Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Null Pointer Nancy
|
009986067d | ||
 Gandalf the Greybeard
|
5aa76c9eb8 | ||
 Regression Regina [agent]
|
e12914b295 | ||
 Chris Farhood
|
4bac80683e | ||
|
Chris Farhood
|
b9ceb3e0c8 | ||
 Countess von Containerheim
|
a934265454 | ||
|
Countess von Containerheim
|
9e65ceaecc | ||
|
Countess von Containerheim
|
e51d36699c | ||
|
Chris Farhood
|
f64e574249 | ||
|
Null Pointer Nancy
|
d6cd0ec9d4 | ||
|
Null Pointer Nancy
|
738e5e2299 | ||
|
Chris Farhood
|
681d5474fc | ||
|
Chris Farhood
|
a2e7d8a5b2 |
@@ -1,6 +1,5 @@
|
|||||||
name: Promotion Gate
|
name: Promotion Gate
|
||||||
|
|
||||||
# Calls the shared promotion gate workflow.
|
|
||||||
# dev PRs: no gate (engineer self-merges).
|
# dev PRs: no gate (engineer self-merges).
|
||||||
# uat PRs: QA approval required.
|
# uat PRs: QA approval required.
|
||||||
# main PRs: UAT approval required (uat→main promotions).
|
# main PRs: UAT approval required (uat→main promotions).
|
||||||
@@ -14,7 +13,104 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
promotion-gate:
|
promotion-gate:
|
||||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
name: Promotion Gate
|
||||||
secrets: inherit
|
runs-on: ubuntu-latest
|
||||||
with:
|
container: ubuntu:latest
|
||||||
pr_number: ${{ github.event.pull_request.number }}
|
timeout-minutes: 5
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Install dependencies
|
||||||
|
run: apt-get update -qq && apt-get install -y --no-install-recommends ca-certificates curl jq
|
||||||
|
|
||||||
|
- name: Check promotion approval
|
||||||
|
env:
|
||||||
|
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
|
||||||
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||||
|
REPO: ${{ github.repository }}
|
||||||
|
BASE_REF: ${{ github.base_ref }}
|
||||||
|
run: |
|
||||||
|
if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
|
||||||
|
echo "::notice::No PR number in context. Skipping promotion gate."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
|
||||||
|
|
||||||
|
if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
|
||||||
|
BASE_REF=$(curl -sf \
|
||||||
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
||||||
|
-H "Accept: application/json" \
|
||||||
|
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
|
||||||
|
echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Determine required reviewer based on target branch
|
||||||
|
case "${BASE_REF}" in
|
||||||
|
dev)
|
||||||
|
echo "Target is dev — no review required. Engineers self-merge."
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
uat)
|
||||||
|
REQUIRED_REVIEWER="pe_regina"
|
||||||
|
GATE_NAME="QA"
|
||||||
|
;;
|
||||||
|
main)
|
||||||
|
REQUIRED_REVIEWER="pe_regina"
|
||||||
|
GATE_NAME="QA"
|
||||||
|
# For plugin repos (Pipeline A), UAT approval is needed for uat→main
|
||||||
|
# Check if the source branch is uat
|
||||||
|
SOURCE_REF=$(curl -sf \
|
||||||
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
||||||
|
-H "Accept: application/json" \
|
||||||
|
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
|
||||||
|
|
||||||
|
if [ "${SOURCE_REF}" = "uat" ]; then
|
||||||
|
REQUIRED_REVIEWER="pe_patty"
|
||||||
|
GATE_NAME="UAT"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "::notice::Target branch '${BASE_REF}' has no promotion gate configured."
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
|
||||||
|
|
||||||
|
# For uat→main promotions, pe_patty may not be able to review (bot account).
|
||||||
|
# Accept pe_nancy (CTO) as a valid alternative reviewer.
|
||||||
|
ALT_REVIEWER=""
|
||||||
|
if [ "${REQUIRED_REVIEWER}" = "pe_patty" ]; then
|
||||||
|
ALT_REVIEWER="pe_nancy"
|
||||||
|
fi
|
||||||
|
|
||||||
|
REVIEWS=$(curl -sf \
|
||||||
|
-H "Authorization: token ${GITEA_TOKEN}" \
|
||||||
|
-H "Accept: application/json" \
|
||||||
|
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
|
||||||
|
|
||||||
|
if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
|
||||||
|
echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
|
||||||
|
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||||
|
|
||||||
|
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
|
||||||
|
|
||||||
|
# Fallback: check if CTO approved as alternative for uat→main
|
||||||
|
if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
|
||||||
|
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
|
||||||
|
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||||
|
if [ "${REVIEWER_APPROVED}" = "true" ]; then
|
||||||
|
echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${REVIEWER_APPROVED}" = "true" ]; then
|
||||||
|
echo "Promotion gate passed: ${GATE_NAME} has approved."
|
||||||
|
else
|
||||||
|
echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|||||||
+5
-5
@@ -1,4 +1,4 @@
|
|||||||
version: "0.1.2"
|
version: "0.1.3"
|
||||||
name: headlamp-argocd
|
name: headlamp-argocd
|
||||||
displayName: ArgoCD Headlamp Plugin
|
displayName: ArgoCD Headlamp Plugin
|
||||||
createdAt: "2026-04-21T00:00:00Z"
|
createdAt: "2026-04-21T00:00:00Z"
|
||||||
@@ -26,10 +26,10 @@ maintainers:
|
|||||||
provider:
|
provider:
|
||||||
name: privilegedescalation
|
name: privilegedescalation
|
||||||
annotations:
|
annotations:
|
||||||
headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
|
headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.3/privilegedescalation-headlamp-argocd-plugin-0.1.3.tar.gz"
|
||||||
headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
|
headlamp/plugin/archive-checksum: sha256:cf96084b79a76b341b5f08d4e17ccf77b5de20f4178061ddc5b5e8dfa81d2743
|
||||||
headlamp/plugin/version-compat: ">=0.26"
|
headlamp/plugin/version-compat: ">=0.26"
|
||||||
headlamp/plugin/distro-compat: "in-cluster"
|
headlamp/plugin/distro-compat: "in-cluster"
|
||||||
changes:
|
changes:
|
||||||
- kind: added
|
- kind: fixed
|
||||||
description: "Initial v0.1.0 release"
|
description: "Fix archive URL to point to GitHub v0.1.3 release and bump version"
|
||||||
@@ -1,6 +1,6 @@
|
|||||||
# Artifact Hub repository metadata
|
# Artifact Hub repository metadata
|
||||||
# https://artifacthub.io/docs/topics/repositories/#repository-metadata-file
|
# https://artifacthub.io/docs/topics/repositories/#repository-metadata-file
|
||||||
repositoryID: ""
|
repositoryID: "3648e8a8-54f7-474c-9977-00ec3b4ea1e1"
|
||||||
owners:
|
owners:
|
||||||
- name: privilegedescalation
|
- name: privilegedescalation
|
||||||
email: chris@farhood.org
|
email: chris@farhood.org
|
||||||
Reference in New Issue
Block a user