actions/checkout version comment to v4.3.1

---
 .github/workflows/validate-plugins.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
index ee7b1ce..2831018 100644
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
@@ -15,7 +15,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Install Claude Code
         run: npm install -g @anthropic-ai/claude-code

From 4b835ba1ae49939f228da337387f292c3116ddd9 Mon Sep 17 00:00:00 2001
From: b4tchkn
Date: Sat, 20 Jun 2026 19:30:28 +0900
Subject: [PATCH 4/5] docs: add GitHub Actions SHA pinning convention to CLAUDE.md

---
 CLAUDE.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CLAUDE.md b/CLAUDE.md
index 326ffcd..12d367a 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
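Review bot: The SHA on the added `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` line is only a protection if it was checked against the tag it is meant to represent, and nothing in the series shows that check; I cannot confirm from here which actions/checkout release this commit is, so verify it with `git ls-remote --tags https://github.com/actions/checkout` and use the peeled `refs/tags/<tag>^{}` entry if one exists, because for an annotated tag the `git/ref/tags/{tag}` API that the later CLAUDE.md patch documents returns the tag object's SHA rather than the commit, and `uses:` needs the commit. A SHA pin is also static by design: without a Dependabot `github-actions` ecosystem entry (or Renovate) the pin will never be refreshed and the version comment on this line will silently drift from what the SHA actually is.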
@@ -71,3 +71,17 @@ Common `allowed-tools` patterns: `Bash(git *)`, `Bash(gh *)`, `Bash(npx ccusage*
 - Each plugin has independent semver in `plugin.json`
 - Root marketplace version bumps minor on every plugin release
 - Tags: `{plugin}/v{version}`
+
+### GitHub Actions
+
+Pin all `uses:` references to a full commit SHA, not a tag. Add the exact patch version as a comment.
+
+```yaml
+# Good
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+# Bad
+- uses: actions/checkout@v4
+```
+
+To find the SHA for a tag: `gh api repos/{owner}/{repo}/git/ref/tags/{tag} --jq '.object.sha'`

From aad74f0ad877d4819ca65d79343d881b31c49986 Mon Sep 17 00:00:00 2001
From: b4tchkn
Date: Sat, 20 Jun 2026 19:37:05 +0900
Subject: [PATCH 5/5] ci: pin external dependencies to exact versions

- @anthropic-ai/claude-code@2.1.183 in validate workflow
- Add External Dependencies convention to CLAUDE.md
---
 .github/workflows/validate-plugins.yml |  2 +-
 CLAUDE.md                              | 18 +++++++-----------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/validate-plugins.yml b/.github/workflows/validate-plugins.yml
index 2831018..a08f1d1 100644
--- a/.github/workflows/validate-plugins.yml
+++ b/.github/workflows/validate-plugins.yml
@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Install Claude Code
-        run: npm install -g @anthropic-ai/claude-code
+        run: npm install -g @anthropic-ai/claude-code@2.1.183
 
       - name: Validate all plugins
         run: |
diff --git a/CLAUDE.md b/CLAUDE.md
index 12d367a..5018738 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
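Review bot: The exact version on the new `run: npm install -g @anthropic-ai/claude-code@2.1.183` line lives inside a shell string, so Dependabot will not see it and it will never be refreshed, and `npm install` still resolves that package's transitive dependencies from the registry at run time with no lockfile and no integrity check, which is the part of the supply chain the pin was meant to close. Moving the pin into a `package.json` devDependency with a committed `package-lock.json` and installing with `npm ci` (then invoking `npx claude plugin validate ...`) would make the whole tree pinned, auditable and bot-updatable. If the CLI works without its lifecycle scripts, adding `--ignore-scripts` to the install also stops install-time scripts from anything in that tree from running on the runner — confirm the tool still starts before relying on it.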
@@ -72,16 +72,12 @@ Common `allowed-tools` patterns: `Bash(git *)`, `Bash(gh *)`, `Bash(npx ccusage*
 - Root marketplace version bumps minor on every plugin release
 - Tags: `{plugin}/v{version}`
 
-### GitHub Actions
+### External Dependencies
 
-Pin all `uses:` references to a full commit SHA, not a tag. Add the exact patch version as a comment.
+Always pin external dependencies to an exact, reproducible version — no floating references anywhere in the project.
 
-```yaml
-# Good
-- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-# Bad
-- uses: actions/checkout@v4
-```
-
-To find the SHA for a tag: `gh api repos/{owner}/{repo}/git/ref/tags/{tag} --jq '.object.sha'`
+- **GitHub Actions**: pin `uses:` to a full commit SHA; add the exact patch version as a comment
+  - `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`
+  - To find SHA: `gh api repos/{owner}/{repo}/git/ref/tags/{tag} --jq '.object.sha'`
+- **npm**: use exact version (`@2.1.183`), never a range or bare package name
+- **Any other package manager or tool** (pip, cargo, brew, etc.): same rule — exact version only