plugin-scanner 2.0.0__tar.gz → 2.0.1__tar.gz

plugin_scanner-2.0.1/.github/workflows/publish-action-repo.yml

@@ -0,0 +1,206 @@
+name: Publish GitHub Action Repository
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ai-plugin-scanner-action-repo-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish-action-repo:
+    name: Sync action repo + publish release notes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      ACTION_CANONICAL_REPOSITORY: ${{ vars.ACTION_CANONICAL_REPOSITORY != '' && vars.ACTION_CANONICAL_REPOSITORY || 'hashgraph-online/ai-plugin-scanner-action' }}
+      ACTION_COMPAT_REPOSITORY: ${{ vars.ACTION_COMPAT_REPOSITORY != '' && vars.ACTION_COMPAT_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
+      SOURCE_REF: ${{ github.sha }}
+      SOURCE_REPOSITORY: ${{ github.repository }}
+      SOURCE_SERVER_URL: ${{ github.server_url }}
+    steps:
+      - name: Validate publication credentials
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          if [ -z "$ACTION_REPO_TOKEN" ]; then
+            echo "ACTION_REPO_TOKEN must be configured to publish the Marketplace action repository." >&2
+            exit 1
+          fi
+
+      - name: Checkout source repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Compute next action release tag
+        id: version
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          latest_release_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            gh release list --repo "$target_repo" --limit 1 --json tagName --jq '.[0].tagName // ""'
+          }
+
+          latest_remote_tag() {
+            target_repo="$1"
+            if ! gh repo view "$target_repo" >/dev/null 2>&1; then
+              return
+            fi
+            git ls-remote --tags --refs "https://x-access-token:${GH_TOKEN}@github.com/${target_repo}.git" "refs/tags/v*" \
+              | awk -F'/' '{print $3}' \
+              | sort -V \
+              | tail -n1
+          }
+
+          LAST_TAG=""
+          for candidate in \
+            "$(latest_release_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_release_tag "$ACTION_COMPAT_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_CANONICAL_REPOSITORY")" \
+            "$(latest_remote_tag "$ACTION_COMPAT_REPOSITORY")"; do
+            if [ -z "$candidate" ]; then
+              continue
+            fi
+            if [ -z "$LAST_TAG" ] || [ "$(printf '%s\n%s\n' "$LAST_TAG" "$candidate" | sort -V | tail -n1)" = "$candidate" ]; then
+              LAST_TAG="$candidate"
+            fi
+          done
+
+          if [ -z "$LAST_TAG" ]; then
+            TAG="v1.0.0"
+          else
+            IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+            if [ -z "$MAJOR" ] || [ -z "$MINOR" ] || [ -z "$PATCH" ]; then
+              echo "Unsupported release tag format: $LAST_TAG" >&2
+              exit 1
+            fi
+            TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))"
+          fi
+
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Compute scanner package version
+        id: scanner_version
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+        run: |
+          BASE_VERSION=$(python3 -c "import tomllib; p=tomllib.load(open('pyproject.toml','rb')); print(p['project']['version'])")
+          VERSION="$BASE_VERSION"
+          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/v}"
+          elif [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == "refs/heads/main" ]]; then
+            LAST_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n1)
+            if [[ -n "$LAST_TAG" ]]; then
+              IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+              if [[ -z "$MAJOR" || -z "$MINOR" || -z "$PATCH" ]]; then
+                echo "Unsupported release tag format: $LAST_TAG" >&2
+                exit 1
+              fi
+              VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
+            fi
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Sync canonical and compatibility action repositories
