Skip to content

feat: add CI validation for plugin manifests#2

Closed
glebedel wants to merge 1 commit intomainfrom
feat/validate-marketplace-schema
Closed

feat: add CI validation for plugin manifests#2
glebedel wants to merge 1 commit intomainfrom
feat/validate-marketplace-schema

Conversation

@glebedel
Copy link
Copy Markdown
Contributor

@glebedel glebedel commented Feb 23, 2026
edited by cubic-dev-ai bot
Loading

Summary

  • Adds a zero-dependency Node.js validation script (scripts/validate-marketplace.js)
  • Adds a GitHub Actions workflow (.github/workflows/validate.yml) that runs on every push and PR to main

What it validates

marketplace.json

  • Valid JSON
  • plugins is a non-empty array
  • Each plugin has name and description as non-empty strings
  • Each plugin source is either:
    • A string starting with "./" (relative path to local plugin dir)
    • An object { source: "github", repo: "owner/name", path?: "..." }
  • tags, if present, is an array of strings

plugin.json (optional, validated if present)

  • Valid JSON
  • Has name and description as non-empty strings

Motivation

This would have caught the bug fixed in #1 before it merged — "source": "." is now explicitly rejected with a clear message explaining the valid formats.

Test plan

  • node scripts/validate-marketplace.js passes locally on current manifests
  • Manually verified that the old "source": "." value is caught and reported
  • CI run passes on this PR

🤖 Generated with Claude Code

Summary by cubic

Adds CI validation for plugin manifests to prevent invalid entries from merging. A zero-dependency Node script checks marketplace.json and plugin.json on every push and PR.

  • New Features
    • Validator script for .claude-plugin/marketplace.json and plugin.json.
    • Rules: valid JSON; non-empty plugins; name and description required; source must be "./..." or { source: "github", repo: "owner/name", path? }; tags (if present) are strings.
    • GitHub Actions workflow runs the validator on push (all branches) and on PRs to main.

Written for commit f5b3332. Summary will update on new commits.

@glebedel @claude
feat: add CI workflow to validate plugin manifests on every push
f5b3332 
Adds a zero-dependency Node.js validator and GitHub Actions workflow that
runs on push to any branch and on PRs to main.

The validator checks:
- marketplace.json: valid JSON, non-empty plugins array, required fields
  (name, source, description), and that each source is either a "./"
  relative path or a { source: "github", repo: "owner/name" } object
- plugin.json: valid JSON and required name/description fields

This would have caught the "source: ." bug before it merged.
Actions pinned to full commit SHAs per security best practices.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 23, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="scripts/validate-marketplace.js">

<violation number="1" location="scripts/validate-marketplace.js:113">
P2: Guard `plugins` entries before accessing `plugin.*` to avoid a TypeError when an entry is `null` or a non-object, and emit a clear validation error instead of crashing.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

scripts/validate-marketplace.js

let allValid = true;
for (const [i, plugin] of data.plugins.entries()) {
const label = plugin.name ?? `[${i}]`;
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai bot Feb 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Guard plugins entries before accessing plugin.* to avoid a TypeError when an entry is null or a non-object, and emit a clear validation error instead of crashing.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/validate-marketplace.js, line 113:

<comment>Guard `plugins` entries before accessing `plugin.*` to avoid a TypeError when an entry is `null` or a non-object, and emit a clear validation error instead of crashing.</comment>

<file context>
@@ -0,0 +1,183 @@
+
+  let allValid = true;
+  for (const [i, plugin] of data.plugins.entries()) {
+    const label = plugin.name ?? `[${i}]`;
+
+    if (typeof plugin.name !== "string" || !plugin.name) {
</file context>
Fix with Cubic

@glebedel glebedel mentioned this pull request Feb 23, 2026
Merged
3 tasks
@glebedel glebedel closed this Feb 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@glebedel