chore: trigger fresh CI run via empty commit

fix: correct changes description in artifacthub-pkg.yml
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 01:19:35 +00:00 · 2026-05-20 01:07:43 +00:00 · 2026-05-20 01:07:26 +00:00 · 2026-05-20 00:22:30 +00:00 · 2026-05-19 23:41:58 +00:00 · 2026-05-14 22:29:19 +00:00
4 changed files with 47 additions and 7 deletions
@@ -0,0 +1,20 @@
+name: Promotion Gate
+
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [uat, main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  promotion-gate:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
@@ -1,4 +1,4 @@
-version: "0.1.2"
+version: "0.1.3"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,10 +26,10 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.3/privilegedescalation-headlamp-argocd-plugin-0.1.3.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:cf96084b79a76b341b5f08d4e17ccf77b5de20f4178061ddc5b5e8dfa81d2743
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
 changes:
-  - kind: added
-    description: "Initial v0.1.0 release"
+  - kind: fixed
+    description: "Fix archive URL to point to GitHub v0.1.3 release and bump version"
@@ -1,6 +1,6 @@
 # Artifact Hub repository metadata
 # https://artifacthub.io/docs/topics/repositories/#repository-metadata-file
-repositoryID: ""
+repositoryID: "3648e8a8-54f7-474c-9977-00ec3b4ea1e1"
 owners:
  - name: privilegedescalation
-    email: chris@farhood.org
+    email: chris@farhood.org
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
Author	SHA1	Message	Date
Chris Farhood	f64e574249	chore: trigger fresh CI run via empty commit Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (push) Failing after 2s Details CI / ci (pull_request) Failing after 3s Details Promotion Gate / promotion-gate (pull_request_review) Failing after 0s Details	2026-05-20 01:19:35 +00:00
Null Pointer Nancy	d6cd0ec9d4	fix: correct changes description in artifacthub-pkg.yml Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (push) Failing after 3s Details CI / ci (pull_request) Failing after 4s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 01:07:43 +00:00
Null Pointer Nancy	738e5e2299	fix: populate repositoryID in artifacthub-repo.yml Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (push) Failing after 3s Details CI / ci (pull_request) Failing after 3s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 01:07:26 +00:00
Chris Farhood	681d5474fc	Restore GitHub archive URLs in artifacthub-pkg.yml Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (push) Failing after 3s Details CI / ci (pull_request) Failing after 3s Details Per company policy, ArtifactHub archive URLs must point to GitHub. Reverted URLs that were incorrectly changed to Gitea. - homeURL → github.com - links[Source] → github.com - archive-url → github.com/releases/download/v0.1.3/ Version (0.1.3) and checksum unchanged. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 00:22:30 +00:00
Chris Farhood	a2e7d8a5b2	fix: point archive URLs from GitHub to Gitea; bump version to v0.1.3 CI / ci (pull_request) Failing after 3s Details CI / ci (push) Failing after 4s Details Promotion Gate / promotion-gate (pull_request) Failing after 0s Details - Update archive-url and checksum to v0.1.3 Gitea release - Change homeURL and links from github.com to git.farh.net - Bump version field from 0.1.2 to 0.1.3 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-19 23:41:58 +00:00
Countess von Containerheim	7d9d1674c1	Merge pull request 'Promote headlamp-argocd-plugin uat→main' (#40 ) from uat into main CI / ci (push) Successful in 37s Details	2026-05-14 22:29:19 +00:00
Chris Farhood	d8d995308b	Merge dev into uat (PR #39 ) — QA-approved promotion Resolves add/add conflict in audit-ci.jsonc: both branches independently added the CTO-approved allowlist (PRI-854); identical content, kept the POSIX-compliant trailing newline from uat/main. Also adds trailing newline to dual-approval.yaml (missed in dev commit `990c796`). Changes promoted from dev: - .github/workflows/dual-approval.yaml: Promotion Gate workflow (uat+main trigger) - audit-ci.jsonc: CTO-approved allowlist for 3 inherited dev-only CVEs Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 04:32:16 +00:00
Chris Farhood	990c796d04	Add audit-ci.jsonc allowlist and fix trailing newline audit-ci.jsonc: matches CTO-approved allowlist from PRI-854 (same three dev-only CVEs from @kinvolk/headlamp-plugin transitive deps). Required by shared plugin-ci.yaml (updated 2026-05-06). dual-approval.yaml: add trailing newline per POSIX standard.	2026-05-14 04:28:08 +00:00
Chris Farhood	d9aaf5a146	Fix promotion gate: add uat branch trigger, rename to Promotion Gate Follows canonical pattern from headlamp-sealed-secrets-plugin. The pull_request trigger now fires on [uat, main] so the promotion gate check auto-runs on PR open/sync for dev→uat PRs, not just on review events.	2026-05-14 04:09:48 +00:00
privilegedescalation-engineer[bot]	59f1519f66	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.	2026-05-12 22:22:44 +00:00
privilegedescalation-ceo[bot]	4b26b97caf	Merge pull request #15 from privilegedescalation/gandalf/fix-duplicate-deps-pnpm-overrides fix: remove duplicate tar and undici from devDependencies (PRI-557)	2026-05-05 10:30:42 +00:00
privilegedescalation-ceo[bot]	f8c8b82e87	Merge pull request #17 from privilegedescalation/hugh/add-dual-approval-gate add dual approval gate workflow	2026-05-05 10:30:31 +00:00
Chris Farhood	e4d7a56547	add dual approval gate workflow headlamp-argocd-plugin was missing the dual-approval (CTO + QA) gate required by SDLC. Added identical workflow to all other plugin repos. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 04:54:58 +00:00
Chris Farhood	f0de1fa33a	fix: remove duplicate tar and undici from devDependencies Both packages are already pinned via pnpm.overrides and should not appear in devDependencies. Removes duplicates introduced during lockfile conflict resolution. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 20:10:40 +00:00