Merge pull request 'fix(ci): inline CI workflow, remove reusable .github dependency (PRI-1630)' (#76) from fix/pri-1630-inline-ci into main

fix(ci): inline CI workflow (PRI-1630)

.github/workflows/ci.yaml

@@ -2,12 +2,210 @@ name: CI
 
 on:
   push:
-    branches: [main, dev, uat]
+    branches: ['**']
   pull_request:
     branches: [main, dev, uat]
-  workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   ci:
-    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    container: node:22-slim
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Python
+        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
+
+      - name: Validate artifacthub-pkg.yml
+        run: |
+          python3 - <<'EOF'
+          import sys, re
+          try:
+              import yaml
+          except ImportError:
+              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
+              sys.exit(0)
+
+          try:
+              with open("artifacthub-pkg.yml") as f:
+                  pkg = yaml.safe_load(f)
+          except FileNotFoundError:
+              print("::error::artifacthub-pkg.yml not found")
+              sys.exit(1)
+          except yaml.YAMLError as e:
+              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
+              sys.exit(1)
+
+          errors = []
+
+          for field in ["version", "name", "description", "homeURL"]:
+              if not pkg.get(field):
+                  errors.append(f"Missing required field: {field}")
+
+          version = pkg.get("version", "")
+          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
+              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
+
+          annotations = pkg.get("annotations", {}) or {}
+          archive_url = annotations.get("headlamp/plugin/archive-url", "")
+          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
+
+          if not archive_url:
+              errors.append("Missing annotation: headlamp/plugin/archive-url")
+          if not archive_checksum:
+              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
+          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
+              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
+
+          if errors:
+              for e in errors:
+                  print(f"::error::{e}")
+              sys.exit(1)
+
+          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
+          EOF
+
+      - name: Detect package manager
+        id: pkg-manager
+        run: |
+          if [ -f "pnpm-lock.yaml" ]; then
+            echo "manager=pnpm" >> $GITHUB_OUTPUT
+            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
+            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
+          else
+            echo "manager=npm" >> $GITHUB_OUTPUT
+            echo "has_package_manager=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
+
+      - name: Setup pnpm (via Corepack, reads version from packageManager field)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
+        run: |
+          npm install -g corepack
+          corepack enable pnpm
+          corepack install
+
+      - name: Setup pnpm (version latest)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
+        uses: pnpm/action-setup@v5
+        with:
+          run_install: false
+          version: latest
+
+      - name: Get pnpm store directory
+        id: pnpm-store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.dir }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+
+      - name: Validate pnpm lockfile freshness
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: |
+          if [ ! -f "pnpm-lock.yaml" ]; then
+            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
+            exit 0
+          fi
+          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
+            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
+            exit 0
+          fi
+          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
+          ERR_FILE=$(mktemp)
+          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
+            echo "Lockfile is fresh."
+          else
+            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
+              echo ""
+              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
+              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
+              rm -f "$ERR_FILE"
+              exit 1
+            fi
+            rm -f "$ERR_FILE"
+            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
+          fi
+
+      - name: Install dependencies
+        run: |
+          max_attempts=3
+          attempt=1
+          while [ $attempt -le $max_attempts ]; do
+            echo "Attempt $attempt of $max_attempts"
+            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+              pnpm install --frozen-lockfile && break
+            else
+              npm ci && break
+            fi
+            if [ $attempt -lt $max_attempts ]; then
+              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
+              sleep 5
+            fi
+            attempt=$((attempt + 1))
+          done
+          if [ $attempt -gt $max_attempts ]; then
+            echo "::error::Install step failed after $max_attempts attempts."
+            exit 1
+          fi
+
+      - name: Build plugin
+        run: npx @kinvolk/headlamp-plugin build
+
+      - name: Lint
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run lint
+          else
+            npm run lint
+          fi
+
+      - name: Type-check
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run tsc
+          else
+            npm run tsc
+          fi
+
+      - name: Format check
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run format:check
+          else
+            npm run format:check
+          fi
+
+      - name: Run tests
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm test
+          else
+            npm test
+          fi
+
+      - name: Security audit
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
+          else
+            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
+          fi

CLAUDE.md

@@ -8,7 +8,7 @@ Headlamp plugin for kube-vip virtual IP and load balancer visibility. Read-only
 
 - **Plugin name**: `kube-vip`
 - **Target**: Headlamp >= v0.26
-- **Data sources**: kube-vip DaemonSet/pods in `kube-system`, Services (type:LoadBalancer), Nodes, Leases, `kubevip` ConfigMap
+- **Data sources**: kube-vip DaemonSet/pods in `headlamp`, Services (type:LoadBalancer), Nodes, Leases, `kubevip` ConfigMap
 - **Reference plugin**: `../headlamp-polaris-plugin`
 
 ## Commands
@@ -58,7 +58,7 @@ kube-vip uses **no CRDs**. All state comes from standard Kubernetes resources an
 
 ## Key constants (src/api/k8s.ts)
 
-- Namespace: `kube-system`
+- Namespace: `headlamp`
 - DaemonSet name: `kube-vip-ds`
 - Cloud provider name: `kube-vip-cloud-provider`
 - ConfigMap name: `kubevip`

README.md

@@ -20,7 +20,7 @@ Search for `kube-vip` in the Headlamp Plugin Manager (Settings → Plugins → C
 ## Requirements
 
 - Headlamp >= v0.26
-- kube-vip deployed in `kube-system` (DaemonSet or static pod)
+- kube-vip deployed in `headlamp` (DaemonSet or static pod)
 - Optional: kube-vip-cloud-provider for IP pool management
 
 ## RBAC
@@ -66,7 +66,7 @@ npm run lint       # ESLint
 
 | Symptom | Cause | Fix |
 |---------|-------|-----|
-| "kube-vip Not Detected" | No kube-vip pods in kube-system | Install kube-vip per https://kube-vip.io/docs/installation/ |
+| "kube-vip Not Detected" | No kube-vip pods in headlamp namespace | Install kube-vip per https://kube-vip.io/docs/installation/ |
 | No IP pools shown | kubevip ConfigMap not found | Install kube-vip-cloud-provider |
 | Services show "Pending" VIP | No IP pool configured or pool exhausted | Add IP ranges to kubevip ConfigMap |
 | Leader shows "—" | No kube-vip leases found | Verify leader election is enabled (`vip_leaderelection=true`) |

SECURITY.md

@@ -12,10 +12,10 @@ This plugin is **read-only**. It does not perform any write operations against t
 
 - Services (type: LoadBalancer)
 - Nodes
-- Pods in `kube-system`
-- DaemonSets in `kube-system`
-- Leases in `kube-system`
-- ConfigMaps in `kube-system`
+- Pods in `headlamp`
+- DaemonSets in `headlamp`
+- Leases in `headlamp`
+- ConfigMaps in `headlamp`
 
 All data is fetched through Headlamp's built-in API proxy, which respects the user's existing RBAC permissions.
 

src/components/OverviewPage.tsx

@@ -21,6 +21,7 @@ import {
   isEgressEnabled,
   isKubeVipService,
   isPodReady,
+  KUBE_VIP_NAMESPACE,
   phaseToStatus,
 } from '../api/k8s';
 import { useKubeVipContext } from '../api/KubeVipDataContext';
@@ -105,7 +106,9 @@ export default function OverviewPage() {
               {
                 name: 'Status',
                 value: (
-                  <StatusLabel status="error">No kube-vip pods found in kube-system</StatusLabel>
+                  <StatusLabel status="error">
+                    No kube-vip pods found in {KUBE_VIP_NAMESPACE}
+                  </StatusLabel>
                 ),
               },
               {