CI triggers on dev/uat/main. Promotion gate replaces dual-approval.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).
Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic
Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix(e2e): use headlamp-dev namespace in E2E workflow (PRI-550)
The infra RBAC in privilegedescalation/infra already covers headlamp-dev
with all needed E2E permissions. Changing the workflow to use headlamp-dev
unblocks E2E since the Arc Runners SA is already authorized there.
Depends on Gandalf's PR #58 for namespace corrections in scripts and RBAC
manifest.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* chore: re-trigger E2E with headlamp-dev namespace (PRI-550)
* chore: re-run CI/E2E checks (PRI-550)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Replace bare getByRole("heading", { name: /Intel GPU — .../i }) calls
with page.locator('main').getByRole('heading', { name: '...' }) so that
each locator matches exactly one element and Playwright strict mode is
satisfied.
The main element is the appropriate scoping container for plugin page
content. Exact name matching (without regex) is used to be precise about
which heading is being targeted.
Co-authored-by: Test User <test@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: update package-lock.json to satisfy lodash override
The package.json override requires lodash >=4.18.0, but the lockfile
had 4.17.23. Regenerated lockfile with npm install --include=dev.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope heading locators to main content area
Cherry-picked from PR #50 to fix E2E test failures on lodash PR.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
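The lockfile mismatch described in the lodash commits above (an override requiring >=4.18.0 while the lockfile still resolved 4.17.23) can be caught by a small check run in CI. This is an added example, not code from the repository: the function names and the sample lockfile are constructed for illustration, and it assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Constructed sample lockfile, not the repository's real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-plugin', version: '0.0.0' },
    'node_modules/lodash': { version: '4.17.23' },
    'node_modules/@kinvolk/headlamp-plugin/node_modules/lodash': { version: '4.18.0' },
    'node_modules/lodash.merge': { version: '4.6.2' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  if (!a || !b) return true; // fail closed on anything unparsable
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre; // 4.18.0-rc.1 sorts before 4.18.0
}

// Walk every resolved copy of `name`, including nested node_modules copies,
// and report the ones that do not meet the override's minimum.
function findOverrideViolations(lock, name, minimum) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The package name is whatever follows the last "node_modules/".
    if (path.split('node_modules/').pop() !== name) continue;
    if (entry.link) continue; // workspace symlink, no version of its own
    if (isBelow(entry.version, minimum)) out.push({ path, version: entry.version });
  }
  return out;
}

const violations = findOverrideViolations(SAMPLE_LOCK, 'lodash', '4.18.0');
console.log(violations.length ? violations : 'lockfile satisfies override');
```

Matching on the last path segment keeps similarly named packages such as `lodash.merge` out of the result while still catching copies nested under another dependency.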
The /intel.gpu/i regex was too broad and could match multiple headings
on the overview page, causing strict mode violations in Playwright.
Use /Intel GPU — Overview/i to match only the actual page heading,
which contains 'Intel GPU' before 'Overview'.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Headlamp sidebar child links (GPU Nodes, GPU Pods, Metrics) do not render
after clicking the parent intel-gpu sidebar button — they only appear when
already on a child route. Replace the sidebar-link assertion approach with
direct URL navigation, matching the pattern used by the device-plugins test.
Closes #34
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The 'navigation between plugin views works' test was navigating directly
to /c/main/intel-gpu and then immediately trying to find sidebar child
links (GPU Nodes, GPU Pods, Metrics). Direct URL navigation does not
guarantee that the Headlamp sidebar parent entry is expanded, so the
child links may not be rendered yet.
Fix: start from the home page and click the 'intel-gpu' sidebar button
to explicitly expand the section before asserting on child link
visibility. This mirrors the real user flow (tests 1 and 2 already
use this approach) and eliminates the race between navigation and
sidebar render.
Fixes #34
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PR #29 accidentally dropped the openapi-types peer dependency entry
from the lock file. This restores it by re-running npm install, which
resolves the CI failure: "Missing: openapi-types@12.1.3 from lock file".
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds @playwright/test ^1.58.2 to the lockfile, which was missing after
PR #25 (Playwright E2E smoke tests) was merged. This unblocks CI on main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Fail fast with a clear error if HEADLAMP_URL is not set, rather than
defaulting to the production Headlamp instance.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds `.github/workflows/e2e.yaml` to run Playwright E2E smoke tests
against a deployed Headlamp instance in `privilegedescalation-dev`.
Follows the headlamp-polaris-plugin pattern:
- Builds the plugin, deploys via scripts/deploy-e2e-headlamp.sh
- Runs tests with `npm run e2e` (intel-gpu uses npm, not pnpm)
- Uploads Playwright report and test results on failure
- Cleans up via scripts/teardown-e2e-headlamp.sh (if: always())
- Concurrency group prevents concurrent runs sharing E2E resources
- Uses runs-on: runners-privilegedescalation (self-hosted ARC)
Depends on Gandalf's E2E test implementation in PR #25.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add 3 SVG mockup screenshots (Overview, GPU Nodes, Metrics) to
docs/screenshots/ and wire them into the artifacthub-pkg.yml
screenshots section. Resolves the last metadata polish item for
v1.0.
appVersion 0.35.0 verified current — Intel Device Plugins latest
release is v0.35.0 (2026-02-16), no update needed.
Closes #16 (screenshots item)
Adds Headlamp Plugin Catalog installation instructions and a usage
summary to ArtifactHub metadata. Confirms appVersion 0.35.0 is current
(matches latest intel-device-plugins-for-kubernetes v0.35.0 release).
Partial close of #16 (v1.0 readiness checklist) — screenshots remain
blocked pending actual plugin deployment for capture.
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.ai>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: add component test coverage for all untested files
Adds 60 new tests (108 total) covering every untested module:
- IntelGpuDataContext: provider renders, loading/loaded states, CRD
available/unavailable paths, refresh, useIntelGpuContext throws outside
provider
- OverviewPage: loading, plugin-not-detected, error, populated, refresh
button, CRD notice, device plugin table, plugin daemon pods, active pods
- NodesPage: loading, empty state, GPU node summary table, detail cards
- PodsPage: loading, empty state, summary counts, pending pod attention,
all-pods table
- DevicePluginsPage: loading, CRD unavailable, no-plugins, plugin detail,
daemon pod table
- NodeDetailSection: null for non-GPU nodes, GPU capacity/allocatable rows,
pod list, loading state
- PodDetailSection: null for non-GPU pods, GPU resource rows, phase status,
limits-only containers
- MetricsPage: context loading gate, Prometheus unreachable, empty chips,
chip cards with power values, MetricRequirements always rendered, refresh
Also fixes vitest.config.mts to pin NODE_ENV=test so tests run correctly
without requiring callers to set it explicitly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: remove unused act import and merge duplicate metrics imports in MetricsPage.test.tsx
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: cast useList mock return values to any in IntelGpuDataContext.test.tsx
The Headlamp useList() return type is an intersection of a tuple and
QueryListResponse, which plain array literals like [[], null] and
[null, null] do not satisfy. Cast all useList mockReturnValue arguments
to any so tsc passes without requiring full KubeObject stub objects.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* style: run Prettier formatting and ESLint lint:fix on test files
Addresses CI format:check failures and import-sort warning in
MetricsPage.test.tsx flagged by QA on PR #17.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.com>
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Gandalf the Greybeard <gandalf-the-greybeard[bot]@users.noreply.github.com>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The package.json only listed @kinvolk/headlamp-plugin as a devDependency,
but CI runs tsc, eslint, prettier, and vitest which all require additional
packages. Add the same devDependencies used by the reference kube-vip plugin
and regenerate the lock file.
Also adds peerDependencies for react/react-dom to match the reference plugin
conventions.
Co-authored-by: Gandalf the Greybeard <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
ArtifactHub plugin installer is the only supported installation method.
Remove manual tarball, sidecar, and build-from-source install options
to align documentation with company policy.
Co-Authored-By: Paperclip <noreply@paperclip.ing>