feat(workflows): add reusable marketplace-publish workflow #10
Merged
Single source of truth for the LVIS plugin marketplace publish pipeline. Replaces N=7 copies of `publish.yml` (lvis-plugin-template + 6 plugin repos) that drifted across repos and led to two consecutive regressions on lvis-plugin-local-indexer (worker dir drop on v0.1.20, python-requirements.lock drop on v0.1.21).

Future changes — new security guards, marketplace API contract migrations, zip layout adjustments — land here once and propagate via the `uses: lvis-project/.github/.github/workflows/marketplace-publish.yml@vN` caller reference.

Inputs:
- `slug` (string, required): catalog id, must equal `plugin.json.id`. Cross-checked at runtime so a drift between the caller's `with: slug:` and the manifest fails fast (silent corruption guard).

Secrets:
- `MARKETPLACE_API_KEY` (required): bearer for POST /versions.
- `MARKETPLACE_BASE_URL` (optional): defaults to https://marketplace.lvisai.xyz when unset.

The pipeline body is lifted verbatim from lvis-plugin-template's publish.yml as of post-PR-31 (the `package.json:files[]` SoT pattern + all defense-in-depth guards: GHA expression-injection sink closure via `zip -@`, segment-aware traversal check, boundary-anchored sensitive-file regex, realpath-on-every-entry, `--symlinks` zip flag).

Caller pattern — each plugin's publish.yml becomes ~12 lines:

```yaml
on:
  push:
    tags: ['v*.*.*']
jobs:
  publish:
    uses: lvis-project/.github/.github/workflows/marketplace-publish.yml@v1
    with:
      slug: meeting
    secrets:
      MARKETPLACE_API_KEY: ${{ secrets.MARKETPLACE_API_KEY }}
      MARKETPLACE_BASE_URL: ${{ secrets.MARKETPLACE_BASE_URL }}
```

Adoption plan:
1. Land this PR + tag the .github repo `v1`.
2. Canary: convert lvis-plugin-pageindex (most complex — Python lockfile + worker bundle) to a caller pointing at `@v1`. Bump patch + tag → real publish through reusable.
3. If green, sweep the other 5 plugins + lvis-plugin-template (template gets its own caller so future template forks inherit the thin shape).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
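Summary
A single SoT for the LVIS plugin marketplace publish pipeline. Today 7 repos (template + 6 plugins) each carry their own ~330-line `publish.yml`, an N=7 duplication → converted to a single source in one place. Callers keep only a ~12-line thin caller.
Motivation
Both regressions in `lvis-plugin-local-indexer` (worker dir drop on v0.1.20, lockfile drop on v0.1.21) followed the same pattern: the workflow and `package.json:files[]` were not updated together. PR #31 + the 6-plugin sweep aligned the SoT pattern, but the next publish pipeline change (security hardening / API schema migration) would again need 6 sweeps. This PR compresses that sweep itself into one.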
API
Inputs
Secrets
Behavior
The body lifts the publish.yml from lvis-plugin-template post-PR-31 as-is:
Caller pattern
```yaml
on:
  push:
    # Release tags such as v0.1.21 trigger a publish.
    tags: ['v*.*.*']
jobs:
  publish:
    uses: lvis-project/.github/.github/workflows/marketplace-publish.yml@v1
    with:
      # Catalog id; must equal plugin.json.id (cross-checked at runtime).
      slug: meeting
    secrets:
      MARKETPLACE_API_KEY: ${{ secrets.MARKETPLACE_API_KEY }}
      MARKETPLACE_BASE_URL: ${{ secrets.MARKETPLACE_BASE_URL }}
```
Adoption plan
Test plan
References lvis-plugin-template#30, lvis-plugin-template#31 (phase P2 of the sweep)
🤖 Generated with Claude Code
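
An added sketch, not the workflow's own code, of three guards the commit message names (segment-aware traversal check, boundary-anchored sensitive-file regex, realpath on every entry) applied to a file list before it reaches `zip -@`. The function names, the deny-list regex and the file names in the comments are assumptions, and `realpath` is assumed to be the GNU coreutils one.

```shell
#!/bin/sh
# Added illustration, not the lvis-project workflow. Function names and the
# deny-list regex below are assumptions.

# Boundary-anchored: a match must start at a path boundary and end at the end
# of the name, so ".env" and "keys/id_rsa" hit but "src/environment.ts" does not.
SENSITIVE_RE='(^|/)(\.env(\..*)?|\.npmrc|id_rsa|id_ed25519|[^/]*\.pem|[^/]*\.key)$'

# check_entry ROOT ENTRY: status 0 if ENTRY may be packed, 1 (reason on stderr) if not.
check_entry() {
  _root=$(realpath "$1") || return 1
  _entry=$2
  case "$_entry" in /*) echo "absolute path: $_entry" >&2; return 1 ;; esac
  # Segment-aware: ".." is rejected only as a whole segment; "notes..md" is legal.
  case "/$_entry/" in */../*) echo "traversal segment: $_entry" >&2; return 1 ;; esac
  if printf '%s\n' "$_entry" | grep -Eq "$SENSITIVE_RE"; then
    echo "sensitive file: $_entry" >&2; return 1
  fi
  # realpath on every entry: a symlink that resolves outside ROOT is refused.
  _resolved=$(realpath "$_root/$_entry") || return 1
  case "$_resolved" in
    "$_root"/*) return 0 ;;
    *) echo "resolves outside root: $_entry" >&2; return 1 ;;
  esac
}

# safe_file_list ROOT: reads one entry per line on stdin and echoes the list
# back only if every entry passes (one bad entry fails the whole publish).
# Intended use: safe_file_list "$PWD" < files.txt | zip --symlinks plugin.zip -@
# so names reach zip on stdin and are never interpolated into the script text.
safe_file_list() {
  _bad=0; _out=
  while IFS= read -r _line; do
    [ -n "$_line" ] || continue
    if check_entry "$1" "$_line"; then
      _out="$_out$_line
"
    else
      _bad=1
    fi
  done
  [ "$_bad" -eq 0 ] || return 1
  printf '%s' "$_out"
}
```
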