From 04813b7442c777edca18ede6f7ce5b76efe174a3 Mon Sep 17 00:00:00 2001
From: "internet-dot[bot]"
Date: Fri, 3 Apr 2026 15:24:50 +0000
Subject: [PATCH 1/7] ci: add codex-plugin-scanner quality gate
---
.github/workflows/codex-plugin-scanner.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 .github/workflows/codex-plugin-scanner.yml
diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml
new file mode 100644
index 00000000..0382b3ff
--- /dev/null
+++ b/.github/workflows/codex-plugin-scanner.yml
@@ -0,0 +1,17 @@
+name: Codex Plugin Quality Gate
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Codex plugin scanner
+ uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
+ with:
+ plugin_dir: "."
From 356dc7efda1df9f6afbdb47964f1faf3c8191591 Mon Sep 17 00:00:00 2001
From: "internet-dot[bot]"
Date: Fri, 3 Apr 2026 17:58:12 +0000
Subject: [PATCH 2/7] ci: pin actions to SHAs, add permissions, timeout, concurrency
---
.github/workflows/codex-plugin-scanner.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml
index 0382b3ff..0618c08c 100644
--- a/.github/workflows/codex-plugin-scanner.yml
+++ b/.github/workflows/codex-plugin-scanner.yml
@@ -6,12 +6,19 @@ on: pull_request: branches: [main] +concurrency: + group: codex-plugin-scanner-${{ github.ref }} + cancel-in-progress: true + jobs: scan: runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Codex plugin scanner - uses: hashgraph-online/hol-codex-plugin-scanner-action@v1 + uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1 with: plugin_dir: "." From d7d292fa6c8411d18d9a04c5702b22870cbfb535 Mon Sep 17 00:00:00 2001 From: ndycode <405533+ndycode@users.noreply.github.com> Date: Sat, 4 Apr 2026 11:19:22 +0800 Subject: [PATCH 3/7] ci:enforce-plugin-scanner-minimum-score --- .github/workflows/codex-plugin-scanner.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml index 0618c08c..02f2bb88 100644 --- a/.github/workflows/codex-plugin-scanner.yml +++ b/.github/workflows/codex-plugin-scanner.yml @@ -22,3 +22,4 @@ jobs: uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1 with: plugin_dir: "." + min_score: "70" From 9eb8e41e5c0763235ebfb0311bbf60ec96a42477 Mon Sep 17 00:00:00 2001 From: ndycode <405533+ndycode@users.noreply.github.com> Date: Sat, 4 Apr 2026 11:25:41 +0800 Subject: [PATCH 4/7] ci:clarify-scanner-root-and-namespace-concurrency --- .github/workflows/codex-plugin-scanner.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml index 02f2bb88..3de05fba 100644 --- a/.github/workflows/codex-plugin-scanner.yml +++ b/.github/workflows/codex-plugin-scanner.yml 
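Review bot: The `actions/checkout` step pinned in PATCH 2/7 still uses its default of persisting the job token in the workspace's git config, and the very next step hands that workspace to a third-party action. `permissions: contents: read` limits what the token can do, but the scanner has no visible need for it at all; add `with: { persist-credentials: false }` to the checkout step. The `# v4` and `# v1` trailing comments are the only link between the pinned SHAs and a release, so each SHA should be confirmed against the upstream tag before merge.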
@@ -7,7 +7,7 @@ on: branches: [main] concurrency: - group: codex-plugin-scanner-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: @@ -21,5 +21,6 @@ jobs: - name: Codex plugin scanner uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1 with: + # The pinned action resolves .codex-plugin/plugin.json from the repo root. plugin_dir: "." min_score: "70" From 88d73c8af238cf22bbb68cd2586afece49a70d6f Mon Sep 17 00:00:00 2001 From: ndycode <405533+ndycode@users.noreply.github.com> Date: Sat, 4 Apr 2026 11:39:35 +0800 Subject: [PATCH 5/7] ci:add-manual-plugin-scanner-trigger --- .github/workflows/codex-plugin-scanner.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml index 3de05fba..f43a3ef4 100644 --- a/.github/workflows/codex-plugin-scanner.yml +++ b/.github/workflows/codex-plugin-scanner.yml @@ -5,6 +5,7 @@ on: branches: [main] pull_request: branches: [main] + workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} From 2324daf163b69e45c87d71777300a7b5e931918a Mon Sep 17 00:00:00 2001 
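Review bot: In the concurrency hunk of PATCH 4/7, `cancel-in-progress: true` together with a group keyed on `github.ref` means a second push to `main` cancels the scan still running for the previous commit, so some commits on the gated branch can end up with no completed result. Cancelling superseded runs is only desirable for pull requests; consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The `on:` block that defines the triggers starts outside this hunk.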
From: ndycode <405533+ndycode@users.noreply.github.com> Date: Sat, 4 Apr 2026 12:14:34 +0800 Subject: [PATCH 6/7] ci: harden plugin scanner coverage --- .codex-plugin/plugin.json | 2 +- .../bad/.codex-plugin/plugin.json | 5 +++ .github/plugin-scanner-fixtures/bad/README.md | 3 ++ .../good/.codex-plugin/plugin.json | 11 ++++++ .../plugin-scanner-fixtures/good/.codexignore | 1 + .github/plugin-scanner-fixtures/good/LICENSE | 3 ++ .../plugin-scanner-fixtures/good/README.md | 3 ++ .../plugin-scanner-fixtures/good/SECURITY.md | 3 ++ .../good/skills/example/SKILL.md | 8 ++++ .github/workflows/codex-plugin-scanner.yml | 38 ++++++++++++++++++- 10 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 .github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json create mode 100644 .github/plugin-scanner-fixtures/bad/README.md create mode 100644 .github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json create mode 100644 .github/plugin-scanner-fixtures/good/.codexignore create mode 100644 .github/plugin-scanner-fixtures/good/LICENSE create mode 100644 .github/plugin-scanner-fixtures/good/README.md create mode 100644 .github/plugin-scanner-fixtures/good/SECURITY.md create mode 100644 .github/plugin-scanner-fixtures/good/skills/example/SKILL.md diff --git a/.codex-plugin/plugin.json b/.codex-plugin/plugin.json index a3f05ff0..a06a473a 100644 --- a/.codex-plugin/plugin.json +++ b/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "codex-multi-auth", - "version": "1.2.1", + "version": "1.2.2", "description": "Install and operate codex-multi-auth for the official @openai/codex CLI with multi-account OAuth rotation, switching, health checks, and recovery tools.", "skills": "./skills/" } diff --git a/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json b/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json new file mode 100644 index 00000000..7069bbcf --- /dev/null +++ b/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json 
@@ -0,0 +1,5 @@
+{
+ "name": "fixture-bad-plugin",
+ "version": "1.0.0",
+ "description": "Fixture plugin used to validate failing scanner behavior.",
+}
diff --git a/.github/plugin-scanner-fixtures/bad/README.md b/.github/plugin-scanner-fixtures/bad/README.md
new file mode 100644
index 00000000..d0c8f765
--- /dev/null
+++ b/.github/plugin-scanner-fixtures/bad/README.md
@@ -0,0 +1,3 @@
+# Fixture Bad Plugin
+
+This fixture is expected to fail the plugin scanner quality gate.
diff --git a/.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json b/.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json
new file mode 100644
index 00000000..23acf6b7
--- /dev/null
+++ b/.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json
@@ -0,0 +1,11 @@
+{
+ "name": "fixture-good-plugin",
+ "version": "1.0.0",
+ "description": "Fixture plugin used to validate the Codex plugin scanner workflow.",
+ "author": "ndycode",
+ "homepage": "https://example.com/fixture-good-plugin",
+ "repository": "https://example.com/fixture-good-plugin.git",
+ "license": "MIT",
+ "keywords": ["fixture", "codex", "plugin"],
+ "skills": "./skills/"
+}
diff --git a/.github/plugin-scanner-fixtures/good/.codexignore b/.github/plugin-scanner-fixtures/good/.codexignore
new file mode 100644
index 00000000..282781a5
--- /dev/null
+++ b/.github/plugin-scanner-fixtures/good/.codexignore
@@ -0,0 +1 @@
+# Fixture file for scanner regression coverage.
diff --git a/.github/plugin-scanner-fixtures/good/LICENSE b/.github/plugin-scanner-fixtures/good/LICENSE
new file mode 100644
index 00000000..e2f53bec
--- /dev/null
+++ b/.github/plugin-scanner-fixtures/good/LICENSE
@@ -0,0 +1,3 @@
+MIT License
+
+Copyright (c) 2026 ndycode
diff --git a/.github/plugin-scanner-fixtures/good/README.md b/.github/plugin-scanner-fixtures/good/README.md
new file mode 100644
index 00000000..4fc091a4
--- /dev/null
+++ b/.github/plugin-scanner-fixtures/good/README.md
@@ -0,0 +1,3 @@ +# Fixture Good Plugin + +This fixture is expected to pass the plugin scanner quality gate. diff --git a/.github/plugin-scanner-fixtures/good/SECURITY.md b/.github/plugin-scanner-fixtures/good/SECURITY.md new file mode 100644 index 00000000..5773cb4a --- /dev/null +++ b/.github/plugin-scanner-fixtures/good/SECURITY.md @@ -0,0 +1,3 @@ +# Security Policy + +Report security issues to fixture@example.com. diff --git a/.github/plugin-scanner-fixtures/good/skills/example/SKILL.md b/.github/plugin-scanner-fixtures/good/skills/example/SKILL.md new file mode 100644 index 00000000..4504a261 --- /dev/null +++ b/.github/plugin-scanner-fixtures/good/skills/example/SKILL.md @@ -0,0 +1,8 @@ +--- +name: example +description: Example fixture skill for scanner regression coverage. +--- + +# Example + +This fixture skill exists to satisfy the plugin scanner regression test. diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml index f43a3ef4..5ac89ed1 100644 --- a/.github/workflows/codex-plugin-scanner.yml +++ b/.github/workflows/codex-plugin-scanner.yml @@ -13,7 +13,11 @@ concurrency: jobs: scan: - runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, windows-latest] + runs-on: ${{ matrix.os }} timeout-minutes: 10 permissions: contents: read 
@@ -25,3 +29,35 @@ jobs: # The pinned action resolves .codex-plugin/plugin.json from the repo root. plugin_dir: "." min_score: "70" + + scan-regression: + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read + strategy: + fail-fast: false + matrix: + include: + - fixture: good + plugin_dir: ".github/plugin-scanner-fixtures/good" + expect_outcome: success + - fixture: bad + plugin_dir: ".github/plugin-scanner-fixtures/bad" + expect_outcome: failure + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Codex plugin scanner regression + id: scan + continue-on-error: true + uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1 + with: + plugin_dir: ${{ matrix.plugin_dir }} + min_score: "70" + - name: Assert fixture outcome + shell: bash + run: | + if [ "${{ steps.scan.outcome }}" != "${{ matrix.expect_outcome }}" ]; then + echo "Expected fixture '${{ matrix.fixture }}' to '${{ matrix.expect_outcome }}', got '${{ steps.scan.outcome }}'." + exit 1 + fi From 09230d1f007b6f5a6dbb54c4ba59329f28129b9c Mon Sep 17 00:00:00 2001 From: ndycode <405533+ndycode@users.noreply.github.com> Date: Sat, 4 Apr 2026 12:29:31 +0800 Subject: [PATCH 7/7] ci: tighten plugin scanner regression coverage --- .../bad/.codex-plugin/plugin.json | 5 ++--- .github/workflows/codex-plugin-scanner.yml | 22 ++++++++++++++----- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json b/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json index 7069bbcf..af50df94 100644 --- a/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json +++ b/.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json 
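Review bot: The `Assert fixture outcome` step at the end of this hunk expands `${{ steps.scan.outcome }}` and two `${{ matrix.* }}` values directly into the bash script text. All three are fixed by the workflow file today, so nothing externally controlled reaches the shell, but this is the pattern that turns into script injection once it is copied with an event-derived value. Passing the values through `env:` and reading them as quoted shell variables keeps the script text constant and makes the step safe to reuse.

```yaml
      - name: Assert fixture outcome
        shell: bash
        env:
          FIXTURE: ${{ matrix.fixture }}
          EXPECTED: ${{ matrix.expect_outcome }}
          ACTUAL: ${{ steps.scan.outcome }}
        run: |
          if [ "$ACTUAL" != "$EXPECTED" ]; then
            echo "Expected fixture '$FIXTURE' to '$EXPECTED', got '$ACTUAL'."
            exit 1
          fi
```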
@@ -1,5 +1,4 @@ { - "name": "fixture-bad-plugin", - "version": "1.0.0", - "description": "Fixture plugin used to validate failing scanner behavior.", + "name": "Fixture Bad Plugin", + "description": "Fixture plugin used to validate failing scanner behavior." } diff --git a/.github/workflows/codex-plugin-scanner.yml b/.github/workflows/codex-plugin-scanner.yml index 5ac89ed1..52b96e25 100644 --- a/.github/workflows/codex-plugin-scanner.yml +++ b/.github/workflows/codex-plugin-scanner.yml @@ -31,20 +31,30 @@ jobs: min_score: "70" scan-regression: - runs-on: ubuntu-latest - timeout-minutes: 10 - permissions: - contents: read strategy: fail-fast: false matrix: include: - - fixture: good + - os: ubuntu-latest + fixture: good plugin_dir: ".github/plugin-scanner-fixtures/good" expect_outcome: success - - fixture: bad + - os: ubuntu-latest + fixture: bad plugin_dir: ".github/plugin-scanner-fixtures/bad" expect_outcome: failure + - os: windows-latest + fixture: good + plugin_dir: ".github/plugin-scanner-fixtures/good" + expect_outcome: success + - os: windows-latest + fixture: bad + plugin_dir: ".github/plugin-scanner-fixtures/bad" + expect_outcome: failure + runs-on: ${{ matrix.os }} + timeout-minutes: 10 + permissions: + contents: read steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Codex plugin scanner regression
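Review bot: The `bad` rows of the `scan-regression` matrix assert only `expect_outcome: failure`, and the scan step (declared with `continue-on-error: true`, outside this hunk) reports `failure` for any non-zero exit, which presumably includes the action failing to download or crashing on the runner. The regression job can therefore pass on a bad fixture without the scanner ever having scored it, and this commit doubles that case by adding the Windows rows. If the pinned action exposes a score or findings output, assert on it as well, taking the output name from the action's `action.yml`. Otherwise record the limitation above the matrix, e.g. `# NOTE: outcome 'failure' also covers action errors, not only a score below min_score.`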