Skip to content

Add release workflow to bump Claude plugin version#50

Merged
donald-pinckney merged 2 commits into
mainfrom
add-release-workflow
Jul 5, 2026
Merged

Add release workflow to bump Claude plugin version#50
donald-pinckney merged 2 commits into
mainfrom
add-release-workflow

Conversation

@donald-pinckney

Copy link
Copy Markdown
Collaborator

Summary

Adds a manually-dispatched GitHub Actions workflow that releases the Claude plugin by bumping its version number.

What it does

  • Triggered via workflow_dispatch with a bump input (patch/minor/major, defaults to patch).
  • Increments the version in .claude-plugin/plugin.json using jq. Skill versions are intentionally left untouched. (.claude-plugin/marketplace.json has no version field, so nothing to change there.)
  • Commits the bump directly to main as Bump version from X to Y and pushes a v<version> tag.

Auth / setup required

Pushes over SSH using a deploy key so it can bypass the main ruleset (the built-in github-actions[bot] can't be added to a ruleset bypass list). Before first use:

  1. Generate a deploy key and add the public key under Settings → Deploy keys with write access.
  2. Add the private key as the RELEASE_SSH_KEY repo secret.
  3. Add the deploy key to the main ruleset's bypass list.

🤖 Generated with Claude Code

Manually-dispatched workflow that increments the version in
.claude-plugin/plugin.json (patch/minor/major), commits the bump
directly to main, and pushes a v<version> tag. Pushes over SSH using
a deploy key so it can bypass the main ruleset.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@donald-pinckney donald-pinckney requested a review from a team as a code owner July 5, 2026 09:17
Comment on lines +30 to +57
run: |
set -euo pipefail
PLUGIN_FILE=".claude-plugin/plugin.json"

OLD_VERSION=$(jq -r '.version' "$PLUGIN_FILE")
if [ -z "$OLD_VERSION" ] || [ "$OLD_VERSION" = "null" ]; then
echo "Could not read version from $PLUGIN_FILE" >&2
exit 1
fi

IFS='.' read -r MAJOR MINOR PATCH <<< "$OLD_VERSION"

case "${{ inputs.bump }}" in
major) MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0 ;;
minor) MINOR=$((MINOR + 1)); PATCH=0 ;;
patch) PATCH=$((PATCH + 1)) ;;
esac

NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"

tmp=$(mktemp)
jq --arg v "$NEW_VERSION" '.version = $v' "$PLUGIN_FILE" > "$tmp"
mv "$tmp" "$PLUGIN_FILE"

echo "old_version=$OLD_VERSION" >> "$GITHUB_OUTPUT"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
echo "Bumped $OLD_VERSION -> $NEW_VERSION"

@github-actions github-actions Bot Jul 5, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opengrepsecurity.gha.run-shell-injection-inputs (WARNING)

A composite-action / reusable-workflow / workflow_dispatch inputs.* value is interpolated directly into this run/script block. Inputs are supplied by the caller, who may pass attacker-controlled data into them — e.g. a caller invoking this with version: ${{ github.event.pull_request.head.ref }} (a fork branch name). Because the input value is substituted before the shell runs, the callee cannot trust it. Defensive fix: copy the input into a step-level env: entry (e.g. VERSION: ${{ inputs.version }}) and reference the quoted environment variable in the script instead (echo "$VERSION"). This is advisory (WARNING): not every input carries untrusted data, but routing inputs through env: makes the component safe regardless of how callers use it. If an input appears only as a condition selecting between hard-coded string literals (e.g. ${{ inputs.flag && 'a' || 'b' }}), the emitted value is constant and that specific use is not exploitable — but hoist the condition into bash (set a boolean env: var and branch with if) so the run line carries no ${{ }} and the safety stays local and stable. Directly-untrusted github.* contexts are covered separately by security.gha.run-shell-injection.

Fixed in 502b127

Copy inputs.bump into a step-level env var and reference "$BUMP" in the
run block instead of interpolating ${{ inputs.bump }} directly, per
opengrep security.gha.run-shell-injection-inputs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@donald-pinckney donald-pinckney merged commit 6ef0ec5 into main Jul 5, 2026
3 checks passed
@donald-pinckney donald-pinckney deleted the add-release-workflow branch July 5, 2026 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant