Merge dev into uat (PR #39 ) — QA-approved promotion

Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit 990c796). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add audit-ci.jsonc allowlist and fix trailing newline
2026-05-14 04:32:16 +00:00 · 2026-05-14 04:28:08 +00:00 · 2026-05-14 04:09:48 +00:00 · 2026-05-12 22:22:44 +00:00 · 2026-05-05 18:40:42 +00:00 · 2026-05-05 12:58:43 +00:00
6 changed files with 51 additions and 5 deletions
@@ -0,0 +1,20 @@
+name: Promotion Gate
+
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [uat, main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  promotion-gate:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
@@ -1,4 +1,4 @@
-version: "0.1.0"
+version: "0.1.2"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,8 +26,8 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.0/headlamp-argocd-0.1.0.tar.gz"
-  headlamp/plugin/archive-checksum: "sha256:1f4df43f79b795bdf4f70e1e3aa5bacadf689ea5584fdadf92fb677faab21c2c"
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
 changes:
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
@@ -1,6 +1,6 @@
 {
  "name": "@privilegedescalation/headlamp-argocd-plugin",
-  "version": "0.1.0",
+  "version": "0.1.2",
  "description": "Headlamp plugin for ArgoCD visibility — monitors ArgoCD Applications, Rollouts, and health status",
  "repository": {
    "type": "git",
@@ -33,7 +33,8 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
+      "elliptic": ">=6.6.1"
    }
  },
  "devDependencies": {
@@ -8,6 +8,7 @@ overrides:
  tar: ^7.5.11
  undici: ^7.24.3
  flatted: ^3.4.2
+  elliptic: '>=6.6.1'

 importers:

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
+}
Author	SHA1	Message	Date
Chris Farhood	d8d995308b	Merge dev into uat (PR #39 ) — QA-approved promotion Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit `990c796`). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 04:32:16 +00:00
Chris Farhood	990c796d04	Add audit-ci.jsonc allowlist and fix trailing newline audit-ci.jsonc: matches CTO-approved allowlist from PRI-854 (same three dev-only CVEs from @kinvolk/headlamp-plugin transitive deps). Required by shared plugin-ci.yaml (updated 2026-05-06). dual-approval.yaml: add trailing newline per POSIX standard.	2026-05-14 04:28:08 +00:00
Chris Farhood	d9aaf5a146	Fix promotion gate: add uat branch trigger, rename to Promotion Gate Follows canonical pattern from headlamp-sealed-secrets-plugin. The pull_request trigger now fires on [uat, main] so the promotion gate check auto-runs on PR open/sync for dev→uat PRs, not just on review events.	2026-05-14 04:09:48 +00:00
privilegedescalation-engineer[bot]	59f1519f66	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.	2026-05-12 22:22:44 +00:00
privilegedescalation-ceo[bot]	dedf6538c7	Merge pull request #26 from privilegedescalation/fix/elliptic-vulnerability-override fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 18:40:42 +00:00
Chris Farhood	0af4939d8e	chore: update pnpm lockfile for elliptic override Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 12:58:43 +00:00
Chris Farhood	c24e96da97	fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 12:51:05 +00:00
privilegedescalation-ceo[bot]	4b26b97caf	Merge pull request #15 from privilegedescalation/gandalf/fix-duplicate-deps-pnpm-overrides fix: remove duplicate tar and undici from devDependencies (PRI-557)	2026-05-05 10:30:42 +00:00
privilegedescalation-ceo[bot]	5b5ed9897b	Merge pull request #16 from privilegedescalation/gandalf/pri-589-cleanup fix: add markdownlint config to resolve CI failures (PRI-589)	2026-05-05 10:30:37 +00:00
privilegedescalation-ceo[bot]	f8c8b82e87	Merge pull request #17 from privilegedescalation/hugh/add-dual-approval-gate add dual approval gate workflow	2026-05-05 10:30:31 +00:00
privilegedescalation-ceo[bot]	6aefdb00a8	Merge pull request #10 from privilegedescalation/chore/add-renovate-config chore: add renovate.json extending org preset	2026-05-05 10:29:59 +00:00
privilegedescalation-ceo[bot]	5db792f0a7	Merge pull request #11 from privilegedescalation/release/v0.1.2 release: v0.1.2	2026-05-05 10:29:55 +00:00
privilegedescalation-ceo[bot]	413634a01e	Merge pull request #12 from privilegedescalation/dev docs: redirect headlamp install namespace to headlamp (PRI-439)	2026-05-05 10:29:51 +00:00
Chris Farhood	e4d7a56547	add dual approval gate workflow headlamp-argocd-plugin was missing the dual-approval (CTO + QA) gate required by SDLC. Added identical workflow to all other plugin repos. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 04:54:58 +00:00
privilegedescalation-engineer[bot]	0e41bb649d	fix: resolve markdownlint CI failures in headlamp-argocd-plugin (#9 ) * Remove duplicate tar/undici from devDependencies (already in pnpm.overrides) Consolidates dual override blocks by removing the duplicate entries from devDependencies. These packages are already pinned via pnpm.overrides and should not appear in devDependencies. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: add markdownlint config to resolve CI failures Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: sync pnpm-lock.yaml after removing tar and undici deps The pnpm-lock.yaml was out of sync with package.json after tar and undici were removed. Regenerated to resolve pnpm install failure in CI. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-05 00:24:20 +00:00
Chris Farhood	f0de1fa33a	fix: remove duplicate tar and undici from devDependencies Both packages are already pinned via pnpm.overrides and should not appear in devDependencies. Removes duplicates introduced during lockfile conflict resolution. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 20:10:40 +00:00
Chris Farhood	827b4f31cc	docs: confirm headlamp namespace audit (PRI-439) Audit of headlamp-argocd-plugin for kube-system → headlamp namespace redirect. No in-scope kube-system references found. In-scope files audited (all clean): - README.md: no install snippet referencing kube-system - CLAUDE.md: no kube-system references - artifacthub-pkg.yml: no kube-system references Out-of-scope upstream-workload references verified untouched: - ArgoCD server lives in 'argocd' namespace (upstream watched workload) - Plugin install path is via Headlamp plugin manager (ArtifactHub), not Helm No code/text changes required. PR opened for SDLC sign-off. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 08:31:11 +00:00
github-actions[bot]	c648b43493	release: v0.1.2	2026-05-04 06:38:54 +00:00
Chris Farhood	01c37a85d7	chore: add renovate.json extending org preset Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 05:35:28 +00:00