ci: add plugin manifest linting #345

Merged

ndycode merged 7 commits into ndycode:main from internet-dot:ci/codex-plugin-scanner on Apr 4, 2026
Conversation


@internet-dot internet-dot commented Apr 3, 2026

codex-multi-auth is listed in awesome-codex-plugins and already has solid CI around docs and PR hygiene. This PR adds a plugin manifest quality gate so .codex-plugin/plugin.json drift gets caught before merge.

What changed:

  • add .github/workflows/codex-plugin-scanner.yml using the pinned hashgraph-online/hol-codex-plugin-scanner-action
  • gate the manifest with min_score: 70
  • run the main scan on both ubuntu-latest and windows-latest
  • add workflow_dispatch for manual reruns
  • add fixture-based regression coverage for known-good and known-bad plugin layouts
  • sync .codex-plugin/plugin.json version to 1.2.2 so the new gate starts green

Local validation:

  • codex-plugin-scanner scan --min-score 70 <repo> => pass (72)
  • codex-plugin-scanner scan --min-score 70 .github/plugin-scanner-fixtures/good => pass (94)
  • codex-plugin-scanner scan --min-score 70 .github/plugin-scanner-fixtures/bad => fail (50)

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

adds a codex plugin quality gate to ci, scanning .codex-plugin/plugin.json against a min_score: 70 threshold on both ubuntu and windows. all three issues from the previous review round are resolved: both github actions are now sha-pinned, the manifest version is synced to 1.2.2, and the plugin_dir comment clarifies the action's root-relative resolution behaviour. regression fixtures exercise the scanner against a known-good layout (expected score ~94) and a minimal bad layout (expected score ~50), with the outcome assertion correctly using continue-on-error plus a bash gate.

  • both actions/checkout and hol-codex-plugin-scanner-action are pinned to full commit shas — supply-chain drift is eliminated
  • manifest version 1.2.2 matches the rest of the codebase — gate starts green on day one
  • fail-fast: false on both matrix strategies ensures all os/fixture combinations are always reported
  • the Assert fixture outcome step injects ${{ steps.scan.outcome }} and ${{ matrix.expect_outcome }} inline into bash — values are workflow-controlled today so no real risk, but the pattern is worth cleaning up with an env: block before it gets extended to user-supplied inputs
  • windows fixture paths use forward slashes (.github/plugin-scanner-fixtures/good) which is generally safe in github actions but worth monitoring if the scanner action performs raw win32 filesystem ops without path normalization

Confidence Score: 5/5

pr is safe to merge — all three prior p1 findings are resolved, one p2 style note remains

the unpinned action, version drift, and plugin_dir ambiguity were the three blocking concerns in the previous round; all three are addressed. the only remaining item is a p2 shell expression idiom that carries no actual injection risk with the current workflow-controlled values. no application code or tests were modified.

no files require blocking attention — .github/workflows/codex-plugin-scanner.yml line 70 has a minor idiom worth cleaning up but does not block merge

Important Files Changed

Filename Overview
.github/workflows/codex-plugin-scanner.yml adds sha-pinned plugin quality gate on ubuntu+windows with regression fixtures and outcome assertion; one minor shell expression idiom on line 70
.codex-plugin/plugin.json version bumped from 1.2.1 to 1.2.2, resolving the manifest/package.json drift found in the prior review
.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json well-formed fixture with all required scanner fields (version, author, license, homepage, repository, keywords, skills); expected to score ~94
.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json intentionally minimal fixture missing version/author/license/skills; expected to score ~50 and trigger the failure assertion

Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Push/PR
    participant scan as scan (ubuntu+windows)
    participant reg as scan-regression (ubuntu+windows)
    participant action as hol-codex-plugin-scanner-action
    participant assert as Assert fixture outcome

    GH->>scan: trigger
    GH->>reg: trigger (parallel)

    scan->>action: plugin_dir=".", min_score=70
    action-->>scan: score ≥70 → pass

    reg->>action: fixture/good, min_score=70
    action-->>reg: score ~94 (continue-on-error)
    reg->>assert: outcome=success vs expect=success ✓

    reg->>action: fixture/bad, min_score=70
    action-->>reg: score ~50 (continue-on-error)
    reg->>assert: outcome=failure vs expect=failure ✓
```
Inline review comment
Path: .github/workflows/codex-plugin-scanner.yml
Line: 70-72

Comment:
**shell expression inline expansion — prefer `env:` block**

`${{ steps.scan.outcome }}` and `${{ matrix.expect_outcome }}` are expanded by the github actions templating engine before bash sees the string. the values here are entirely workflow-controlled (`success`/`failure`, `good`/`bad`) so there is no real injection risk today. however, this is the same pattern that becomes a shell injection vulnerability the moment a user-supplied value (e.g. a branch name or pr title) is substituted in — and reviewers won't catch the drift if the habit is already established in this script. safer idiom:

```yaml
      - name: Assert fixture outcome
        shell: bash
        env:
          SCAN_OUTCOME: ${{ steps.scan.outcome }}
          EXPECT_OUTCOME: ${{ matrix.expect_outcome }}
          FIXTURE: ${{ matrix.fixture }}
        run: |
          if [ "$SCAN_OUTCOME" != "$EXPECT_OUTCOME" ]; then
            echo "Expected fixture '$FIXTURE' to '$EXPECT_OUTCOME', got '$SCAN_OUTCOME'."
            exit 1
          fi
```

no windows token-safety concern here since `shell: bash` forces git bash on the windows runner, but the env-var pattern is still the right call.


Reviews (9): Last reviewed commit: "ci: tighten plugin scanner regression co..."

@internet-dot internet-dot requested a review from ndycode as a code owner April 3, 2026 15:24
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.


coderabbitai bot commented Apr 3, 2026

Note: Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

a new github actions workflow .github/workflows/codex-plugin-scanner.yml was added. it triggers on push, pull_request, and workflow_dispatch for main, runs scanner action against the repo root with plugin_dir: "." and min_score: "70", and includes a regression job using fixture directories.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| workflow | `.github/workflows/codex-plugin-scanner.yml` | added "codex plugin quality gate" workflow with concurrency `${{ github.workflow }}-${{ github.ref }}` (cancel-in-progress), two jobs: scan (matrix linux/windows, timeout 10m, contents: read) invoking hashgraph-online/hol-codex-plugin-scanner-action pinned to v1 with plugin_dir: ".", min_score: "70"; and scan-regression (fixtures matrix, continues on error, validates expected outcome). |
| plugin manifest bump | `.codex-plugin/plugin.json` | incremented plugin manifest version from 1.2.1 to 1.2.2. |
| fixtures — good | `.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json`, `.github/plugin-scanner-fixtures/good/.codexignore`, `.github/plugin-scanner-fixtures/good/LICENSE`, `.github/plugin-scanner-fixtures/good/README.md`, `.github/plugin-scanner-fixtures/good/SECURITY.md`, `.github/plugin-scanner-fixtures/good/skills/example/SKILL.md` | added a "good" fixture plugin with manifest, license, readme, security policy, example skill, and a .codexignore placeholder to serve as a passing regression case. |
| fixtures — bad | `.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json`, `.github/plugin-scanner-fixtures/bad/README.md` | added a "bad" fixture plugin manifest and readme to exercise a failing scanner case for regression testing. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
participant github as github (events)
participant runner as runner (actions job)
participant checkout as checkout step
participant scanner as hol-codex-plugin-scanner-action@v1
participant validator as regression validation step

github->>runner: trigger workflow (push/pr/dispatch)
runner->>checkout: actions/checkout
runner->>scanner: run scanner with plugin_dir=".", min_score="70"
scanner-->>runner: scan outcome (success/failure, score)
runner->>validator: compare scan outcome vs fixture expected
validator-->>runner: set job success/fail
```

estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

additional notes

  • missing regression tests: no test files added under test/...:1. add tests like test/workflows/codex-plugin-scanner.test:1 to assert CI behavior and failure modes.
  • windows edge cases: workflow uses a matrix but verify windows steps and path handling. audit lib/.github/workflows/codex-plugin-scanner.yml:1 for cross-platform commands and add platform tests under test/platforms/*:1.
  • concurrency risks: workflow sets cancel-in-progress: true; ensure the scanner action is stateless and idempotent and that no shared artifacts/state are written — review lib/.github/workflows/codex-plugin-scanner.yml:1 and relevant action behavior.
🚥 Pre-merge checks: ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | title follows conventional commits format with type (ci), summary in lowercase imperative, and is well under 72 chars. clearly identifies the main change: adding plugin manifest linting via ci workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | PR description covers scope, changes, validation steps, and local test results; aligns with repo template structure despite incomplete formal checklist sections. |


@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codex-plugin-scanner.yml:
- Around line 1-17: Add a regression test job that validates the workflow's
enforcement by running the same scanner action against known-good and known-bad
fixture directories and asserting expected outcomes; create a new job (e.g.,
scan-regression) that reuses the "Codex plugin scanner" step but sets plugin_dir
to a "fixtures/good" and "fixtures/bad" path in separate steps or matrix, and
for the bad fixture assert the step fails (or check exit code/output) while for
the good fixture assert success, so future edits to the "scan" job cannot
silently weaken checks.
- Around line 3-7: Add a top-level concurrency stanza to the GitHub Actions
workflow to prevent duplicate runs for the same ref/PR (use a key like
github.workflow + github.ref and cancel-in-progress: true), and update the job
configuration that currently targets only ubuntu (look for runs-on or matrix.os
in the job definition) to include a windows runner (e.g., add "windows-latest"
to the matrix or an explicit job run) so Windows path/sep edge cases are
covered; ensure the concurrency block is placed alongside the on: stanza and the
job matrix/runs-on change is applied to the CI job responsible for the
codex-plugin scan.
- Around line 9-12: Add explicit least-privilege permissions and a job timeout
to the "scan" job: in the job definition for scan, add a minimal permissions
block (e.g., only permissions: contents: read and id-token: write or whatever
minimal scopes your scanner requires) and set timeout-minutes to a sensible
value (e.g., 10-30) to prevent hung runs; update the "scan" job YAML to include
these keys adjacent to runs-on/steps so the workflow uses limited token scope
and a hard timeout.
- Around line 13-15: The workflow currently uses mutable version tags (e.g.,
actions/checkout@v4 and hashgraph-online/hol-codex-plugin-scanner-action@v1);
update each uses: entry to reference the immutable commit SHA for those actions
(replace `@vX` with @<full-commit-sha>), and apply the same change across all
workflows (ci.yml, pr-ci.yml, codeql.yml) to remove mutable tags; also add an
explicit permissions block with least-privilege scopes, add concurrency settings
(concurrency: { group: github.workflow + github.ref, cancel-in-progress: true })
to prevent duplicate runs, and include a windows runner job or matrix entry
(ubuntu + windows) so the scanner runs on windows to catch path/case issues
before merging.


📥 Commits

Reviewing files that changed from the base of the PR and between 95a153e and 04813b7.

📒 Files selected for processing (1)
  • .github/workflows/codex-plugin-scanner.yml

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/codex-plugin-scanner.yml (2)

15-15: 🧹 Nitpick | 🔵 Trivial

windows edge-case coverage is still missing.

this still runs only on ubuntu-latest; path-separator and case-sensitivity behavior on windows is untested. add a windows matrix leg if the scanner or plugin packaging touches filesystem semantics. reference: .github/workflows/codex-plugin-scanner.yml:15.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codex-plugin-scanner.yml at line 15, The workflow
currently only runs on "ubuntu-latest", so add a Windows job to cover
path-separator/case-sensitivity edge cases by turning the job into a matrix or
adding a parallel job that uses "windows-latest"; update the job that currently
sets "runs-on: ubuntu-latest" (the scanner/packaging job) to either use a
matrix.runs-on: [ubuntu-latest, windows-latest] or add an explicit windows leg,
and ensure any OS-specific steps (checkout, build, packaging) run for both
runners so filesystem semantics are exercised.

13-24: 🧹 Nitpick | 🔵 Trivial

workflow contract regression checks are still missing.

there is no fixture-based good/bad manifest regression job to prove this gate fails/passes as intended after future edits. add a small matrix job for known-good and known-bad fixtures. reference: .github/workflows/codex-plugin-scanner.yml:13-24.

i can draft that scan-regression job and fixture layout if you want.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codex-plugin-scanner.yml around lines 13 - 24, Add a new
GitHub Actions job named "scan-regression" alongside the existing "scan" job
that runs a small matrix over fixtures ("good" and "bad") to validate the
scanner gate; reuse the same checkout step and the
hashgraph-online/hol-codex-plugin-scanner-action invocation but set plugin_dir
to point at the fixture subfolders (e.g., plugin_dir: "fixtures/${{ matrix.case
}}"), configure matrix: [case: good,bad] and set expected outcome: allow the
good case to pass and assert the bad case fails (use continue-on-error: true and
a follow-up step to fail the job when matrix.case == 'bad' and the scanner
succeeded, or invert logic to require non-zero exit for bad), and include
timeout/permissions matching the existing "scan" job so future edits are
validated by fixture-based regression tests.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codex-plugin-scanner.yml:
- Line 24: The workflow currently sets plugin_dir: "." which scans the entire
repo and pulls in unrelated files; change the plugin_dir value to
".codex-plugin/" in the codex-plugin-scanner workflow so the scanner targets the
plugin manifest location (.codex-plugin/plugin.json) and avoids repo-wide
noise—update the plugin_dir key in the job definition to ".codex-plugin/" (look
for plugin_dir in the workflow file).



📥 Commits

Reviewing files that changed from the base of the PR and between 04813b7 and 356dc7e.

📒 Files selected for processing (1)
  • .github/workflows/codex-plugin-scanner.yml
📜 Review details
🔇 Additional comments (1)
.github/workflows/codex-plugin-scanner.yml (1)

16-22: good hardening updates landed here.

timeout, least-privilege permissions, and sha-pinned actions are all in place and match the security/reliability objectives. reference: .github/workflows/codex-plugin-scanner.yml:16-22.

@internet-dot internet-dot reopened this Apr 3, 2026
@internet-dot internet-dot changed the title from "ci: add codex-plugin-scanner quality gate" to "ci: add plugin manifest linting" Apr 3, 2026
@internet-dot internet-dot reopened this Apr 3, 2026
@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (2)
.github/workflows/codex-plugin-scanner.yml (2)

9-11: 🧹 Nitpick | 🔵 Trivial

concurrency group should include workflow name to prevent cross-workflow interference.

the current group codex-plugin-scanner-${{ github.ref }} works but isn't defensive. if you later add another workflow with a similar group prefix, they could cancel each other. standard pattern is ${{ github.workflow }}-${{ github.ref }} to namespace by workflow.

🔧 defensive concurrency pattern
 concurrency:
-  group: codex-plugin-scanner-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
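Review bot: with cancel-in-progress: true unconditional, the suggested group also cancels an in-progress run on main itself whenever a newer push to main lands, since this workflow triggers on push to main as well as pull_request. If an interrupted gate run on the default branch is not wanted, keep the namespaced group but make cancellation conditional, e.g. `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}`. Namespacing by ${{ github.workflow }} is still the right fix for cross-workflow collisions; note that renaming the workflow later silently starts a new group.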
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codex-plugin-scanner.yml around lines 9 - 11, The
concurrency group is currently hardcoded as "codex-plugin-scanner-${{ github.ref
}}" which can collide with other workflows; update the concurrency group to
include the workflow name (use the built-in github.workflow value) so it becomes
"${{ github.workflow }}-${{ github.ref }}" to namespace by workflow and avoid
cross-workflow cancellation (modify the concurrency.group value in the
concurrency block).

21-25: ⚠️ Potential issue | 🟠 Major

plugin_dir: "." misses the actual manifest location.

the plugin manifest lives at .codex-plugin/plugin.json:1, but the scanner is configured to scan from repo root. this means the quality gate won't find the plugin at all—it will either skip validation or scan unrelated config files. the previous review marked this fixed in d7d292f but the current code still has the wrong path.

fix: point scanner to the manifest directory
         with:
-          plugin_dir: "."
+          plugin_dir: ".codex-plugin"
           min_score: "70"
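Review bot: this suggestion points the action at the wrong level of the tree. plugin_dir is the plugin root and the action looks for .codex-plugin/plugin.json beneath it (the owner's local run and the later review comment in this thread both confirm this), so `plugin_dir: ".codex-plugin"` would make it search .codex-plugin/.codex-plugin/plugin.json and fail with PLUGIN_JSON_MISSING. Keep `plugin_dir: "."` and add a comment on that line explaining the root-relative resolution so the next reviewer does not re-raise it.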

the manifest structure is valid (codex-multi-auth:1.2.1), so once the path is corrected, the scanner will work as intended.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codex-plugin-scanner.yml around lines 21 - 25, The
workflow step named "Codex plugin scanner" is pointing plugin_dir to the repo
root; update the action input plugin_dir to the actual manifest directory
".codex-plugin" so the scanner reads .codex-plugin/plugin.json; locate the step
using the action identifier hashgraph-online/hol-codex-plugin-scanner-action and
change plugin_dir from "." to ".codex-plugin" (leave min_score as-is) so the
quality gate runs against the correct manifest.


📥 Commits

Reviewing files that changed from the base of the PR and between 356dc7e and d7d292f.

📒 Files selected for processing (1)
  • .github/workflows/codex-plugin-scanner.yml
📜 Review details
🔇 Additional comments (4)
.github/workflows/codex-plugin-scanner.yml (4)

1-2: lgtm—clear workflow name.

the name accurately describes what this workflow does (quality gate for codex plugin manifest).


3-7: trigger configuration is correct.

push + pull_request to main is the right pattern for a quality gate check.


13-19: job config is solid—timeout and permissions are correct.

the 10-minute timeout and contents: read permission follow best practices. past reviews suggested adding windows-latest to catch path/case edge cases, but for a json manifest scanner this is probably overkill—plugin.json parsing isn't platform-sensitive like compiled code or filesystem operations.


20-20: checkout action properly pinned to commit sha.

using immutable sha 34e114876b0b11c390a56381ad16ebd13914f8d5 instead of mutable tag prevents supply-chain takeover risk.

ndycode commented Apr 4, 2026

Verified the pinned scanner action locally before changing plugin_dir.

  • plugin_dir: "." is intentional for hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0
  • codex-plugin-scanner verify <repo-root> passes and validates .codex-plugin/plugin.json
  • codex-plugin-scanner lint <repo-root> scores 72
  • codex-plugin-scanner lint .codex-plugin reports PLUGIN_JSON_MISSING, so switching to .codex-plugin would break this action version

This PR keeps the correct repo-root scan target and adds min_score: "70" so missing-field / invalid-manifest regressions fail the gate.
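The plugin_dir resolution settled above (plugin_dir is the plugin root; the manifest is looked up beneath it at .codex-plugin/plugin.json) and the good/bad fixture gate, as a local lint added here for illustration. It is not the hashgraph-online scanner action, its CLI or its scoring: the required-field list comes from this PR's good fixture, while the finding codes other than PLUGIN_JSON_MISSING, the skill layout (each skills entry is a directory holding SKILL.md) and the 10-points-per-finding score are assumptions.

```python
"""Local lint for a Codex plugin manifest, added for this page: plugin_dir is the
plugin root and the manifest is looked up beneath it at .codex-plugin/plugin.json,
as the PR thread settles. Not the hol-codex-plugin-scanner-action, its CLI or its
scoring; finding codes other than PLUGIN_JSON_MISSING and the weighting are assumed."""
import json
import os
import tempfile

MANIFEST_REL_PATH = os.path.join(".codex-plugin", "plugin.json")
# Fields the PR's good fixture carries, per the review summary.
REQUIRED_FIELDS = ("version", "author", "license", "homepage",
                   "repository", "keywords", "skills")
POINTS_PER_FINDING = 10  # assumed weighting; the real scanner's is not on the page


def lint_plugin(plugin_dir):
    """Return (findings, score) for the plugin rooted at plugin_dir.

    A missing or unparseable manifest scores 0, so a min_score: 70 gate fails
    closed instead of waving through an empty or broken manifest.
    """
    root = os.path.realpath(plugin_dir)
    manifest_path = os.path.join(root, MANIFEST_REL_PATH)
    if not os.path.isfile(manifest_path):
        return ["PLUGIN_JSON_MISSING"], 0
    try:
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except json.JSONDecodeError as exc:
        # e.g. the trailing comma Biome flagged in the bad fixture
        return [f"PLUGIN_JSON_INVALID: line {exc.lineno}: {exc.msg}"], 0
    if not isinstance(manifest, dict):
        return ["PLUGIN_JSON_INVALID: top level is not an object"], 0

    findings = [f"MISSING_FIELD: {key}" for key in REQUIRED_FIELDS
                if manifest.get(key) in (None, "", [], {})]

    # Skill paths resolve relative to the plugin root (assumed layout: each entry
    # is a directory holding SKILL.md). An entry that escapes the root is fatal:
    # a CI gate must not follow manifest-supplied paths outside the checkout.
    skills = manifest.get("skills")
    if isinstance(skills, list):
        for entry in skills:
            if not isinstance(entry, str):
                findings.append("SKILL_PATH_INVALID: entry is not a string")
                continue
            target = os.path.realpath(os.path.join(root, entry))
            if os.path.commonpath([root, target]) != root:
                return [f"SKILL_PATH_ESCAPES_ROOT: {entry}"], 0
            if not os.path.isfile(os.path.join(target, "SKILL.md")):
                findings.append(f"SKILL_MISSING: {entry}")

    return findings, max(0, 100 - POINTS_PER_FINDING * len(findings))


def write_fixture(root, manifest_text, skill_dirs=()):
    """Write a constructed plugin fixture under root and return root."""
    os.makedirs(os.path.join(root, ".codex-plugin"), exist_ok=True)
    with open(os.path.join(root, MANIFEST_REL_PATH), "w", encoding="utf-8") as fh:
        fh.write(manifest_text)
    for rel in skill_dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("---\nname: example\n---\n# Example skill\n")
    return root


# Constructed fixtures, modelled on the PR's good and bad layouts.
GOOD = {"name": "good-fixture", "version": "1.0.0", "author": "Fixture Author",
        "license": "MIT", "homepage": "https://example.invalid/good",
        "repository": "https://example.invalid/good.git",
        "keywords": ["codex", "fixture"], "skills": ["skills/example"]}
BAD_MINIMAL = '{\n  "name": "bad-fixture",\n  "description": "minimal"\n}\n'
BAD_TRAILING_COMMA = '{\n  "name": "bad-fixture",\n  "description": "minimal",\n}\n'
TRAVERSAL = dict(GOOD, skills=["../outside"])


def run_cases(min_score=70):
    """Lint every constructed case; returns {case: (passes, findings, score)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = write_fixture(os.path.join(tmp, "good"), json.dumps(GOOD), ["skills/example"])
        cases = {
            "good": good,
            "bad": write_fixture(os.path.join(tmp, "bad"), BAD_MINIMAL),
            "invalid": write_fixture(os.path.join(tmp, "invalid"), BAD_TRAILING_COMMA),
            "traversal": write_fixture(os.path.join(tmp, "traversal"), json.dumps(TRAVERSAL)),
            # the thread's plugin_dir mistake: pointing at .codex-plugin itself
            "good-wrong-dir": os.path.join(good, ".codex-plugin"),
        }
        for name, path in cases.items():
            findings, score = lint_plugin(path)
            results[name] = (score >= min_score, findings, score)
    return results


if __name__ == "__main__":
    for case, (ok, findings, score) in run_cases().items():
        print(f"{case:15} {'pass' if ok else 'fail'} ({score}) {findings}")
```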

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/codex-plugin-scanner.yml (1)

15-15: 🧹 Nitpick | 🔵 Trivial

windows path edge cases are still untested.

scanner runs only on ubuntu. if this repo/tooling ever introduces path-separator or case-sensitivity assumptions, this workflow will not catch them.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codex-plugin-scanner.yml at line 15, The workflow
currently hard-codes runs-on: ubuntu-latest so Windows path and case-sensitivity
edge cases won't be exercised; change the job to use a matrix
(strategy.matrix.os) and set runs-on: ${{ matrix.os }} with at least
ubuntu-latest and windows-latest entries (and optionally macos-latest) so the
scanner runs on Windows too, and update any OS-specific step commands (e.g.,
shell settings or path separators) referenced in the job to be matrix-safe (use
Node/PowerShell cross-platform actions or conditional steps if needed).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codex-plugin-scanner.yml:
- Around line 3-7: The workflow lacks a manual trigger so you cannot run
regression scans without committing; add a manual trigger by including
workflow_dispatch under the top-level on: (alongside push and pull_request) in
the .github/workflows/codex-plugin-scanner.yml file so maintainers can run the
scanner workflow manually for plugin manifest/regression checks.



📥 Commits

Reviewing files that changed from the base of the PR and between d7d292f and 9eb8e41.

📒 Files selected for processing (1)
  • .github/workflows/codex-plugin-scanner.yml
📜 Review details
🔇 Additional comments (1)
.github/workflows/codex-plugin-scanner.yml (1)

24-25: plugin_dir: "." is correct per action defaults and examples.

the pinned action's action.yml declares plugin_dir default as "." and describes it as "path to the plugin directory to scan (default: repository root)". the readme consistently shows plugin_dir: "." and plugin_dir: "./my-plugin" in examples, confirming repo-root scanning is the intended pattern. the inline workflow comment is accurate—the action knows to find .codex-plugin/plugin.json within the provided plugin_dir.

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json:
- Around line 4-5: Remove the trailing comma after the "description" property in
the JSON manifest so the file parses as valid JSON; specifically edit the
plugin.json entry containing the "description" key to ensure the last property
before the closing brace has no comma (the trailing comma causes the parse error
at the closing brace).

In @.github/workflows/codex-plugin-scanner.yml:
- Around line 33-47: The regression workflow job scan-regression only runs on
ubuntu-latest which leaves Windows untested; update the scan-regression matrix
to include os: [ubuntu-latest, windows-latest] (or add a separate matrix axis
with key os) so the regression runs on both platforms, and ensure the job's
shell setting is compatible on Windows by setting shell: bash (or conditionally
using shell: bash on windows-latest) so path-casing and separator issues on
Windows will be exercised; modify the matrix and shell configuration for the
scan-regression job accordingly.


📥 Commits

Reviewing files that changed from the base of the PR and between 9eb8e41 and 2324daf.

📒 Files selected for processing (10)
  • .codex-plugin/plugin.json
  • .github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json
  • .github/plugin-scanner-fixtures/bad/README.md
  • .github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json
  • .github/plugin-scanner-fixtures/good/.codexignore
  • .github/plugin-scanner-fixtures/good/LICENSE
  • .github/plugin-scanner-fixtures/good/README.md
  • .github/plugin-scanner-fixtures/good/SECURITY.md
  • .github/plugin-scanner-fixtures/good/skills/example/SKILL.md
  • .github/workflows/codex-plugin-scanner.yml
📜 Review details
🧰 Additional context used
🪛 Biome (2.4.10)
.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json

[error] 5-5: Expected a property but instead found '}'.

(parse)

🔇 Additional comments (11)
.github/plugin-scanner-fixtures/good/LICENSE (1)

1-3: looks good for fixture coverage.

license stub is sufficient for this regression fixture. no windows edge case or concurrency risk in this static file.

.github/plugin-scanner-fixtures/good/SECURITY.md (1)

1-3: fixture security policy is fine.

this is enough for scanner regression intent. no windows edge case or concurrency risk in this static file.

.github/plugin-scanner-fixtures/bad/README.md (1)

1-3: negative-fixture readme is clear.

intent is explicit and supports regression readability.

.codex-plugin/plugin.json (1)

3-3: good version alignment update.

line 3 syncs the manifest version with the release line and should prevent avoidable scanner-gate failures.

.github/plugin-scanner-fixtures/good/skills/example/SKILL.md (1)

1-8: skill fixture content is well-formed.

front matter and markdown body are consistent with regression-fixture goals.

.github/plugin-scanner-fixtures/good/.codexignore (1)

1-1: this fixture ignore file is acceptable.

no functional, windows, or concurrency concerns here.

.github/plugin-scanner-fixtures/good/README.md (1)

1-3: good-fixture documentation is clear.

this supports regression intent and expected scanner outcome.

.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json (1)

1-11: lgtm, fixture manifest is well-formed.

valid plugin metadata with all expected fields. the skills path at .github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json:10 correctly references the fixture's skills directory per the summary.

.github/workflows/codex-plugin-scanner.yml (3)

14-31: scan job looks solid after prior feedback.

.github/workflows/codex-plugin-scanner.yml:15-31 has all the hardening from prior reviews: sha-pinned actions, scoped permissions: contents: read, timeout-minutes: 10, cross-platform matrix. the inline comment at line 29 clarifies the plugin_dir: "." choice per the pinned action's behavior.


57-63: assertion step is correct.

.github/workflows/codex-plugin-scanner.yml:59-63 compares scanner outcome to expected result. the interpolated values come from trusted workflow context and matrix definition, so no injection concern here.


1-12: triggers and concurrency configured correctly.

.github/workflows/codex-plugin-scanner.yml:3-8 covers push, pr, and manual dispatch. .github/workflows/codex-plugin-scanner.yml:10-12 dedupes concurrent runs per branch with cancel-in-progress: true.

@ndycode ndycode merged commit cbce5f5 into ndycode:main Apr 4, 2026
2 checks passed