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+          TAG: ${{ steps.version.outputs.tag }}
+          SCANNER_VERSION: ${{ steps.scanner_version.outputs.version }}
+        run: |
+          any_repo_changed="false"
+
+          publish_action_release() {
+            target_repo="$1"
+            repo_dir="$2"
+
+            git -C "$repo_dir" tag -fa v1 -m "Update floating major tag to ${TAG}"
+            if git -C "$repo_dir" ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
+              echo "Refusing to publish action bundle with colliding existing tag ${TAG} in ${target_repo}." >&2
+              exit 1
+            fi
+            git -C "$repo_dir" tag "${TAG}"
+            git -C "$repo_dir" push origin "refs/tags/${TAG}"
+            git -C "$repo_dir" push origin refs/tags/v1 --force
+
+            if ! gh release view "${TAG}" --repo "$target_repo" >/dev/null 2>&1; then
+              gh release create "${TAG}" \
+                --repo "$target_repo" \
+                --title "${TAG}" \
+                --generate-notes \
+                --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"
+            fi
+          }
+
+          sync_action_repo() {
+            target_repo="$1"
+            readme_source="$2"
+            repo_description="$3"
+            repo_dir="$GITHUB_WORKSPACE/action-repos/${target_repo##*/}"
+            repo_changed="false"
+
+            if gh repo view "$target_repo" >/dev/null 2>&1; then
+              gh repo edit "$target_repo" --description "$repo_description"
+              gh repo clone "$target_repo" "$repo_dir" -- --depth 1
+            else
+              gh repo create "$target_repo" --public --description "$repo_description" --clone
+              mv "${target_repo##*/}" "$repo_dir"
+            fi
+
+            git -C "$repo_dir" remote set-url origin "https://x-access-token:${ACTION_REPO_TOKEN}@github.com/${target_repo}.git"
+
+            cp "${GITHUB_WORKSPACE}/action/action.yml" "${repo_dir}/action.yml"
+            cp "$readme_source" "${repo_dir}/README.md"
+            printf '%s\n' "$SCANNER_VERSION" > "${repo_dir}/scanner-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/cisco-version.txt" "${repo_dir}/cisco-version.txt"
+            cp "${GITHUB_WORKSPACE}/action/pypi-attestations-version.txt" "${repo_dir}/pypi-attestations-version.txt"
+            cp "${GITHUB_WORKSPACE}/LICENSE" "${repo_dir}/LICENSE"
+            cp "${GITHUB_WORKSPACE}/SECURITY.md" "${repo_dir}/SECURITY.md"
+            cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" "${repo_dir}/CONTRIBUTING.md"
+
+            if [ -n "$(git -C "$repo_dir" status --short -- action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
+              repo_changed="true"
+              git -C "$repo_dir" config user.name "github-actions[bot]"
+              git -C "$repo_dir" config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git -C "$repo_dir" add action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md
+              git -C "$repo_dir" commit -m "chore: publish action bundle ${TAG}"
+              git -C "$repo_dir" push origin HEAD:main
+              any_repo_changed="true"
+            fi
+
+            printf '%s\t%s\n' "$target_repo" "$repo_dir" >> "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+          }
+
+          mkdir -p "$GITHUB_WORKSPACE/action-repos"
+          : > "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"
+
+          sync_action_repo \
+            "$ACTION_CANONICAL_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.md" \
+            "HOL AI Plugin Scanner GitHub Action"
+
+          sync_action_repo \
+            "$ACTION_COMPAT_REPOSITORY" \
+            "${GITHUB_WORKSPACE}/action/README.legacy.md" \
+            "Compatibility alias for HOL AI Plugin Scanner GitHub Action"
+
+          if [ "$any_repo_changed" != "true" ]; then
+            exit 0
+          fi
+
+          while IFS=$'\t' read -r target_repo repo_dir; do
+            publish_action_release "$target_repo" "$repo_dir"
+          done < "$GITHUB_WORKSPACE/action-repos/publish-targets.tsv"

