- Remove rbac.authorization.k8s.io rule (create/delete on rolebindings
was privilege escalation; no RBAC self-management needed)
- Remove self-applying kubectl apply step from e2e workflow
(runner cannot grant its own permissions; RBAC must be pre-applied
via Flux from infra repo)
Reviewed-by: Hugh Hackman
Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step
to the E2E workflow before the deploy script runs.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds `.github/workflows/e2e.yaml` to run Playwright E2E smoke tests
against a deployed Headlamp instance in `privilegedescalation-dev`.
Follows the headlamp-polaris-plugin pattern:
- Builds the plugin, deploys via scripts/deploy-e2e-headlamp.sh
- Runs tests with `npm run e2e` (intel-gpu uses npm, not pnpm)
- Uploads Playwright report and test results on failure
- Cleans up via scripts/teardown-e2e-headlamp.sh (if: always())
- Concurrency group prevents concurrent runs sharing E2E resources
- Uses runs-on: runners-privilegedescalation (self-hosted ARC)
Depends on Gandalf's E2E test implementation in PR #25.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Configures the reusable release workflow to fetch the latest release
tag from intel/intel-device-plugins-for-kubernetes and set appVersion in artifacthub-pkg.yml.
This keeps our Artifact Hub listing in sync with the upstream project.
Add missing config files (.eslintrc.js, .prettierrc.js, .pluginrc,
.mcp.json, renovate.json), documentation (CLAUDE.md, CONTRIBUTING.md,
README.md, SECURITY.md, LICENSE), CI/CD workflows (ci.yaml, release.yaml),
and Claude agent definitions. Rename package from headlamp-intel-gpu-plugin
to intel-gpu to match the short-name convention used by all other plugins.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood
privilegedescalation-engineer[bot]