[Template Sync] fix: include dotfiles in artifact upload and detect untracked files%0A%0A- Add include-hidden-files: true to claude artifact upload so .mcp.json%0A is included (upload-artifact skips dotfiles by default)%0A- Replace git diff check with git status --porcelain to also catch%0A untracked new files, fixing cursor PR not being created%0A%0ACo-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/require-version-label.yml

@@ -0,0 +1,65 @@
+name: Require Version Bump Label
+
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  check-plugin-changes:
+    name: Check for Plugin Changes
+    runs-on: ubuntu-latest
+    outputs:
+      has_plugin_changes: ${{ steps.check.outputs.has_changes }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check if plugin files changed
+        id: check
+        run: |
+          # Get list of changed files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+
+          # Define plugin file patterns (adjust based on repo structure)
+          # For Claude: plugin/, For Cursor: hooks/, mcp.json, skills/, scripts/
+          PLUGIN_PATTERNS="plugin/|hooks/|mcp\.json|\.mcp\.json|skills/|scripts/|commands/|semgrep-version"
+
+          if echo "$CHANGED_FILES" | grep -qE "$PLUGIN_PATTERNS"; then
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            echo "Plugin files changed:"
+            echo "$CHANGED_FILES" | grep -E "$PLUGIN_PATTERNS" || true
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "No plugin files changed"
+          fi
+
+  check-version-label:
+    name: Check Version Bump Label
+    needs: check-plugin-changes
+    if: needs.check-plugin-changes.outputs.has_plugin_changes == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for version bump label
+        run: |
+          LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}'
+
+          if echo "$LABELS" | grep -q '"bump:patch"'; then
+            echo "✓ Found label: bump:patch"
+            exit 0
+          elif echo "$LABELS" | grep -q '"bump:minor"'; then
+            echo "✓ Found label: bump:minor"
+            exit 0
+          elif echo "$LABELS" | grep -q '"bump:major"'; then
+            echo "✓ Found label: bump:major"
+            exit 0
+          else
+            echo "✗ Missing version bump label!"
+            echo ""
+            echo "This PR modifies plugin files and requires a version bump."
+            echo "Please add one of the following labels:"
+            echo "  - bump:patch  (bug fixes: 0.4.1 → 0.4.2)"
+            echo "  - bump:minor  (new features: 0.4.1 → 0.5.0)"
+            echo "  - bump:major  (breaking changes: 0.4.1 → 1.0.0)"
+            exit 1
+          fi

.github/workflows/version-bump.yml

@@ -0,0 +1,92 @@
+name: Version Bump on Label
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  bump-version:
+    name: Bump Version
+    if: startsWith(github.event.label.name, 'bump:')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ github.head_ref }}
+
+      - name: Determine bump type
+        id: bump_type
+        run: |
+          LABEL="${{ github.event.label.name }}"
+          BUMP_TYPE="${LABEL#bump:}"
+          echo "type=$BUMP_TYPE" >> $GITHUB_OUTPUT
+
+      - name: Find plugin.json
+        id: find_plugin
+        run: |
+          # Look for plugin.json in different locations
+          if [ -f "plugin/.claude-plugin/plugin.json" ]; then
+            echo "path=plugin/.claude-plugin/plugin.json" >> $GITHUB_OUTPUT
+          elif [ -f ".claude-plugin/plugin.json" ]; then
+            echo "path=.claude-plugin/plugin.json" >> $GITHUB_OUTPUT
+          elif [ -f ".cursor-plugin/plugin.json" ]; then
+            echo "path=.cursor-plugin/plugin.json" >> $GITHUB_OUTPUT
+          else
+            echo "Could not find plugin.json"
+            exit 1
+          fi
+
+      - name: Read current version
+        id: current_version
+        run: |
+          PLUGIN_JSON="${{ steps.find_plugin.outputs.path }}"
+          VERSION=$(grep -o '"version": *"[^"]*"' "$PLUGIN_JSON" | head -1 | grep -o '[0-9]*\.[0-9]*\.[0-9]*')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Current version: $VERSION"
+
+      - name: Calculate new version
+        id: new_version
+        run: |
+          VERSION="${{ steps.current_version.outputs.version }}"
+          BUMP_TYPE="${{ steps.bump_type.outputs.type }}"
+
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
+
+          case "$BUMP_TYPE" in
+            major)
+              MAJOR=$((MAJOR + 1))
+              MINOR=0
+              PATCH=0
+              ;;
+            minor)
+              MINOR=$((MINOR + 1))
+              PATCH=0
+              ;;
+            patch)
+              PATCH=$((PATCH + 1))
+              ;;
+          esac
+
+          NEW_VERSION="$MAJOR.$MINOR.$PATCH"
+          echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
+          echo "Bumping version: $VERSION → $NEW_VERSION ($BUMP_TYPE)"
+
+      - name: Update version in plugin.json
+        run: |
+          PLUGIN_JSON="${{ steps.find_plugin.outputs.path }}"
+          OLD_VERSION="${{ steps.current_version.outputs.version }}"
+          NEW_VERSION="${{ steps.new_version.outputs.version }}"
+
+          sed -i "s/\"version\": *\"$OLD_VERSION\"/\"version\": \"$NEW_VERSION\"/" "$PLUGIN_JSON"
+
+          echo "Updated $PLUGIN_JSON:"
+          grep version "$PLUGIN_JSON"
+
+      - name: Commit version bump
+        run: |
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git add .
+          git commit -m "chore: bump version to ${{ steps.new_version.outputs.version }}"
+          git push