{plugin_scanner-2.0.0 → plugin_scanner-2.0.1}/.github/workflows/publish.yml

@@ -193,7 +193,7 @@ jobs:
         run: |
           VERSION="${{ needs.build.outputs.version }}"
           BUNDLE_ROOT="dist/github-action-bundle"
-          BUNDLE_PATH="dist/hol-codex-plugin-scanner-action-v${VERSION}.zip"
+          BUNDLE_PATH="dist/ai-plugin-scanner-action-v${VERSION}.zip"
 
           mkdir -p "${BUNDLE_ROOT}"
           cp action/action.yml "${BUNDLE_ROOT}/action.yml"

{plugin_scanner-2.0.0 → plugin_scanner-2.0.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.0
+Version: 2.0.1
 Summary: Security, operational-security, and publishability scanner for Codex, Claude, Gemini, and OpenCode plugin ecosystems.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner
@@ -60,8 +60,8 @@ pipx run plugin-scanner verify .
 
 ```yaml
 # GitHub Actions PR gate
-- name: Codex plugin quality gate
-  uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+- name: AI plugin quality gate
+  uses: hashgraph-online/ai-plugin-scanner-action@v1
   with:
     plugin_dir: "."
     fail_on_severity: high
@@ -248,7 +248,7 @@ For repo-scoped marketplaces, `scan`, `lint`, `verify`, and `doctor` can target
 ## Config + Baseline Example
 
 ```toml
-# .codex-plugin-scanner.toml
+# .plugin-scanner.toml
 [scanner]
 profile = "public-marketplace"
 baseline_file = "baseline.txt"
@@ -338,7 +338,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+      - uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           mode: scan
@@ -357,9 +357,9 @@ Local pre-commit style hook:
 repos:
   - repo: local
     hooks:
-      - id: codex-plugin-scanner
-        name: Codex Plugin Scanner
-        entry: codex-plugin-scanner
+      - id: plugin-scanner
+        name: Plugin Scanner
+        entry: plugin-scanner
         language: system
         types: [directory]
         pass_filenames: false
@@ -386,17 +386,19 @@ The source repository can publish the GitHub Action automatically into a dedicat
 Configure:
 
 - repository secret `ACTION_REPO_TOKEN`
-  It should be a token that can create or update repositories and releases in the target repository.
-- optional repository variable `ACTION_REPOSITORY`
+  It should be a token that can create or update repositories and releases in the canonical and compatibility action repositories.
+- optional repository variable `ACTION_CANONICAL_REPOSITORY`
+  Defaults to `hashgraph-online/ai-plugin-scanner-action`.
+- optional repository variable `ACTION_COMPAT_REPOSITORY`
   Defaults to `hashgraph-online/hol-codex-plugin-scanner-action`.
 
-When a tagged release is published, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
+When changes land on `main`, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
 
-- create the dedicated action repository if it does not already exist
-- sync the root-ready `action.yml`, `README.md`, `LICENSE`, and `SECURITY.md`
+- create the canonical Marketplace repository if it does not already exist
+- sync the root-ready `action.yml`, repo-specific `README.md`, `LICENSE`, and `SECURITY.md` into both the canonical repo and the legacy compatibility repo
 - push the immutable release tag such as `v2.0.0`
 - move the floating `v1` tag
-- create or update the corresponding release in the action repository
+- create or update the corresponding release in each action repository
 
 GitHub Marketplace still requires the one-time listing publication step in the dedicated action repository UI, but after that this repository can keep the action repository current automatically.
 
@@ -404,7 +406,7 @@ GitHub Marketplace still requires the one-time listing publication step in the d
 
 The action can also handle submission intake. A plugin repository can wire the scanner into CI so a passing scan opens or reuses a submission issue in [awesome-codex-plugins](https://github.com/hashgraph-online/awesome-codex-plugins).
 
-It also emits Codex-friendly machine outputs:
+It also emits automation-friendly machine outputs:
 
 - `score`, `grade`, `grade_label`, `max_severity`, and `findings_total` as GitHub Action outputs
 - a concise markdown summary in the job summary by default
@@ -432,7 +434,7 @@ jobs:
 
       - name: Scan and submit if eligible
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           min_score: 80
@@ -448,9 +450,9 @@ jobs:
 
 `submission_token` is required when `submission_enabled: true`. This flow is idempotent. If the plugin repository was already submitted, the action reuses the existing open issue instead of opening duplicates by matching an exact hidden plugin URL marker in the existing issue body.
 
