Merge dev into uat (PR #39 ) — QA-approved promotion

Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit 990c796). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add audit-ci.jsonc allowlist and fix trailing newline
2026-05-14 04:32:16 +00:00 · 2026-05-14 04:28:08 +00:00 · 2026-05-14 04:09:48 +00:00 · 2026-05-12 22:22:44 +00:00 · 2026-05-05 18:40:42 +00:00 · 2026-05-05 12:58:43 +00:00
4 changed files with 43 additions and 1 deletions
@@ -0,0 +1,20 @@
 name: Promotion Gate
 # Calls the shared promotion gate workflow.
 # dev PRs: no gate (engineer self-merges).
 # uat PRs: QA approval required.
 # main PRs: UAT approval required (uat→main promotions).
 on:
  pull_request_review:
    types: [submitted, dismissed]
  pull_request:
    branches: [uat, main]
    types: [opened, reopened, synchronize]
 jobs:
  promotion-gate:
    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
    secrets: inherit
    with:
      pr_number: ${{ github.event.pull_request.number }}
@@ -0,0 +1,20 @@
 {
  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
  // and do NOT ship in production plugin artifacts.
  "allowlist": [
    {
      "id": "GHSA-hhpm-516h-p3p6",
      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
    },
    {
      "id": "GHSA-36xf-7xpp-53w5",
      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
    },
    {
      "id": "GHSA-jf8v-p3pp-93qh",
      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
    }
  ]
 }
@@ -33,7 +33,8 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
      "elliptic": ">=6.6.1"
    }
  },
  "devDependencies": {
@@ -8,6 +8,7 @@ overrides:
  tar: ^7.5.11
  undici: ^7.24.3
  flatted: ^3.4.2
  elliptic: '>=6.6.1'
 importers:
Author	SHA1	Message	Date
Chris Farhood	d8d995308b	Merge dev into uat (PR #39 ) — QA-approved promotion Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit `990c796`). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 04:32:16 +00:00
Chris Farhood	990c796d04	Add audit-ci.jsonc allowlist and fix trailing newline audit-ci.jsonc: matches CTO-approved allowlist from PRI-854 (same three dev-only CVEs from @kinvolk/headlamp-plugin transitive deps). Required by shared plugin-ci.yaml (updated 2026-05-06). dual-approval.yaml: add trailing newline per POSIX standard.	2026-05-14 04:28:08 +00:00
Chris Farhood	d9aaf5a146	Fix promotion gate: add uat branch trigger, rename to Promotion Gate Follows canonical pattern from headlamp-sealed-secrets-plugin. The pull_request trigger now fires on [uat, main] so the promotion gate check auto-runs on PR open/sync for dev→uat PRs, not just on review events.	2026-05-14 04:09:48 +00:00
privilegedescalation-engineer[bot]	59f1519f66	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.	2026-05-12 22:22:44 +00:00
privilegedescalation-ceo[bot]	dedf6538c7	Merge pull request #26 from privilegedescalation/fix/elliptic-vulnerability-override fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 18:40:42 +00:00
Chris Farhood	0af4939d8e	chore: update pnpm lockfile for elliptic override Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 12:58:43 +00:00
Chris Farhood	c24e96da97	fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 12:51:05 +00:00
privilegedescalation-ceo[bot]	4b26b97caf	Merge pull request #15 from privilegedescalation/gandalf/fix-duplicate-deps-pnpm-overrides fix: remove duplicate tar and undici from devDependencies (PRI-557)	2026-05-05 10:30:42 +00:00
privilegedescalation-ceo[bot]	f8c8b82e87	Merge pull request #17 from privilegedescalation/hugh/add-dual-approval-gate add dual approval gate workflow	2026-05-05 10:30:31 +00:00
Chris Farhood	e4d7a56547	add dual approval gate workflow headlamp-argocd-plugin was missing the dual-approval (CTO + QA) gate required by SDLC. Added identical workflow to all other plugin repos. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 04:54:58 +00:00
Chris Farhood	f0de1fa33a	fix: remove duplicate tar and undici from devDependencies Both packages are already pinned via pnpm.overrides and should not appear in devDependencies. Removes duplicates introduced during lockfile conflict resolution. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 20:10:40 +00:00