From 7037a7b29cc5a128d5fab7a95b3cac701201e9ff Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 13 May 2026 13:00:29 +0000
Subject: [PATCH 1/2] fix: sync CI trigger branches on dev

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 899f2b1..654169d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev, uat]
   pull_request:
-    branches: [main]
+    branches: [main, dev, uat]
   workflow_dispatch:
   workflow_call:
 
-- 
2.52.0


From 3f22fb356104fdde2a6f24cf863d8f872a471781 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 13 May 2026 13:15:11 +0000
Subject: [PATCH 2/2] feat(security): add audit-ci.jsonc allowlist for
 dev-branch CVEs

CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin
transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do
not ship in production plugin artifacts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 audit-ci.jsonc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 audit-ci.jsonc

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
new file mode 100644
index 0000000..0921bea
--- /dev/null
+++ b/audit-ci.jsonc
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
\ No newline at end of file
-- 
2.52.0