ci: add plugin manifest linting (#345)

* ci: add codex-plugin-scanner quality gate

* ci: pin actions to SHAs, add permissions, timeout, concurrency

* ci:enforce-plugin-scanner-minimum-score

* ci:clarify-scanner-root-and-namespace-concurrency

* ci:add-manual-plugin-scanner-trigger

* ci: harden plugin scanner coverage

* ci: tighten plugin scanner regression coverage

---------

Co-authored-by: internet-dot[bot] <internet-dot@users.noreply.github.com>
Co-authored-by: ndycode <405533+ndycode@users.noreply.github.com>

Author: internet-dot

.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-multi-auth",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "description": "Install and operate codex-multi-auth for the official @openai/codex CLI with multi-account OAuth rotation, switching, health checks, and recovery tools.",
   "skills": "./skills/"
 }

.github/plugin-scanner-fixtures/bad/.codex-plugin/plugin.json

@@ -0,0 +1,4 @@
+{
+  "name": "Fixture Bad Plugin",
+  "description": "Fixture plugin used to validate failing scanner behavior."
+}

.github/plugin-scanner-fixtures/bad/README.md

@@ -0,0 +1,3 @@
+# Fixture Bad Plugin
+
+This fixture is expected to fail the plugin scanner quality gate.

.github/plugin-scanner-fixtures/good/.codex-plugin/plugin.json

@@ -0,0 +1,11 @@
+{
+  "name": "fixture-good-plugin",
+  "version": "1.0.0",
+  "description": "Fixture plugin used to validate the Codex plugin scanner workflow.",
+  "author": "ndycode",
+  "homepage": "https://example.com/fixture-good-plugin",
+  "repository": "https://example.com/fixture-good-plugin.git",
+  "license": "MIT",
+  "keywords": ["fixture", "codex", "plugin"],
+  "skills": "./skills/"
+}

.github/plugin-scanner-fixtures/good/.codexignore

@@ -0,0 +1 @@
+# Fixture file for scanner regression coverage.

.github/plugin-scanner-fixtures/good/LICENSE

@@ -0,0 +1,3 @@
+MIT License
+
+Copyright (c) 2026 ndycode

.github/plugin-scanner-fixtures/good/README.md

@@ -0,0 +1,3 @@
+# Fixture Good Plugin
+
+This fixture is expected to pass the plugin scanner quality gate.

.github/plugin-scanner-fixtures/good/SECURITY.md

@@ -0,0 +1,3 @@
+# Security Policy
+
+Report security issues to fixture@example.com.

.github/plugin-scanner-fixtures/good/skills/example/SKILL.md

@@ -0,0 +1,8 @@
+---
+name: example
+description: Example fixture skill for scanner regression coverage.
+---
+
+# Example
+
+This fixture skill exists to satisfy the plugin scanner regression test.

.github/workflows/codex-plugin-scanner.yml

@@ -0,0 +1,73 @@
+name: Codex Plugin Quality Gate
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Codex plugin scanner
+        uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1
+        with:
+          # The pinned action resolves .codex-plugin/plugin.json from the repo root.
+          plugin_dir: "."
+          min_score: "70"
+
+  scan-regression:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            fixture: good
+            plugin_dir: ".github/plugin-scanner-fixtures/good"
+            expect_outcome: success
+          - os: ubuntu-latest
+            fixture: bad
+            plugin_dir: ".github/plugin-scanner-fixtures/bad"
+            expect_outcome: failure
+          - os: windows-latest
+            fixture: good
+            plugin_dir: ".github/plugin-scanner-fixtures/good"
+            expect_outcome: success
+          - os: windows-latest
+            fixture: bad
+            plugin_dir: ".github/plugin-scanner-fixtures/bad"
+            expect_outcome: failure
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Codex plugin scanner regression
+        id: scan
+        continue-on-error: true
+        uses: hashgraph-online/hol-codex-plugin-scanner-action@b45d6b583afe05819b24edc8e6418c9ad2e1f1d0 # v1
+        with:
+          plugin_dir: ${{ matrix.plugin_dir }}
+          min_score: "70"
+      - name: Assert fixture outcome
+        shell: bash
+        run: |
+          if [ "${{ steps.scan.outcome }}" != "${{ matrix.expect_outcome }}" ]; then
+            echo "Expected fixture '${{ matrix.fixture }}' to '${{ matrix.expect_outcome }}', got '${{ steps.scan.outcome }}'."
+            exit 1
+          fi