chore(renovate): pin action to v40.3.0, fix inputs per spec

chore(renovate): add self-hosted Renovate GitHub Action workflow
2026-05-06 11:04:48 +00:00 · 2026-05-06 10:51:31 +00:00
5 changed files with 21 additions and 47 deletions
@@ -1,20 +0,0 @@
-name: Promotion Gate
-
-# Calls the shared promotion gate workflow.
-# dev PRs: no gate (engineer self-merges).
-# uat PRs: QA approval required.
-# main PRs: UAT approval required (uat→main promotions).
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-  pull_request:
-    branches: [uat, main]
-    types: [opened, reopened, synchronize]
-
-jobs:
-  promotion-gate:
-    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    secrets: inherit
-    with:
-      pr_number: ${{ github.event.pull_request.number }}
@@ -0,0 +1,14 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: renovatebot/github-action@v40.3.0
+        with:
+          configurationFile: renovate.json
+          renovate-json5: true
@@ -1,4 +1,4 @@
-version: "0.1.3"
+version: "0.1.2"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,10 +26,10 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.3/privilegedescalation-headlamp-argocd-plugin-0.1.3.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:cf96084b79a76b341b5f08d4e17ccf77b5de20f4178061ddc5b5e8dfa81d2743
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
 changes:
-  - kind: fixed
-    description: "Fix archive URL to point to GitHub v0.1.3 release and bump version"
+  - kind: added
+    description: "Initial v0.1.0 release"
@@ -1,6 +1,6 @@
 # Artifact Hub repository metadata
 # https://artifacthub.io/docs/topics/repositories/#repository-metadata-file
-repositoryID: "3648e8a8-54f7-474c-9977-00ec3b4ea1e1"
+repositoryID: ""
 owners:
  - name: privilegedescalation
-    email: chris@farhood.org
+    email: chris@farhood.org
@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}
Author	SHA1	Message	Date
Chris Farhood	97e1c609e0	chore(renovate): pin action to v40.3.0, fix inputs per spec	2026-05-06 11:04:48 +00:00
privilegedescalation-engineer[bot]	e9366ad6b8	chore(renovate): add self-hosted Renovate GitHub Action workflow	2026-05-06 10:51:31 +00:00