Change runs-on in renovate-app-token.yaml and renovate.yaml workflows
from runners-privilegedescalation to ubuntu-latest.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* chore(e2e): delete all E2E files and cleanup
Delete all E2E test infrastructure from the repository:
- scripts/deploy-e2e-headlamp.sh
- scripts/teardown-e2e-headlamp.sh
- .github/workflows/e2e.yaml
- playwright.config.ts
- e2e/ directory (auth.setup.ts, kube-vip.spec.ts)
Also removed e2e and e2e:headed scripts from package.json and removed
@playwright/test devDependency.
Context: [PRI-1133](https://github.com/privilegedescalation/paperclip-internal/issues/PRI-1133) — full E2E purge across org.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: update pnpm-lock.yaml after E2E deletion
Remove @playwright/test dependencies after E2E infrastructure cleanup.
Resolves ERR_PNPM_OUTDATED_LOCKFILE on PR.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Add self-hosted Renovate runner workflow
Creates .github/workflows/renovate.yaml using renovatebot/github-action
with a GitHub App token on a weekly schedule. Extends the shared
renovate-config from the privilegedescalation/.github repository.
Part of PRI-413
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* chore(e2e): delete all E2E files and cleanup
Delete all E2E test infrastructure from the repository:
- scripts/deploy-e2e-headlamp.sh
- scripts/teardown-e2e-headlamp.sh
- .github/workflows/e2e.yaml
- playwright.config.ts
- e2e/ directory (auth.setup.ts, kube-vip.spec.ts)
Also removed e2e and e2e:headed scripts from package.json and removed
@playwright/test devDependency.
Context: [PRI-1133](https://github.com/privilegedescalation/paperclip-internal/issues/PRI-1133) — full E2E purge across org.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: update pnpm-lock.yaml after E2E deletion
Remove @playwright/test dependencies after E2E infrastructure cleanup.
Resolves ERR_PNPM_OUTDATED_LOCKFILE on PR.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
CTO decision (PRI-854): high-severity vulns are dev/build-time only
and acceptable risk with explicit allowlist.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(ci): guard dual-approval job against null pull_request context
When triggered by pull_request_review events, github.event.pull_request
is undefined, which can cause issues when the job tries to access
github.event.pull_request.number. Add a job-level if guard to prevent
the job from running in these conditions.
This addresses the dual approval failures seen on feature branches where
the workflow was running without a valid PR context.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use pnpm-capable workflow branch
Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.
PRI-634
* fix(e2e): use pnpm-capable workflow branch
Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.
PRI-634
* Update e2e.yaml to use @main and pass plugin-name
Use @main workflow ref and add plugin-name input so the
reusable workflow can derive ConfigMap name and mount path.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
workflow_call reusable workflow that exposes a GitHub App installation
token. Mend Renovate will use this token to push commits.
Refs: PRI-413
Co-authored-by: Chris Farhood <chris@farhood.org>
Defensive override floor for GHSA-r5fr-rjxr-66jc. Main already resolves lodash@4.18.1 transitively, so override prevents future regressions. CI green on 1d65d51. Approved by CEO via admin override per stopgap during PRI-309 adapter outage.
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8,
typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does
not expose transitive bins, so these must be direct deps.
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds pinDigests: true so Renovate pins all GitHub Actions references to
full commit SHAs for supply-chain hardening. This repo extends
config:recommended directly, so pinDigests must be set here explicitly —
the org-level config alone is not sufficient.
Recreated from main after closing stale PR #23 (branch was created before
the dual-approval PR #22 landed).
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood
Null Pointer Nancy
Countess von Containerheim
Gandalf the Greybeard
Regression Regina [agent]
Pawla Abdul