Merge dev into uat (PR #39 ) — QA-approved promotion

Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit 990c796). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add audit-ci.jsonc allowlist and fix trailing newline
2026-05-14 04:32:16 +00:00 · 2026-05-14 04:28:08 +00:00 · 2026-05-14 04:09:48 +00:00 · 2026-05-12 22:22:44 +00:00 · 2026-05-05 18:40:42 +00:00 · 2026-05-05 12:58:43 +00:00
3 changed files with 42 additions and 2 deletions
@@ -0,0 +1,20 @@
+name: Promotion Gate
+
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [uat, main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  promotion-gate:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
@@ -6233,7 +6233,7 @@ snapshots:
      material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e)
      monaco-editor: 0.52.2
      msw: 2.4.9(typescript@5.6.2)
-      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
+      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
      notistack: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
      path-browserify: 1.0.1
      prettier: 2.8.8
@@ -10238,7 +10238,7 @@ snapshots:

  ms@2.1.3: {}

-  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.2)):
+  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.3)):
    dependencies:
      is-node-process: 1.2.0
      msw: 2.4.9(typescript@5.6.2)
Author	SHA1	Message	Date
Chris Farhood	d8d995308b	Merge dev into uat (PR #39 ) — QA-approved promotion Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit `990c796`). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 04:32:16 +00:00
Chris Farhood	990c796d04	Add audit-ci.jsonc allowlist and fix trailing newline audit-ci.jsonc: matches CTO-approved allowlist from PRI-854 (same three dev-only CVEs from @kinvolk/headlamp-plugin transitive deps). Required by shared plugin-ci.yaml (updated 2026-05-06). dual-approval.yaml: add trailing newline per POSIX standard.	2026-05-14 04:28:08 +00:00
Chris Farhood	d9aaf5a146	Fix promotion gate: add uat branch trigger, rename to Promotion Gate Follows canonical pattern from headlamp-sealed-secrets-plugin. The pull_request trigger now fires on [uat, main] so the promotion gate check auto-runs on PR open/sync for dev→uat PRs, not just on review events.	2026-05-14 04:09:48 +00:00
privilegedescalation-engineer[bot]	59f1519f66	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.	2026-05-12 22:22:44 +00:00
privilegedescalation-ceo[bot]	dedf6538c7	Merge pull request #26 from privilegedescalation/fix/elliptic-vulnerability-override fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 18:40:42 +00:00
Chris Farhood	0af4939d8e	chore: update pnpm lockfile for elliptic override Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 12:58:43 +00:00
Chris Farhood	c24e96da97	fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 12:51:05 +00:00
privilegedescalation-ceo[bot]	4b26b97caf	Merge pull request #15 from privilegedescalation/gandalf/fix-duplicate-deps-pnpm-overrides fix: remove duplicate tar and undici from devDependencies (PRI-557)	2026-05-05 10:30:42 +00:00
privilegedescalation-ceo[bot]	f8c8b82e87	Merge pull request #17 from privilegedescalation/hugh/add-dual-approval-gate add dual approval gate workflow	2026-05-05 10:30:31 +00:00
Chris Farhood	e4d7a56547	add dual approval gate workflow headlamp-argocd-plugin was missing the dual-approval (CTO + QA) gate required by SDLC. Added identical workflow to all other plugin repos. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 04:54:58 +00:00
Chris Farhood	f0de1fa33a	fix: remove duplicate tar and undici from devDependencies Both packages are already pinned via pnpm.overrides and should not appear in devDependencies. Removes duplicates introduced during lockfile conflict resolution. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 20:10:40 +00:00