-### Registry Payload For Codex Ecosystem Automation
+### Registry Payload For Plugin Ecosystem Automation
 
-If you want to feed the same scan into a registry, badge pipeline, or another Codex automation step, request a registry payload file directly from the action:
+If you want to feed the same scan into a registry, badge pipeline, or another plugin ecosystem automation step, request a registry payload file directly from the action:
 
 ```yaml
 permissions:
@@ -464,12 +466,12 @@ jobs:
 
       - name: Scan plugin
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           format: sarif
-          output: codex-plugin-scanner.sarif
-          registry_payload_output: codex-plugin-registry-payload.json
+          output: ai-plugin-scanner.sarif
+          registry_payload_output: ai-plugin-registry-payload.json
 
       - name: Show trust signals
         run: |
@@ -480,7 +482,7 @@ jobs:
       - name: Upload registry payload
         uses: actions/upload-artifact@v6
         with:
-          name: codex-plugin-registry-payload
+          name: ai-plugin-registry-payload
           path: ${{ steps.scan.outputs.registry_payload_path }}
 ```
 

{plugin_scanner-2.0.0 → plugin_scanner-2.0.1}/README.md

@@ -25,8 +25,8 @@ pipx run plugin-scanner verify .
 
 ```yaml
 # GitHub Actions PR gate
-- name: Codex plugin quality gate
-  uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+- name: AI plugin quality gate
+  uses: hashgraph-online/ai-plugin-scanner-action@v1
   with:
     plugin_dir: "."
     fail_on_severity: high
@@ -213,7 +213,7 @@ For repo-scoped marketplaces, `scan`, `lint`, `verify`, and `doctor` can target
 ## Config + Baseline Example
 
 ```toml
-# .codex-plugin-scanner.toml
+# .plugin-scanner.toml
 [scanner]
 profile = "public-marketplace"
 baseline_file = "baseline.txt"
@@ -303,7 +303,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+      - uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           mode: scan
@@ -322,9 +322,9 @@ Local pre-commit style hook:
 repos:
   - repo: local
     hooks:
-      - id: codex-plugin-scanner
-        name: Codex Plugin Scanner
-        entry: codex-plugin-scanner
+      - id: plugin-scanner
+        name: Plugin Scanner
+        entry: plugin-scanner
         language: system
         types: [directory]
         pass_filenames: false
@@ -351,17 +351,19 @@ The source repository can publish the GitHub Action automatically into a dedicat
 Configure:
 
 - repository secret `ACTION_REPO_TOKEN`
-  It should be a token that can create or update repositories and releases in the target repository.
-- optional repository variable `ACTION_REPOSITORY`
+  It should be a token that can create or update repositories and releases in the canonical and compatibility action repositories.
+- optional repository variable `ACTION_CANONICAL_REPOSITORY`
+  Defaults to `hashgraph-online/ai-plugin-scanner-action`.
+- optional repository variable `ACTION_COMPAT_REPOSITORY`
   Defaults to `hashgraph-online/hol-codex-plugin-scanner-action`.
 
-When a tagged release is published, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
+When changes land on `main`, [publish-action-repo.yml](./.github/workflows/publish-action-repo.yml) will:
 
-- create the dedicated action repository if it does not already exist
-- sync the root-ready `action.yml`, `README.md`, `LICENSE`, and `SECURITY.md`
+- create the canonical Marketplace repository if it does not already exist
+- sync the root-ready `action.yml`, repo-specific `README.md`, `LICENSE`, and `SECURITY.md` into both the canonical repo and the legacy compatibility repo
 - push the immutable release tag such as `v2.0.0`
 - move the floating `v1` tag
-- create or update the corresponding release in the action repository
+- create or update the corresponding release in each action repository
 
 GitHub Marketplace still requires the one-time listing publication step in the dedicated action repository UI, but after that this repository can keep the action repository current automatically.
 
