Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.

This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.

The check:
- Diffs marketplace.json base→head, extracts external entries (source is
  an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)

Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.
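The comparison the bullets describe, as an added Python example written for this note rather than the repository's own workflow script. The real check fetches base, head and community main with gh api; here the three documents are constructed inline. The top-level "plugins" array and the {"source": "github", "repo": ..., "sha": ...} shape of an external source object are assumptions about the file format, and the plugin names and shas are made up.

```python
# Added example of the marketplace.json check described above; written for
# this note, not the repository's own workflow code.  The real check fetches
# the three documents with `gh api`; here they are constructed inline.  The
# top-level "plugins" array and the {"source": "github", "repo": ..., "sha": ...}
# source-object shape are assumptions about the file format.

SHA_MISMATCH = "SHA mismatch"
ENTRY_ABSENT = "entry absent from community main"
NO_SHA_PIN = "no sha pin"


def external_entries(doc):
    """Map name -> sha (or None) for external entries only.

    An entry is external when "source" is an object; a string source is a
    vendored path inside this repo and is not covered by the community scan.
    """
    out = {}
    for entry in doc.get("plugins", []):
        src = entry.get("source")
        if isinstance(src, dict):
            out[entry["name"]] = src.get("sha")
    return out


def added_keys(base, head):
    """(name, sha) keys in head that are not in base.

    New entries and sha bumps produce a new key.  Removals only drop keys,
    and cosmetic edits (description, category) leave the key unchanged, so
    neither shows up here.
    """
    return set(external_entries(head).items()) - set(external_entries(base).items())


def check(base, head, community):
    """Return [(name, sha, diagnosis), ...]; an empty list means the check passes."""
    scanned = external_entries(community)  # what community main has scanned
    failures = []
    for name, sha in sorted(added_keys(base, head), key=lambda k: k[0]):
        if sha is None:
            failures.append((name, sha, NO_SHA_PIN))
        elif name not in scanned:
            failures.append((name, sha, ENTRY_ABSENT))
        elif scanned[name] != sha:
            failures.append((name, sha, f"{SHA_MISMATCH}: community main pins {scanned[name]}"))
    return failures


def gh(repo, sha=None):
    """Build a constructed external source object (helper for the samples)."""
    src = {"source": "github", "repo": repo}
    if sha is not None:
        src["sha"] = sha
    return src


# Constructed sample documents (shas are fake 40-hex strings).
BASE = {"plugins": [
    {"name": "alpha", "description": "Alpha tools", "source": gh("example/alpha", "1" * 40)},
    {"name": "bravo", "description": "Vendored plugin", "source": "./plugins/bravo"},
    {"name": "charlie", "description": "Old plugin", "source": gh("example/charlie", "3" * 40)},
]}
HEAD = {"plugins": [
    {"name": "alpha", "description": "Alpha tools", "source": gh("example/alpha", "2" * 40)},  # sha bump
    {"name": "bravo", "description": "Vendored plugin, reworded", "source": "./plugins/bravo"},  # cosmetic
    # charlie removed
    {"name": "delta", "description": "New, scanned", "source": gh("example/delta", "4" * 40)},
    {"name": "echo", "description": "New, unpinned", "source": gh("example/echo")},
    {"name": "foxtrot", "description": "New, never submitted", "source": gh("example/foxtrot", "6" * 40)},
]}
COMMUNITY = {"plugins": [
    {"name": "alpha", "source": gh("example/alpha", "1" * 40)},  # still at the old sha
    {"name": "delta", "source": gh("example/delta", "4" * 40)},
]}

if __name__ == "__main__":
    for name, sha, why in check(BASE, HEAD, COMMUNITY):
        print(f"FAIL {name}@{sha}: {why}")
```

Run against the samples, alpha fails as a SHA mismatch (community main still pins the old sha), echo fails for having no sha pin, foxtrot fails as absent, and delta passes; the reworded bravo and the removed charlie never enter the comparison because neither changes a (name, sha) key.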
Adds a GitHub Actions workflow that validates frontmatter in agent,
skill, and command .md files changed by a PR. Checks:
- Agents: name and description are present and parseable
- Skills: description is present (required for Skill tool discovery)
- Commands: description is present and parseable

The workflow only runs when PRs touch files in agents/, skills/, or
commands/ directories, and only validates the changed files.
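The per-directory rules above, as an added Python example written for this note and not the workflow's own script. It uses a deliberately minimal parser that accepts only flat `key: value` lines inside the leading --- block (an assumption; the workflow may well use a full YAML parser), scopes validation to .md files under agents/, skills/ and commands/, and runs over a constructed set of changed files.

```python
# Added example of the frontmatter validation described above; written for
# this note, not the workflow's own script.  It uses a deliberately minimal
# parser that accepts only flat `key: value` lines inside the leading ---
# block (an assumption; the real workflow may use a full YAML parser), and
# the file paths and contents below are constructed.

from typing import Dict, List, Optional

# Required frontmatter fields per top-level directory.
REQUIRED = {
    "agents": ("name", "description"),
    "skills": ("description",),      # needed for Skill tool discovery
    "commands": ("description",),
}


def parse_frontmatter(text: str) -> Optional[Dict[str, str]]:
    """Return the fields of the leading --- block, or None if the block is
    missing, unterminated, or contains a line that is not `key: value`."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return None
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return fields
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and YAML comments
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            return None  # not parseable as a flat mapping
        fields[key.strip()] = value.strip().strip("'\"")
    return None  # no closing ---


def kind_of(path: str) -> Optional[str]:
    """'agents', 'skills' or 'commands' for .md files under those directories,
    else None (the workflow validates only these changed files)."""
    top, sep, rest = path.partition("/")
    if sep and rest.endswith(".md") and top in REQUIRED:
        return top
    return None


def validate_file(path: str, text: str) -> List[str]:
    """Return a list of problems; empty means the file passes or is out of scope."""
    kind = kind_of(path)
    if kind is None:
        return []
    fields = parse_frontmatter(text)
    if fields is None:
        return ["frontmatter missing or not parseable"]
    return [f"missing required field: {name}" for name in REQUIRED[kind] if not fields.get(name)]


def validate_changed(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate a PR's changed files; returns only the files with problems."""
    report = {}
    for path, text in files.items():
        problems = validate_file(path, text)
        if problems:
            report[path] = problems
    return report


# Constructed changed-file set for a hypothetical PR.
CHANGED = {
    "agents/reviewer.md": "---\nname: reviewer\ndescription: Reviews pull requests for risky changes\n---\n\n# Reviewer\n",
    "agents/broken.md": "---\ndescription: 'Has a description but no name'\n---\n",
    "skills/deploy/SKILL.md": "---\nname: deploy\ndescription: Deploys the service\n---\n",
    "skills/bare/SKILL.md": "# Bare skill\nNo frontmatter block at all.\n",
    "commands/release.md": "---\ndescription Missing colon makes this block unparseable\n---\n",
    "README.md": "Outside agents/, skills/ and commands/, so never validated.\n",
}

if __name__ == "__main__":
    for path, problems in validate_changed(CHANGED).items():
        for problem in problems:
            print(f"{path}: {problem}")
```

On the constructed set, agents/broken.md is reported for the missing name, skills/bare/SKILL.md for having no frontmatter block, and commands/release.md for an unparseable block; README.md is never examined because it sits outside the three directories, which mirrors the workflow's path filter.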

* Add write permissions for external PR workflow
* Use pulls.createReview instead of issues.createComment
* Revert to issues.createComment with proper permissions