
fix: claim-notice permissions, README fallback, stale mirror files#267

Merged
kantorcodes merged 1 commit into main from fix/claim-notice-permissions-and-stale-mirror on Jul 4, 2026

Conversation

@kantorcodes

Member

Summary

Three bugs identified from merged PRs that didn't get claim-notice comments and stale trust metadata:

Bug 1: claim-notice.yml — pull_request -> pull_request_target

PR #261 was merged but the claim-notice workflow failed with HTTP 403: Resource not accessible by integration. Fork PRs get a read-only GITHUB_TOKEN on pull_request events, even with permissions: pull-requests: write. Switching to pull_request_target runs with the base branch's token, granting write access. Safe because the workflow only runs scripts/post-claim-notice.py from the base branch (no PR code execution).

Bug 2: post-claim-notice.py — README fallback when plugin not in registry

PR #43 in awesome-ai-plugins was merged, the workflow ran with completed/success, but it printed Skipping: none of the PR repos are in the registry. Root cause: when a PR is merged, the claim-notice workflow fires immediately but the registry sync pipeline hasn't completed yet. Fix: fall back to checking the local README.md for the plugin repo URL.

Bug 3: generate_plugins_json.py — stale trust metadata files

PR #266 reported VidSeeds.ai stuck at security 66 because the mirrored bundle was stale. Root cause: OPTIONAL_PLUGIN_FILES was missing SKILL.md, .github/dependabot.yml, codex.mcp.json, and .mcp.json. These trust-relevant files exist upstream but were never mirrored, causing the scanner to see stale trust scores.

Test plan

  • Smoke test: build_comment_body('testuser') produces @testuser tag
  • Smoke test: normalize_repo_url handles .git suffix, trailing slashes, extra paths
  • Smoke test: OPTIONAL_PLUGIN_FILES has 17 entries including new files
  • Smoke test: existing files still present (SECURITY.md, README.md, .codexignore)
  • Merge and verify next merged PR gets claim-notice comment

Three bugs fixed:

1. claim-notice.yml: pull_request -> pull_request_target
   Fork PRs get read-only GITHUB_TOKEN on pull_request events.
   pull_request_target runs with base branch token, granting
   pull-requests: write permission. The workflow only runs
   scripts/post-claim-notice.py from the base branch (no PR code
   execution), so this is safe.

2. post-claim-notice.py: README fallback when plugin not in registry
   When a PR is merged, the claim-notice workflow fires immediately
   but the registry sync hasn't completed yet. Now falls back to
   checking the local README.md for plugin repo URLs.

3. generate_plugins_json.py: add SKILL.md, .github/dependabot.yml,
   codex.mcp.json, .mcp.json to OPTIONAL_PLUGIN_FILES
   These trust-relevant files were not mirrored from upstream repos,
   causing stale trust scores (e.g. VidSeeds.ai stuck at security 66
   despite upstream having SECURITY.md, SKILL.md, Dependabot config).
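
The safety argument for pull_request_target in the description rests on one condition: nothing from the fork is checked out or executed while the job holds the base repository's write-capable token. Below is an added example, not the project's workflow or scripts, of a small checker for that condition; it runs over two constructed workflow dicts in the shape yaml.safe_load returns, and the workflow contents, job names and reason strings are assumptions made for illustration.

```python
"""Lint a GitHub Actions workflow for the pull_request_target hazard.

pull_request_target runs with the base repository's token (that is why the
fix in this PR gets pull-requests: write on fork PRs), so the job must never
check out or run the fork's code. This checker looks for actions/checkout
steps pinned to the PR head and run: scripts that reference it.

Added example, not the project's workflow or scripts; the workflow dicts
below are constructed as yaml.safe_load would produce them from YAML.
"""

import re

# ${{ github.event.pull_request.head.* }} and refs/pull/N/{head,merge}
# both point at the fork's commit rather than the base branch.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\b|refs/pull/\d+/(?:head|merge)")

HEAD_CHECKOUT = "checks out PR head with a write-capable token"
HEAD_RUN = "run script references the PR head"


def _triggers(workflow):
    """Trigger names from `on:`, whether it is a string, list or mapping.

    PyYAML (YAML 1.1) resolves the bare key `on` to boolean True, so both
    spellings of the key are accepted."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return list(on)
    return list(on.keys())


def _step_checks_out_head(step):
    """True if an actions/checkout step fetches the PR head (ref or repository)."""
    if not str(step.get("uses", "")).startswith("actions/checkout"):
        return False
    inputs = step.get("with") or {}
    return any(HEAD_REF.search(str(v)) for v in inputs.values())


def find_pull_request_target_hazards(workflow):
    """Return [(job, step_index, reason)] for a pull_request_target workflow.

    Workflows that do not use pull_request_target get an empty list: on plain
    pull_request a fork only has a read-only token, so head checkout is fine."""
    if "pull_request_target" not in _triggers(workflow):
        return []
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for index, step in enumerate(job.get("steps", [])):
            if _step_checks_out_head(step):
                findings.append((job_name, index, HEAD_CHECKOUT))
            if HEAD_REF.search(str(step.get("run", ""))):
                findings.append((job_name, index, HEAD_RUN))
    return findings


# Constructed sample workflows (not the repository's claim-notice.yml).
SAFE_WORKFLOW = {
    "name": "claim-notice",
    "on": {"pull_request_target": {"types": ["closed"]}},
    "permissions": {"pull-requests": "write"},
    "jobs": {"claim-notice": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},             # default ref = base branch
        {"run": "python scripts/post-claim-notice.py"},
    ]}},
}

UNSAFE_WORKFLOW = {
    "name": "claim-notice",
    "on": {"pull_request_target": {"types": ["closed"]}},
    "permissions": {"pull-requests": "write"},
    "jobs": {"claim-notice": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "python scripts/post-claim-notice.py"},  # now the fork's script
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("safe", SAFE_WORKFLOW), ("unsafe", UNSAFE_WORKFLOW)):
        print(name, find_pull_request_target_hazards(wf))
```

The check only covers the two ways a workflow commonly pulls in fork code (a head checkout and a `run:` step that fetches a PR ref); it is a guardrail for the condition the description relies on, not proof that a workflow is safe.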
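
The README fallback (Bug 2) and the URL normalization the test plan lists can be shown together. The following is an added example, not the project's scripts/post-claim-notice.py: the function names, the sample README text, the registry entries and the PR repo URLs are all constructed for illustration.

```python
"""Pick the PR repos to tag with a claim notice, falling back to README.md.

The registry sync may not have run when the claim-notice workflow fires on
merge, so a repo that is in the just-merged README but not yet in the
registry must still get its notice. URLs are normalized first so that .git
suffixes, trailing slashes, extra path segments and case differences do not
cause false "not in registry" skips.

Added example, not the project's scripts/post-claim-notice.py; the function
names and the sample README, registry and PR URLs are constructed.
"""

import re
from urllib.parse import urlsplit

# Matches owner/repo of a GitHub link; extra path (/tree/main/...) is left out
# and a sentence-ending "." is not swallowed into the repo name.
GITHUB_REPO_LINK = re.compile(r"https?://(?:www\.)?github\.com/[\w.-]+/[\w.-]*[\w-]")


def normalize_repo_url(url):
    """Canonical 'owner/repo' key (lower-case) for a GitHub URL, else None."""
    parts = urlsplit(url.strip())
    if parts.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        return None
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{owner}/{repo}".lower()


def repos_from_readme(readme_text):
    """Set of normalized repo keys for every GitHub repo link in the README."""
    keys = (normalize_repo_url(m.group(0)) for m in GITHUB_REPO_LINK.finditer(readme_text))
    return {k for k in keys if k}


def select_repos_for_notice(pr_repo_urls, registry_urls, readme_text):
    """PR repos known to the registry, else (fallback) those linked from README.

    Returns a sorted list of 'owner/repo' keys; an empty list means the caller
    should skip, as the workflow did before the fallback existed."""
    pr_keys = {k for k in map(normalize_repo_url, pr_repo_urls) if k}
    known = pr_keys & {k for k in map(normalize_repo_url, registry_urls) if k}
    if not known:
        known = pr_keys & repos_from_readme(readme_text)
    return sorted(known)


# Constructed sample data.
README_TEXT = """# Plugin list (constructed sample)
- [Plugin A](https://github.com/example-org/plugin-a/) - first plugin
- [Plugin B](https://github.com/example-org/plugin-b.git) - second plugin.
"""
REGISTRY_URLS = ["https://github.com/example-org/plugin-c"]  # sync not yet run
PR_REPO_URLS = [
    "https://github.com/Example-Org/Plugin-A.git",
    "https://github.com/example-org/plugin-b/tree/main/docs",
]

if __name__ == "__main__":
    print(select_repos_for_notice(PR_REPO_URLS, REGISTRY_URLS, README_TEXT))
```

Only the path's first two segments feed the key, so a link into a subdirectory of the plugin repo and a link to the repo root compare equal; the fallback is consulted only when the registry knows none of the PR's repos, matching the behaviour the description gives.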
@gemini-code-assist

Contributor

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@kantorcodes kantorcodes merged commit 146df7f into main Jul 4, 2026
8 checks passed
1 participant