Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.
This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.
The check:
- Diffs marketplace.json base→head, extracts external entries (source is
an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)
Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.
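As an added example (not the PR's own workflow code), the gate described above in stand-alone Python, run offline on constructed base/head/community documents. It assumes a marketplace.json schema with a top-level "plugins" list whose entries carry "name" and "source", where "source" is either a vendored string path (skipped) or an object with a "sha" pin; the community repo path in the optional fetch helper is a placeholder.

```python
"""Stateless gate: every external marketplace.json entry added or sha-bumped
in a PR must already exist (same name, same sha) on community main.

Added example, not the PR's workflow code. Assumed schema: top-level "plugins"
list; each entry has "name" and "source", where "source" is a string (vendored
path, not covered by the community scan) or an object carrying a "sha" pin.
"""
import json
import subprocess


def external_keys(doc: dict) -> dict:
    """Return {(name, sha): entry} for entries whose source is an object."""
    keys = {}
    for entry in doc.get("plugins", []):
        source = entry.get("source")
        if not isinstance(source, dict):
            continue  # vendored string path: no external scan applies
        keys[(entry["name"], source.get("sha"))] = entry
    return keys


def check_added_entries(base: dict, head: dict, community: dict) -> list:
    """Return failure messages; an empty list means the check passes.

    Only keys present in head but not in base are examined, so removals and
    cosmetic edits (description, category) never trigger a failure, while a
    sha bump produces a new key and is re-checked against community main.
    """
    base_keys = external_keys(base)
    head_keys = external_keys(head)
    community_keys = external_keys(community)
    community_shas = {}
    for name, sha in community_keys:
        community_shas.setdefault(name, set()).add(sha)

    failures = []
    for name, sha in sorted(head_keys.keys() - base_keys.keys(), key=str):
        if not sha:
            failures.append(f"{name}: external entry has no sha pin; scan anchor is meaningless")
        elif (name, sha) in community_keys:
            continue  # exact name+sha already scanned on community main
        elif name in community_shas:
            known = ", ".join(sorted(s for s in community_shas[name] if s))
            failures.append(f"{name}: SHA mismatch, {sha} not on community main (known: {known})")
        else:
            failures.append(f"{name}: entry absent from community main")
    return failures


def fetch_community_marketplace(repo: str = "<org>/claude-plugins-community",
                                path: str = "marketplace.json",
                                ref: str = "main") -> dict:
    """Fetch the community file through the GitHub API with the workflow token
    (gh honours GH_TOKEN), avoiding raw.githubusercontent. Not run offline."""
    raw = subprocess.check_output([
        "gh", "api", "-H", "Accept: application/vnd.github.raw",
        f"repos/{repo}/contents/{path}?ref={ref}",
    ])
    return json.loads(raw)


# Constructed sample documents (not real marketplace data).
BASE = {"plugins": [
    {"name": "alpha", "source": {"source": "github", "repo": "org/alpha", "sha": "1111"}, "description": "old"},
    {"name": "vendored", "source": "./plugins/vendored"},
    {"name": "gone", "source": {"source": "github", "repo": "org/gone", "sha": "9999"}},
]}
HEAD = {"plugins": [
    {"name": "alpha", "source": {"source": "github", "repo": "org/alpha", "sha": "2222"}, "description": "new"},
    {"name": "vendored", "source": "./plugins/vendored"},
    {"name": "beta", "source": {"source": "github", "repo": "org/beta", "sha": "3333"}},
    {"name": "gamma", "source": {"source": "github", "repo": "org/gamma"}},
    {"name": "delta", "source": {"source": "github", "repo": "org/delta", "sha": "4444"}},
]}
COMMUNITY = {"plugins": [
    {"name": "alpha", "source": {"source": "github", "repo": "org/alpha", "sha": "2222"}},
    {"name": "beta", "source": {"source": "github", "repo": "org/beta", "sha": "5555"}},
    {"name": "delta", "source": {"source": "github", "repo": "org/delta", "sha": "4444"}},
]}


def cosmetic_only_head() -> dict:
    """Head that only changes a description: must pass without fetching anything new."""
    doc = json.loads(json.dumps(BASE))
    doc["plugins"][0]["description"] = "reworded"
    return doc


if __name__ == "__main__":
    for msg in check_added_entries(BASE, HEAD, COMMUNITY) or ["ok"]:
        print(msg)
```

In the constructed run, the alpha sha bump and the new delta entry pass because community main carries the same name+sha, the removed gone entry and the vendored path are ignored, beta is reported as a SHA mismatch against the sha community main knows, and gamma is rejected for having no pin.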