Summary

bump-plugin-version.yml has been failing on every merge to main since today's security + plugin-packaging work — 5 runs in a row, starting with #387's merge at 16:13Z. All failing with protected branch hook declined.

Root cause

The workflow runs on every push to main, auto-bumps the patch version (3.1.0 → 3.1.1), updates 5 files, then tries to git push directly to main. Branch protection (1 approval + CI required, enforce_admins=true) blocks direct pushes, so every run fails at the final step.

It also conflicts with the manual version-management pattern we're actually using: Ben bumped 3.0.0 → 3.0.14 by hand across PRs, and #409 bumped to 3.1.0 explicitly. If the auto-bump worked, it would silently push 3.1.1 on the next merge and drift the version away from our intentional releases.

Fix

Rename bump-plugin-version.yml → bump-plugin-version.yml.disabled. GitHub Actions skips anything that doesn't end in .yml or .yaml, so this is a reversible, zero-risk disable.

If we want to revive it later

The workflow would need to:

1. Open a PR instead of pushing directly (so it respects branch protection)
2. Only trigger on manual dispatch or on specific commits (so it doesn't fire on every merge)
3. Coordinate with manual version bumps (probably check if version was already bumped in the merged PR and skip if so)

That's a larger rewrite and not worth doing until we decide whether auto-patch-bumps actually fit our release rhythm.

Test plan

• CI passes
• After merge: next push to main does NOT trigger a Bump Version workflow run