chore: ci check for hooks plugin version

[chase-crumbaugh]

---

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	Mar 5, 2026 7:44pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0ff436c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

Devin Review found 3 potential issues.

View 3 additional findings in Devin Review.

[devin-ai-integration]

🟡 Version format validation runs after comparison, allowing malformed versions to pass if they differ

The "Validate version format" step (line 46) runs after the "Compare versions" step (line 32). If the version format is invalid but differs from the base version, the comparison step will print ✅ Version has been updated and succeed, then the format validation will fail. However, if the comparison step fails first (same version), the format validation never runs, so a malformed version that happens to match the base is never flagged for format issues. More importantly, the format validation should run first so that the comparison step only ever deals with well-formed semver strings — this would also prevent the script injection in BUG-0001/BUG-0002 since a malicious payload would fail the regex check before reaching the comparison step.

Prompt for agents

In .github/workflows/plugin-version-check.yml, move the "Validate version format" step (lines 46-54) to run before the "Compare versions" step (lines 32-44). This ensures that malformed version strings are rejected before any comparison logic executes. The step order should be: (1) Get PR version, (2) Get base version, (3) Validate version format, (4) Compare versions.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 2 new potential issues.

View 6 additional findings in Devin Review.

[devin-ai-integration]

🟡 Version comparison allows downgrades — only checks inequality, not that version increased

The comparison step at line 37 checks $PR_VERSION == $BASE_VERSION and fails only when they are equal. This means any version change passes, including a downgrade (e.g., 0.0.2 → 0.0.1). For a version check intended to enforce version bumps, the workflow should verify the PR version is strictly greater than the base version.

Prompt for agents

In .github/workflows/plugin-version-check.yml, replace the simple string inequality check at lines 37-44 with a proper semver comparison that verifies the PR version is strictly greater than the base version. You can use a helper function that splits both versions on dots and compares major, minor, and patch components numerically. For example:

  IFS='.' read -r pr_major pr_minor pr_patch <<< "$PR_VERSION"
  IFS='.' read -r base_major base_minor base_patch <<< "$BASE_VERSION"
  
  if [ "$pr_major" -gt "$base_major" ] || \
     ([ "$pr_major" -eq "$base_major" ] && [ "$pr_minor" -gt "$base_minor" ]) || \
     ([ "$pr_major" -eq "$base_major" ] && [ "$pr_minor" -eq "$base_minor" ] && [ "$pr_patch" -gt "$base_patch" ]); then
    echo "Version bumped"
  else
    echo "Version not bumped" && exit 1
  fi

Also consider moving the format validation step (lines 46-55) before the comparison step so that you validate the format of both versions before comparing them numerically.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 2 potential issues.

View 2 additional findings in Devin Review.

[devin-ai-integration]

🟡 Version check only tests inequality, allowing version downgrades

The "Compare versions" step at line 37 checks $PR_VERSION == $BASE_VERSION (string equality), which means any version that is different from the base will pass — including downgrades (e.g., 0.0.2 → 0.0.1). The intent of this workflow is to ensure a version bump, but a version decrement would also pass. The check should verify the PR version is strictly greater than the base version using semver comparison.

Suggested change

	if [ "$PR_VERSION" == "$BASE_VERSION" ]; then
	echo "❌ Error: plugin.json version has not been updated"
	echo "Current version: $BASE_VERSION"
	echo "Please bump the version in hooks/plugin-claude/.claude-plugin/plugin.json"
	exit 1
	else
	echo "✅ Version has been updated: $BASE_VERSION -> $PR_VERSION"
	fi
	# Split versions into components
	IFS='.' read -r PR_MAJOR PR_MINOR PR_PATCH <<< "$PR_VERSION"
	IFS='.' read -r BASE_MAJOR BASE_MINOR BASE_PATCH <<< "$BASE_VERSION"
	# Compare as integers (major, minor, patch)
	PR_NUM=$((PR_MAJOR * 1000000 + PR_MINOR * 1000 + PR_PATCH))
	BASE_NUM=$((BASE_MAJOR * 1000000 + BASE_MINOR * 1000 + BASE_PATCH))
	if [ "$PR_NUM" -le "$BASE_NUM" ]; then
	echo "❌ Error: plugin.json version has not been bumped"
	echo "Base version: $BASE_VERSION, PR version: $PR_VERSION"
	echo "Please bump the version in hooks/plugin-claude/.claude-plugin/plugin.json"
	exit 1
	else
	echo "✅ Version has been bumped: $BASE_VERSION -> $PR_VERSION"
	fi

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🟡 Version format validation runs after comparison, allowing misleading success message

The "Validate version format" step (line 46) runs after the "Compare versions" step (line 32). If the PR version is a non-semver string (e.g., "abc" or "null"), the comparison step will print "✅ Version has been updated" before the format validation fails in the next step. More importantly, if jq -r '.version' returns null (e.g., the version field is missing from plugin.json), it will be compared as the string "null", and the comparison would pass if the base version isn't also "null". The format validation step should run before the comparison step to ensure both versions are valid semver before comparing them.

Prompt for agents

In .github/workflows/plugin-version-check.yml, reorder the steps so that "Validate version format" (currently lines 46-55) runs before "Compare versions" (currently lines 32-44). This ensures that the version string is confirmed to be valid semver before comparison, preventing misleading success messages when the version is malformed or missing.

---

Was this helpful? React with 👍 or 👎 to provide feedback.