@@ -369,7 +371,7 @@ GitHub Marketplace still requires the one-time listing publication step in the d
 
 The action can also handle submission intake. A plugin repository can wire the scanner into CI so a passing scan opens or reuses a submission issue in [awesome-codex-plugins](https://github.com/hashgraph-online/awesome-codex-plugins).
 
-It also emits Codex-friendly machine outputs:
+It also emits automation-friendly machine outputs:
 
 - `score`, `grade`, `grade_label`, `max_severity`, and `findings_total` as GitHub Action outputs
 - a concise markdown summary in the job summary by default
@@ -397,7 +399,7 @@ jobs:
 
       - name: Scan and submit if eligible
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           min_score: 80
@@ -413,9 +415,9 @@ jobs:
 
 `submission_token` is required when `submission_enabled: true`. This flow is idempotent. If the plugin repository was already submitted, the action reuses the existing open issue instead of opening duplicates by matching an exact hidden plugin URL marker in the existing issue body.
 
-### Registry Payload For Codex Ecosystem Automation
+### Registry Payload For Plugin Ecosystem Automation
 
-If you want to feed the same scan into a registry, badge pipeline, or another Codex automation step, request a registry payload file directly from the action:
+If you want to feed the same scan into a registry, badge pipeline, or another plugin ecosystem automation step, request a registry payload file directly from the action:
 
 ```yaml
 permissions:
@@ -429,12 +431,12 @@ jobs:
 
       - name: Scan plugin
         id: scan
-        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+        uses: hashgraph-online/ai-plugin-scanner-action@v1
         with:
           plugin_dir: "."
           format: sarif
-          output: codex-plugin-scanner.sarif
-          registry_payload_output: codex-plugin-registry-payload.json
+          output: ai-plugin-scanner.sarif
+          registry_payload_output: ai-plugin-registry-payload.json
 
       - name: Show trust signals
         run: |
@@ -445,7 +447,7 @@ jobs:
       - name: Upload registry payload
         uses: actions/upload-artifact@v6
         with:
-          name: codex-plugin-registry-payload
+          name: ai-plugin-registry-payload
           path: ${{ steps.scan.outputs.registry_payload_path }}
 ```
 

plugin_scanner-2.0.1/action/README.legacy.md

@@ -0,0 +1,25 @@
+# HOL AI Plugin Scanner GitHub Action
+
+[![Latest Release](https://img.shields.io/github/v/release/hashgraph-online/hol-codex-plugin-scanner-action?display_name=tag)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action/releases/latest)
+[![Compatibility Alias](https://img.shields.io/badge/legacy-slug-supported-6b7280)](https://github.com/hashgraph-online/hol-codex-plugin-scanner-action)
+[![Canonical Repository](https://img.shields.io/badge/canonical-ai--plugin--scanner--action-0A84FF)](https://github.com/hashgraph-online/ai-plugin-scanner-action)
+[![Source of Truth](https://img.shields.io/badge/source-ai--plugin--scanner-111827)](https://github.com/hashgraph-online/ai-plugin-scanner/tree/main/action)
+
+This repository remains supported as a compatibility alias for existing workflows that use:
+
+```yaml
+uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+```
+
+New integrations should move to the canonical action slug:
+
+```yaml
+uses: hashgraph-online/ai-plugin-scanner-action@v1
+```
+
+The action behavior, release train, and source of truth are shared with the canonical repository:
+
+- Canonical action repo: [hashgraph-online/ai-plugin-scanner-action](https://github.com/hashgraph-online/ai-plugin-scanner-action)
+- Source repo: [hashgraph-online/ai-plugin-scanner](https://github.com/hashgraph-online/ai-plugin-scanner)
+
+The compatibility alias continues to receive the same reviewed root bundle, release tags, and floating `v1` major tag so existing consumers do not break during the identity migration.