Tobin South f4390f3c96 ci: gate external plugin entries on community scan merge ...

Adds a stateless check that fails if any added external marketplace.json
entry (keyed by name+sha) is not already present on
claude-plugins-community main.

This repo runs no security scan — the scan is in claude-plugins-community.
Without this check, the only thing preventing a bypass is the PR body
convention of linking to a community PR, and a human remembering to look.

The check:
- Diffs marketplace.json base→head, extracts external entries (source is
  an object, not a vendored string path), keyed by {name, sha}
- Fails if any added key is absent from community main
- Catches new entries AND sha bumps (new sha → new scan required)
- Skips cosmetic edits (description/category) and removals
- Gives a precise diagnosis on failure: SHA mismatch vs entry absent
- Rejects new entries with no sha pin (scan anchor is meaningless)

Fetch uses gh api with the workflow token, not raw.githubusercontent
(which flakes with curl exit 56). Works same-org whether community is
public or private.

2026-03-09 11:43:03 +00:00

..

close-external-prs.yml

Update webhook closed PR message link to clau.de (#500)

2026-03-03 17:08:52 -08:00

validate-frontmatter.yml

Add CI workflow to validate YAML frontmatter in PRs

2026-02-04 16:21:18 -08:00

verify-community-merged.yml

ci: gate external plugin entries on community scan merge

2026-03-09 11:43:03 +00:00