Fix GitHub Actions security alerts by adding explicit workflow permissions#23
Merged
haofeif added a commit that referenced this pull request on Apr 18, 2026
* Add plugin primitive base classes and events
* Refine plugin primitive follow-up comments and tests
* Add plugin registry and package exports
* Tighten plugin registry log assertions
* Wire plugin registry into API lifespan
* Strengthen plugin lifespan integration tests
* Emit plugin events from service layer
* Harden plugin dispatch adapter
* drop orchestration_type as a persistent data type
* address nit comments
* change event naming scheme to be imperative with 'Post' prefix
* Feat/discord plugin (#23)
* Add Discord plugin scaffold
* Tidy Discord plugin scaffold artifacts
* Add Discord plugin lifecycle config
* Broaden development report ignore pattern
* Complete Discord plugin webhook forwarding
* gitignore
* remove mention of design in readme
* improve example plugin documentation
* refactor: remove redundant guard in send_terminal_input endpoint

  send_input already checks for None sender_id/orchestration_type/registry before dispatching the plugin event, so the caller-side branch just duplicated that logic. Pass the arguments through unconditionally to match the pattern used by the other plugin-aware endpoints.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add cao-plugin skill with hard requirements and hook event reference

  Codifies the plugin authoring contract (CaoPlugin subclass, @hook decorator, cao.plugins entry point, build/install) and catalogs the currently supported lifecycle and messaging events so future plugin work has a single reference.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add plugins guide and note example scope

  Adds docs/plugins.md covering plugin installation, available events, troubleshooting, and future improvements. Points plugin authors to the cao-plugin skill for the full authoring guide. Also annotates the cao-discord example README to clarify it is a reference implementation, not an actively maintained plugin.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(plugins): add plugin onboarding docs and close review gaps

  Address PR #172 review feedback: add examples/plugins/README.md index, add ## Plugins section to root README, add quick-start walkthrough to docs/plugins.md, and clean up duplicate install command in the Discord example README.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(plugins): delegate Quick Start setup steps to root README

  Replace inline install/launch commands with links to README § Installation and § Quick Start so plugin docs don't drift from the canonical setup path (and so prerequisites like tmux/Python versions stay discoverable).

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: haofeif <56006724+haofeif@users.noreply.github.com>
erikmackinnon pushed a commit to erikmackinnon/cli-agent-orchestrator that referenced this pull request on Apr 20, 2026
* Add plugin primitive base classes and events
* Refine plugin primitive follow-up comments and tests
* Add plugin registry and package exports
* Tighten plugin registry log assertions
* Wire plugin registry into API lifespan
* Strengthen plugin lifespan integration tests
* Emit plugin events from service layer
* Harden plugin dispatch adapter
* drop orchestration_type as a persistent data type
* address nit comments
* change event naming scheme to be imperative with 'Post' prefix
* Feat/discord plugin (awslabs#23)
* Add Discord plugin scaffold
* Tidy Discord plugin scaffold artifacts
* Add Discord plugin lifecycle config
* Broaden development report ignore pattern
* Complete Discord plugin webhook forwarding
* gitignore
* remove mention of design in readme
* improve example plugin documentation
* refactor: remove redundant guard in send_terminal_input endpoint

  send_input already checks for None sender_id/orchestration_type/registry before dispatching the plugin event, so the caller-side branch just duplicated that logic. Pass the arguments through unconditionally to match the pattern used by the other plugin-aware endpoints.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add cao-plugin skill with hard requirements and hook event reference

  Codifies the plugin authoring contract (CaoPlugin subclass, @hook decorator, cao.plugins entry point, build/install) and catalogs the currently supported lifecycle and messaging events so future plugin work has a single reference.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add plugins guide and note example scope

  Adds docs/plugins.md covering plugin installation, available events, troubleshooting, and future improvements. Points plugin authors to the cao-plugin skill for the full authoring guide. Also annotates the cao-discord example README to clarify it is a reference implementation, not an actively maintained plugin.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(plugins): add plugin onboarding docs and close review gaps

  Address PR awslabs#172 review feedback: add examples/plugins/README.md index, add ## Plugins section to root README, add quick-start walkthrough to docs/plugins.md, and clean up duplicate install command in the Discord example README.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(plugins): delegate Quick Start setup steps to root README

  Replace inline install/launch commands with links to README § Installation and § Quick Start so plugin docs don't drift from the canonical setup path (and so prerequisites like tmux/Python versions stay discoverable).

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: haofeif <56006724+haofeif@users.noreply.github.com>

(cherry picked from commit d472f64)
Description
Fixes 3 Medium severity CodeQL security alerts (CWE-275) by adding explicit permissions to the test workflow.
Changes
- `permissions: contents: read` block to `.github/workflows/test-q-cli-provider.yml`

Security Impact

Testing
Closes alerts 2, 3, 4
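As an added example (not part of this pull request or the repository), a small check that reports which jobs in a workflow file would keep the default GITHUB_TOKEN scope, which is the condition behind the CWE-275 alerts the PR closes. The sample workflows and job names are constructed, and the line-based scan is a simplified stand-in for the CodeQL query, not a port of it.

```python
"""Flag GitHub Actions jobs whose GITHUB_TOKEN permissions are left implicit.

Added example, not code from the pull request. A job is covered when the
workflow sets a top-level `permissions:` or the job declares its own; else
the token inherits the repository default scope (the CWE-275 condition).
Line-based scan of consistently indented YAML; a simplified stand-in for
the CodeQL query, not a port of it.
"""
import re
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")

def _indent(line):
    return len(line) - len(line.lstrip())

def _is_content(line):
    return bool(line.strip()) and not line.lstrip().startswith("#")

def _keys_at(lines, indent):
    """Yield (index, key) for mapping keys sitting at exactly `indent` spaces."""
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m and len(m.group(1)) == indent:
            yield i, m.group(2)

def _block(lines, start):
    """Return (nested lines under line `start`, their indent level)."""
    body = []
    for line in lines[start + 1:]:
        if _is_content(line) and _indent(line) <= _indent(lines[start]):
            break
        body.append(line)
    levels = [_indent(l) for l in body if _is_content(l)]
    return body, (min(levels) if levels else -1)

def jobs_missing_permissions(workflow_text):
    """Return names of jobs that neither inherit nor declare `permissions`."""
    lines = workflow_text.splitlines()
    top = {key: i for i, key in _keys_at(lines, 0)}
    if "permissions" in top or "jobs" not in top:
        return []  # workflow-wide block covers every job, or nothing to check
    missing = []
    jobs_body, job_level = _block(lines, top["jobs"])
    for i, job in _keys_at(jobs_body, job_level):
        job_body, key_level = _block(jobs_body, i)
        if "permissions" not in {k for _, k in _keys_at(job_body, key_level)}:
            missing.append(job)
    return missing

# Constructed samples, not the repository's real workflow file.
WEAK = "on: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: pytest\n"
FIXED = "on: push\npermissions:\n  contents: read\n" + WEAK.split("\n", 1)[1]
PARTIAL = ("on: push\njobs:\n  lint:\n    permissions:\n      contents: read\n"
           "    runs-on: ubuntu-latest\n  release:\n    runs-on: ubuntu-latest\n")
```

Running `jobs_missing_permissions` over every file under `.github/workflows/` in CI gives a cheap guard against a workflow regressing to the implicit default.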