
Add Codex CLI plugin manifest #3330

Closed
internet-dot wants to merge 1 commit into triggerdotdev:main from internet-dot:ci/codex-plugin-scanner


Conversation

@internet-dot

I opened this because trigger.dev – build and deploy fully‑managed AI agents and workflows.

What stood out from the repo:

  • Trigger.dev – build and deploy fully‑managed AI agents and workflows
  • Build and deploy fully‑managed AI agents and workflows
  • Website | Docs | Issues | Example projects | Feature requests | Public roadmap | Self-hosting

This PR adds the basic Codex plugin metadata, an .mcp.json starting point, and the scanner workflow.
If you want different command wiring or manifest metadata, I can adjust the branch.

@changeset-bot

changeset-bot bot commented Apr 6, 2026

⚠️ No Changeset found

Latest commit: 20a8865

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai

coderabbitai bot commented Apr 6, 2026

Caution

Review failed

The pull request is closed.

Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 1f3a0a36-789f-4596-80f4-fc5fa7449aee

📥 Commits

Reviewing files that changed from the base of the PR and between 4f2ff3d and 20a8865.

📒 Files selected for processing (2)
  • .codex-plugin/plugin.json
  • .github/workflows/codex-plugin-scanner.yml

Walkthrough

This pull request adds two new configuration files to establish a Codex plugin setup for the project. A plugin manifest file is added to declare metadata, version information, and MCP server configuration. Concurrently, a GitHub Actions workflow is introduced to automatically scan the plugin against quality standards on push and pull request events to the main branch, failing when critical-severity issues are detected.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


@github-actions

github-actions bot commented Apr 6, 2026

Hi @internet-dot, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

github-actions bot closed this Apr 6, 2026

@devin-ai-integration devin-ai-integration bot left a comment

Devin Review found 2 potential issues.

"mcp",
"codex"
],
"mcpServers": "./.mcp.json"

🔴 plugin.json references non-existent .mcp.json file

The mcpServers field in .codex-plugin/plugin.json:15 points to ./.mcp.json, but this file does not exist anywhere in the repository root. The only MCP-related JSON file is .cursor/mcp.json (which lives in a different directory and has a different structure with an empty mcpServers object). This means the Codex plugin will fail to resolve its MCP server configuration, making the plugin non-functional.


steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - name: Codex plugin scanner
    uses: hashgraph-online/hol-codex-plugin-scanner-action@e83708a91ae4812872aa2905b99ad559a55c74ab

🚩 Third-party GitHub Action from lesser-known organization

The workflow at .github/workflows/codex-plugin-scanner.yml:22 uses hashgraph-online/hol-codex-plugin-scanner-action@e83708a91ae4812872aa2905b99ad559a55c74ab. While it is correctly pinned to a commit SHA (good security practice, consistent with the actions/checkout pin on line 20), hashgraph-online is not a well-known or widely-adopted GitHub Actions publisher. The action runs with contents: read permissions which limits blast radius, but the action could still exfiltrate repository source code. Worth verifying this is an intentional and trusted dependency.

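Both Devin findings above (a manifest whose mcpServers path resolves to no file, and a workflow step that is SHA-pinned but comes from an unfamiliar publisher) can be turned into a pre-merge check. The following is an added example, not code from the PR or the trigger.dev project; the publisher allowlist, the sample manifest, the tracked-file set and the extra `some-org/some-action@v2` step are constructed for illustration.

```python
import json
import posixpath
import re

# Hypothetical allowlist of GitHub Action publishers this repository trusts.
TRUSTED_PUBLISHERS = {"actions", "github"}
# Matches `uses: owner/repo[/subpath]@ref`, tolerating a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@(\S+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed samples echoing the two review findings; not the PR's real files.
SAMPLE_MANIFEST = '{"name": "example-plugin", "keywords": ["mcp", "codex"], "mcpServers": "./.mcp.json"}'
SAMPLE_REPO_FILES = {".codex-plugin/plugin.json", ".cursor/mcp.json",
                     ".github/workflows/codex-plugin-scanner.yml"}  # e.g. from `git ls-files`
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - name: Codex plugin scanner
    uses: hashgraph-online/hol-codex-plugin-scanner-action@e83708a91ae4812872aa2905b99ad559a55c74ab
  - uses: some-org/some-action@v2
"""


def check_manifest(manifest_text: str, repo_files: set[str]) -> list[str]:
    """When mcpServers is a path, it must stay inside the repo and name a tracked file."""
    servers = json.loads(manifest_text).get("mcpServers")
    if not isinstance(servers, str):
        return []  # inline server objects are not a file reference; nothing to resolve
    rel = posixpath.normpath(servers)  # "./.mcp.json" -> ".mcp.json"
    if posixpath.isabs(rel) or rel == ".." or rel.startswith("../"):
        return [f"mcpServers escapes the repository root: {servers}"]
    if rel not in repo_files:
        return [f"mcpServers references a file not in the repository: {servers}"]
    return []


def check_workflow(workflow_text: str) -> list[str]:
    """Every `uses:` step must be pinned to a 40-hex commit SHA and come from an allowlisted publisher."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        owner, repo, ref = m.groups()
        if not SHA_RE.fullmatch(ref):
            findings.append(f"line {lineno}: {owner}/{repo} is not pinned to a commit SHA ({ref})")
        if owner not in TRUSTED_PUBLISHERS:
            findings.append(f"line {lineno}: {owner}/{repo} comes from a publisher outside the allowlist")
    return findings
```

Run against the samples, `check_manifest` reports the missing `./.mcp.json` and `check_workflow` flags the scanner action's publisher plus the unpinned `v2` step, while the SHA-pinned `actions/checkout` passes.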
