chore(renovate): pin action to v40.3.0, fix inputs per spec

* fix(ci): guard dual-approval job against null pull_request context

When triggered by pull_request_review events, github.event.pull_request
is undefined, which can cause issues when the job tries to access
github.event.pull_request.number. Add a job-level if guard to prevent
the job from running in these conditions.

This addresses the dual approval failures seen on feature branches where
the workflow was running without a valid PR context.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(e2e): use pnpm-capable workflow branch

Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.

PRI-634

* fix(e2e): use pnpm-capable workflow branch

Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.

PRI-634

* Update e2e.yaml to use @main and pass plugin-name

Use @main workflow ref and add plugin-name input so the
reusable workflow can derive ConfigMap name and mount path.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>

.github/workflows/dual-approval.yaml

@@ -14,6 +14,7 @@ on:
 
 jobs:
   dual-approval:
+    if: github.event.pull_request != null
     uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
     secrets: inherit
     with:

.github/workflows/e2e.yaml

@@ -16,8 +16,9 @@ concurrency:
 
 jobs:
   e2e:
-    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
+    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
     with:
       node-version: '22'
       headlamp-version: v0.40.1
       e2e-namespace: headlamp-dev
+      plugin-name: headlamp-kube-vip

.github/workflows/renovate.yml

@@ -0,0 +1,14 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: renovatebot/github-action@v40.3.0
+        with:
+          configurationFile: renovate.json
+          renovate-json5: true

SECURITY.md

@@ -22,3 +22,28 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
 ## Reporting a Vulnerability
 
 Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
+
+## Known Low-Severity Vulnerabilities
+
+### GHSA-848j-6mx2-7j84 (elliptic)
+
+**Severity:** High (but not exploitable in this plugin's context)
+
+**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
+
+**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
+- Use of `elliptic` curve operations on untrusted input, AND
+- Ability for an attacker to influence the `elliptic` curve key generation input
+
+Neither condition is met in this plugin's runtime context.
+
+**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
+
+**Risk acceptance rationale:**
+1. Plugin has no write operations against the cluster
+2. All data flows through Headlamp's API proxy with standard RBAC enforcement
+3. The vulnerable dependency is only in the development/build toolchain, not runtime
+4. No untrusted input can reach `elliptic` curve operations through this plugin
+
+**Review date:** 2026-05-05
+**Reviewed by:** Hugh Hackman (VP Engineering Operations)

e2e/kube-vip.spec.ts

@@ -1,35 +1,28 @@
 import { test, expect } from '@playwright/test';
 
-async function waitForSidebar(page: import('@playwright/test').Page) {
-  const sidebar = page.getByRole('navigation', { name: 'Navigation' });
-  await expect(sidebar).toBeVisible({ timeout: 15_000 });
-  await page.waitForLoadState('networkidle');
-  return sidebar;
-}
-
 test.describe('kube-vip plugin smoke tests', () => {
   test('sidebar contains kube-vip entry', async ({ page }) => {
     await page.goto('/');
-    const sidebar = await waitForSidebar(page);
+    const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+    await expect(sidebar).toBeVisible({ timeout: 15_000 });
     await expect(sidebar.getByRole('button', { name: /kube.vip/i })).toBeVisible();
   });
 
   test('kube-vip sidebar entry navigates to kube-vip view', async ({ page }) => {
     await page.goto('/');
-    const sidebar = await waitForSidebar(page);
+    const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+    await expect(sidebar).toBeVisible({ timeout: 15_000 });
 
     const entry = sidebar.getByRole('button', { name: /kube.vip/i });
     await expect(entry).toBeVisible();
     await entry.click();
 
-    await page.waitForLoadState('networkidle');
     await expect(page).toHaveURL(/kube-vip/);
     await expect(page.getByRole('heading', { name: /kube.vip/i })).toBeVisible();
   });
 
   test('kube-vip page renders content', async ({ page }) => {
     await page.goto('/c/main/kube-vip');
-    await waitForSidebar(page);
 
     await expect(page.getByRole('heading', { name: /kube.vip/i })).toBeVisible({
       timeout: 15_000,
@@ -42,7 +35,6 @@ test.describe('kube-vip plugin smoke tests', () => {
 
   test('plugin settings page shows kube-vip plugin entry', async ({ page }) => {
     await page.goto('/settings/plugins');
-    await page.waitForLoadState('networkidle');
 
     const pluginEntry = page.locator('text=/kube.vip/i').first();
     await expect(pluginEntry).toBeVisible({ timeout: 30_000 });

package.json

@@ -35,7 +35,8 @@
     "tar": "^7.5.11",
     "undici": "^7.24.3",
     "lodash": ">=4.18.0",
-    "vite": ">=6.4.2"
+    "vite": ">=6.4.2",
+    "elliptic": ">=6.6.1"
   },
   "devDependencies": {
     "@headlamp-k8s/eslint-config": "^0.6.0",

scripts/deploy-e2e-headlamp.sh

@@ -1,4 +1,20 @@
 #!/usr/bin/env bash
+# deploy-e2e-headlamp.sh
+#
+# Deploys a stock Headlamp instance with the rook plugin loaded via
+# a ConfigMap volume mount.
+#
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# persists beyond the test run — teardown cleans up all created resources.
+#
+# Prerequisites:
+#   - Plugin built (dist/ exists with plugin-main.js + package.json)
+#   - kubectl configured with cluster access
+#
+# Environment:
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
@@ -27,9 +43,13 @@ echo "  Release:   $E2E_RELEASE"
 echo ""
 echo "Creating ConfigMap with plugin files..."
 
-kubectl delete configmap headlamp-kube-vip-plugin   -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete configmap headlamp-kube-vip-plugin \
+  -n "$E2E_NAMESPACE" --ignore-not-found
 
-kubectl create configmap headlamp-kube-vip-plugin   -n "$E2E_NAMESPACE"   --from-file="$DIST_DIR"   --from-file=package.json="$REPO_ROOT/package.json"
+kubectl create configmap headlamp-kube-vip-plugin \
+  -n "$E2E_NAMESPACE" \
+  --from-file="$DIST_DIR" \
+  --from-file=package.json="$REPO_ROOT/package.json"
 
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
@@ -68,7 +88,7 @@ spec:
         app.kubernetes.io/instance: ${E2E_RELEASE}
     spec:
       serviceAccountName: ${E2E_RELEASE}
-      automountServiceAccountToken: true
+      automountServiceAccountToken: false
       securityContext: {}
       containers:
         - name: headlamp
@@ -101,11 +121,11 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 10
           volumeMounts:
-            - name: kube-vip-plugin
+            - name: rook-plugin
               mountPath: /headlamp/plugins/headlamp-kube-vip
               readOnly: true
       volumes:
-        - name: kube-vip-plugin
+        - name: rook-plugin
           configMap:
             name: headlamp-kube-vip-plugin
 ---
@@ -130,7 +150,9 @@ spec:
 EOF
 
 echo "Waiting for rollout..."
-kubectl rollout status "deployment/${E2E_RELEASE}"   -n "$E2E_NAMESPACE" --timeout=120s
+sleep 2
+kubectl rollout status "deployment/${E2E_RELEASE}" \
+  -n "$E2E_NAMESPACE" --timeout=120s
 
 SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
 
@@ -152,7 +174,8 @@ echo "E2E Headlamp is ready at: ${SVC_URL}"
 
 echo ""
 echo "Creating service account token for E2E auth..."
-kubectl create serviceaccount headlamp-e2e-test   -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
 
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then