Plugin Publishing Guide¶
This document explains how to submit a plugin to the official AutoShip plugin store.
1. Publishing Process Overview¶
- Develop the plugin using examples/custom-plugin as a template.
- Complete local testing and make sure it passes at least
ruff check,pytest, and AutoShip'splugin verify. - Generate a sha256 checksum for the plugin package, and optionally generate a PGP signature.
- Publish the package to PyPI (or another pip-installable location such as a GitHub Release).
- Submit a PR to this repository adding a new plugin entry to
registry/plugins.json. - After maintainers review and merge it, the plugin automatically appears in the Plugin Registry Web UI.
2. Metadata Format¶
Each plugin entry must be a JSON object with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
name |
string | Yes | Unique plugin identifier; only lowercase letters, digits, and hyphens are allowed. |
package |
string | Yes | pip install package name, e.g. autoship-commit-sign. |
module |
string | Yes | Python import path, e.g. autoship_commit_sign.plugin. |
version |
string | Yes | Semantic version number, e.g. 1.2.3. |
description |
string | Yes | One-sentence description. |
trust_level |
string | Yes | builtin / verified / community / untrusted. |
entry_point |
string | Yes | Plugin entry point, e.g. autoship_commit_sign.plugin:CommitSignPlugin. |
hooks |
string[] | Yes | Supported hooks, e.g. ["pre_commit", "post_commit"]. |
publisher |
object | Yes | { id, verified, url }; verified requires admin confirmation. |
maintainer |
string | Yes | Maintainer name and contact email. |
license |
string | Yes | SPDX license identifier. |
sha256 |
string | Recommended | sha256 checksum of the published package (wheel). Required for verified plugins. |
signature |
string | Recommended | base64-encoded signature of the sha256 using AutoShip's official private key. Required for verified plugins. |
permissions |
object | Yes | { filesystem, network, shell, git, env }, declaring the permissions the plugin requires. |
categories |
string[] | Yes | Category tags, e.g. ["security", "git"]. |
tags |
string[] | No | Search keywords. |
homepage |
string | Recommended | Plugin homepage URL. |
source_url |
string | Recommended | Source repository URL. |
downloads |
integer | No | Download count, maintained by the registry. |
rating |
object | No | { score, count }, maintained by the registry. |
audit_status |
string | Yes | pending / approved / rejected; new submissions are pending and updated by admins after review. |
Full example:
{
"name": "commit-sign",
"package": "autoship-commit-sign",
"module": "autoship_commit_sign.plugin",
"version": "1.0.0",
"description": "Automatically adds a signature to generated commits.",
"trust_level": "verified",
"entry_point": "autoship_commit_sign.plugin:CommitSignPlugin",
"hooks": ["pre_commit"],
"publisher": {
"id": "alice-chen",
"verified": true,
"url": "https://github.com/alice-chen"
},
"maintainer": "Alice Chen <alice@example.com>",
"license": "MIT",
"sha256": "a3f5c8e2b4d6f7a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5",
"signature": "base64-encoded-pgp-signature",
"permissions": {
"filesystem": "read-only",
"network": false,
"shell": false,
"git": true,
"env": []
},
"categories": ["security", "git"],
"tags": ["gpg", "sign", "commit"],
"downloads": 0,
"rating": { "score": 0.0, "count": 0 },
"homepage": "https://github.com/example/autoship-commit-sign",
"source_url": "https://github.com/example/autoship-commit-sign",
"audit_status": "approved"
}
3. Checksum & Signature Requirements¶
3.1 Computing sha256¶
Write the resulting 64-character hexadecimal string into the sha256 field of registry/plugins.json.
3.2 Generating a Signature (verified plugins)¶
Only plugins with trust_level: verified require a signature. Admins sign the sha256 string with AutoShip's official PGP private key:
echo -n "<sha256-hex>" | gpg --armor --detach-sign --output signature.asc
# Write the base64-encoded signature content into registry/plugins.json
base64 -w 0 signature.asc
If the plugin does not apply for the verified level, keep trust_level: community and leave sha256/signature empty.
4. Verified Publisher Certification Process¶
The verified trust level identifies publishers and plugins reviewed by the AutoShip team. The application process is as follows:
4.1 Publisher Eligibility¶
Applicants must meet the following requirements:
- Maintain the plugin under a real identity or an active organization account.
- The plugin source repository is public and has been continuously maintained for at least 3 months or has released 2 or more versions.
- No history of serious security incidents or malicious behavior.
4.2 Submitting a Certification Application¶
Create an issue on GitHub using the Verified Publisher Application template, providing:
- Publisher ID (GitHub username or organization name) and homepage URL.
- A list of plugins already published or planned for maintenance.
- Contact information (public email or organization email).
4.3 Review Criteria¶
Maintainers review against the following criteria:
| Dimension | Requirement |
|---|---|
| Identity authenticity | Publisher identity is verifiable; homepage or organization profile is complete. |
| Plugin quality | Code passes ruff check and pytest; documentation and examples are complete. |
| Security compliance | Permission declarations are consistent with actual behavior; no excessive network/shell requests. |
| Continuous maintenance | Active commits or version releases in the last 3 months. |
4.4 Certification Result¶
- If approved: The publisher's information is recorded in
registry/publishers.json, and their plugins may be marked withpublisher.verified = true. - If not approved: A reply is posted on the issue explaining the reason; you may reapply after supplementing the materials.
- Revocation: If the publisher subsequently has a security incident, stops maintaining for a long time, or provides false information, maintainers may revoke their
verifiedstatus.
5. PR Template¶
When submitting a plugin to registry/plugins.json, please fill in the following in the PR description:
## Plugin Submission
- **Plugin name**:
- **PyPI package name**:
- **Source URL**:
- **Requested trust level**: community / verified
- **sha256 of wheel**:
- **Signature** (if verified):
## Checklist
- [ ] The plugin source repository includes a `README.md`, an open-source license, and usage examples.
- [ ] The plugin passes at least `pytest` and `ruff check`.
- [ ] Installation has been verified with `autoship plugin verify <package>`.
- [ ] `permissions` have been filled in, and the permission scope does not exceed what the plugin actually needs.
- [ ] The sha256 checksum of the wheel has been provided (verified plugins also need a signature).
- [ ] I have read and agree to the [Privacy Policy](./privacy.md).
6. Review & Listing¶
- Automated checks: CI validates the JSON schema, sha256 format, and required fields.
- Security review: Maintainers examine high-sensitivity declarations such as
permissions,network, andshell. - Experience review: Confirm that documentation, error messages, and usage examples are complete.
- After merge: registry-web is deployed automatically, and users can find the plugin via
autoship plugin search <name>.
7. Updates & Delisting¶
- Version updates: Submit a new PR updating
version,sha256, andsignature. - Delisting a plugin: Change
audit_statustorejectedand explain the reason; plugins with serious security issues are removed from the registry.