DOJ-3829: Migrate 6 generic skills from dojo-academy (PR-B of DOJ-370… #10
| # IDT plugin lint — pre-flight checks before Greptile review. | |
| # | |
| # Three checks, each as a distinct step so failures are localized: | |
| # 1. JSON schema files parse as valid JSON. | |
| # 2. YAML frontmatter on commands / skills / agents parses and declares the | |
| # minimum required field (`description`). | |
| # 3. Agent references inside skills/commands using `${CLAUDE_PLUGIN_ROOT}/ | |
| # agents/<name>.md` resolve to a file that actually ships in this repo. | |
| # | |
| # Designed to catch the bug class Greptile flagged across the DOJ-3708 chain | |
| # (DOJ-3771/3772/3773): typo'd agent names, missing frontmatter fields, | |
| # malformed schema syntax. Heuristic by design — Step 3 deliberately scopes | |
| # to IDT-internal references (`${CLAUDE_PLUGIN_ROOT}/agents/...`) and ignores | |
| # bare `agents/<name>.md` mentions, since those are consumer-shipped overlays | |
| # (e.g. the translation pipeline references `agents/translator.md` from the | |
| # consumer repo, not from IDT). | |
| # | |
| # Companion to DOJ-3774. Closes the highest-ROI follow-up identified by the | |
| # DOJ-3708 migration chain. | |
| # | |
| # Security note: this workflow does not consume any untrusted input from the | |
| # GitHub event payload (issue/PR/commit metadata). The check scripts at | |
| # scripts/ci/ operate on repo files only; no `${{ github.event.* }}` is | |
| # interpolated into shell. | |
| name: lint | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| # Lock blast radius: this workflow only reads files. No write scope on | |
| # the repo, no token write to packages/issues/pages/etc. If the workflow | |
| # is ever compromised, the attacker cannot push back to the repo. | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint-plugin: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Actions pinned to full commit SHAs (not mutable version tags) for | |
| # supply-chain integrity. Update SHAs in lockstep when bumping. | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Python | |
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: "3.12" | |
| - name: Install dependencies | |
| run: pip install --quiet pyyaml==6.0.2 | |
| - name: JSON schema syntax validation | |
| run: python3 scripts/ci/check_json_schemas.py | |
| - name: YAML frontmatter linting | |
| run: python3 scripts/ci/check_frontmatter.py | |
| - name: Agent reference resolution | |
| run: python3 scripts/ci/check_agent_references.py |
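Review bot: The `Install dependencies` step pins PyYAML by version only (`pip install --quiet pyyaml==6.0.2`), which is weaker than the full-commit-SHA pinning that the comment above `Checkout` requires for actions. A version pin does not fix the artifact that gets downloaded. Consider moving the pin into a requirements file that carries hashes and installing it with `pip install --require-hashes -r <requirements file>`, so the dependency gets the same integrity guarantee as the actions. Separately, `Checkout` leaves credential persistence at its default. Because the later steps execute a package fetched from PyPI, adding `persist-credentials: false` under a `with:` key on that step would keep even the read-only token out of the checked-out repository's git config, which matches the "lock blast radius" intent stated above `permissions:`.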