feat: add tutorial skill to carta-investors plugin #33
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Provenance Check | |
| on: | |
| pull_request: | |
| paths: | |
| - 'plugins/**' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| provenance: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/create-github-app-token@v1 | |
| id: app-token | |
| with: | |
| app-id: ${{ secrets.CARTA_CI_APP_ID }} | |
| private-key: ${{ secrets.CARTA_CI_APP_PRIVATE_KEY }} | |
| repositories: claude-marketplace | |
| - name: Identify changed plugins | |
| id: changes | |
| run: | | |
| PLUGINS=$(gh pr diff "$PR_NUMBER" --name-only \ | |
| | grep '^plugins/' \ | |
| | cut -d'/' -f2 \ | |
| | sort -u \ | |
| | tr '\n' ',') | |
| echo "changed_plugins=${PLUGINS%,}" >> "$GITHUB_OUTPUT" | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_TOKEN: ${{ github.token }} | |
| - uses: actions/setup-python@v5 | |
| if: steps.changes.outputs.changed_plugins != '' | |
| with: | |
| python-version: '3.12' | |
| - name: Verify provenance | |
| if: steps.changes.outputs.changed_plugins != '' | |
| run: python .github/scripts/verify-provenance.py "$CHANGED_PLUGINS" | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| PROVENANCE_REPO: ${{ vars.PROVENANCE_REPO }} | |
| CHANGED_PLUGINS: ${{ steps.changes.outputs.changed_plugins }} | |
| - name: Post failure comment | |
| if: failure() | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh pr comment "$PR_NUMBER" --body "## Provenance Check Failed | |
| One or more plugins in this PR could not be verified against the internal marketplace. | |
| **What this means:** Plugins must first be merged to the internal marketplace repo and pass security scanning before they can be published here. | |
| **How to fix:** | |
| 1. Ensure your plugin is merged to \`main\` in the internal marketplace repo | |
| 2. Wait for the security scan workflow to pass and generate the manifest | |
| 3. Ensure the plugin content here is an exact copy (no modifications) | |
| See the workflow logs above for specific details on which checks failed." |