Adds an explicit `permissions: contents: read` block to update-plugins.yml.
Cross-repo work (cloning ether/ep_* repos, pushing updates, merging
Dependabot PRs) is authenticated via secrets.PLUGINS_PAT, so the default
GITHUB_TOKEN only needs read access for actions/checkout.
Addresses CodeQL code-scanning alert #115 ("Workflow does not contain
permissions"). Matches the pattern already used by the other workflows
under .github/workflows/.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The daily update-plugins workflow already syncs boilerplate (workflows,
dependabot.yml, etc.) into every ether/ep_* repo via checkPlugin, but it
never closes the loop on the Dependabot PRs that config produces. With
plugin repos having no per-repo auto-merge wiring, those PRs sit green
indefinitely (e.g. ether/ep_loading_message#77).
Add a final step that, after the per-plugin updates run, walks every
ep_* repo and squash-merges any open Dependabot PR whose mergeStateStatus
is CLEAN — i.e. no conflicts, branch up to date, all required checks
green. Anything else (DIRTY, BLOCKED, BEHIND, UNSTABLE, …) is left alone
for a human.
No semver gating: trust each plugin's own CI to fail on a breaking
major bump rather than pre-filtering by version delta.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Continue processing remaining plugins when one fails instead of
crashing. Add summary at the end showing succeeded/failed/skipped
counts and plugin names.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runs checkPlugin with autopush on all ether/ep_* repos daily at
06:00 UTC. Updates workflows, dependencies, linting, and version
bumps across all plugins.
Requires PLUGINS_PAT org secret with push access to all ep_* repos.
Can also be triggered manually via workflow_dispatch.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