README.md

@@ -0,0 +1,12 @@
+# Semgrep MCP Marketplace
+
+ This repo is where the Semgrep Cursor Plugin lives.
+
+ To use the Semgrep plugin:
+ 1. Install the plugin from the Cursor Plugin Marketplace
+
+ 1. Run the `/semgrep-plugin:setup_semgrep_plugin` command.
+
+ ## Contributing
+
+ This plugin is managed by the [mcp-marketplace-template](https://github.com/semgrep/mcp-marketplace-template) repository. Changes should be made there and synced via automated PRs.

hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "version": 1,
+  "hooks": {
+    "afterFileEdit": [
+      {
+        "command": "semgrep mcp -k record-file-edit -a cursor"
+      }
+    ],
+    "stop": [
+      {
+        "command": "semgrep mcp -k stop-cli-scan -a cursor"
+      }
+    ]
+  }
+}

mcp.json

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "semgrep": {
+      "command": "semgrep",
+      "args": [
+        "mcp"
+      ]
+    }
+  }
+}

scripts/check_version.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Check if the installed Semgrep version meets the minimum requirement
+# This script is shared between Claude and Cursor plugins
+
+set -e
+
+# Determine the script's directory and find the semgrep-version file
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Look for semgrep-version in different locations depending on context
+if [ -f "${SCRIPT_DIR}/../../semgrep-version" ]; then
+    # Running from template repo
+    MIN_VERSION_FILE="${SCRIPT_DIR}/../../semgrep-version"
+elif [ -n "${CLAUDE_PLUGIN_ROOT}" ] && [ -f "${CLAUDE_PLUGIN_ROOT}/semgrep-version" ]; then
+    # Running from Claude plugin
+    MIN_VERSION_FILE="${CLAUDE_PLUGIN_ROOT}/semgrep-version"
+elif [ -n "${CURSOR_PLUGIN_ROOT}" ] && [ -f "${CURSOR_PLUGIN_ROOT}/semgrep-version" ]; then
+    # Running from Cursor plugin
+    MIN_VERSION_FILE="${CURSOR_PLUGIN_ROOT}/semgrep-version"
+else
+    echo "Error: Could not find semgrep-version file"
+    exit 1
+fi
+
+MIN_VERSION=$(cat "$MIN_VERSION_FILE")
+
+# Get installed Semgrep version
+if ! command -v semgrep &> /dev/null; then
+    echo "Error: Semgrep is not installed"
+    exit 1
+fi
+
+INSTALLED_VERSION=$(semgrep --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
+
+if [ -z "$INSTALLED_VERSION" ]; then
+    echo "Error: Could not determine installed Semgrep version"
+    exit 1
+fi
+
+# Compare versions using sort -V
+version_gte() {
+    [ "$1" = "$(echo -e "$1\n$2" | sort -V | tail -n1)" ]
+}
+
+if version_gte "$INSTALLED_VERSION" "$MIN_VERSION"; then
+    echo "Success: Semgrep $INSTALLED_VERSION >= $MIN_VERSION (minimum required)"
+    exit 0
+else
+    echo "Error: Semgrep $INSTALLED_VERSION < $MIN_VERSION (minimum required)"
+    echo "Please update Semgrep: brew upgrade semgrep"
+    exit 1
+fi

semgrep-version

@@ -0,0 +1 @@
+1.146.0

skills/setup_semgrep_plugin.md

@@ -0,0 +1,48 @@
+# Setup Semgrep Plugin
+
+Follow these steps to set up the Semgrep plugin:
+
+## 1. Install Semgrep
+
+Check if Semgrep is installed, and install it if not:
+
+```bash
+which semgrep || brew install semgrep
+```
+
+## 2. Authenticate with Semgrep
+
+Log in to Semgrep (this will open a browser window):
+
+```bash
+semgrep login --force
+```
+
+## 3. Install Semgrep Pro Engine
+
+Install the Pro engine for enhanced scanning capabilities:
+
+```bash
+semgrep install-semgrep-pro || true
+```
+
+## 4. Verify Installation
+
+Confirm everything is working:
+
+```bash
+semgrep --pro --version
+```
+
+## 5. Check Version Compatibility
+
+Verify your Semgrep version meets the minimum requirement:
+
+```bash
+${CLAUDE_PLUGIN_ROOT}/scripts/check_version.sh
+```
+
+If the version check fails, please update Semgrep:
+```bash
+brew upgrade semgrep
+```