From e4d7a5654734895bd1f4ecd17b803931e8f37d7b Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Tue, 5 May 2026 04:54:58 +0000
Subject: [PATCH] add dual approval gate workflow

headlamp-argocd-plugin was missing the dual-approval (CTO + QA) gate
required by SDLC. Added identical workflow to all other plugin repos.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/dual-approval.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/dual-approval.yaml

diff --git a/.github/workflows/dual-approval.yaml b/.github/workflows/dual-approval.yaml
new file mode 100644
index 0000000..c4a96cf
--- /dev/null
+++ b/.github/workflows/dual-approval.yaml
@@ -0,0 +1,20 @@
+name: Dual Approval (CTO + QA)
+
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  dual-approval:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}