.github/workflows/ci.yaml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev, uat]
   pull_request:
-    branches: [main]
+    branches: [main, dev, uat]
   workflow_dispatch:
   workflow_call:
 

audit-ci.jsonc

@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}

deployment/e2e-ci-runner-rbac.yaml

@@ -0,0 +1,12 @@
+---
+# RBAC for the GitHub Actions CI runner to manage E2E Headlamp instances.
+# CI-only test fixture — NOT for production use.
+#
+# This file is a REFERENCE ONLY. The canonical manifest lives in:
+#   privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
+#
+# The infra repo is managed by Flux GitOps and is the source of truth.
+# Do not apply this file directly — it is kept here for developer reference only.
+#
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.