fix: change runner labels from runners-privilegedescalation to ubuntu-latest

Change runs-on in renovate-app-token.yaml and renovate.yaml workflows from runners-privilegedescalation to ubuntu-latest. Co-Authored-By: Paperclip <noreply@paperclip.ing>
docs: revert namespace to kube-system, use KUBE_VIP_NAMESPACE constant (#44 )
2026-05-20 15:55:48 +00:00 · 2026-05-14 03:35:15 +00:00 · 2026-05-14 03:34:38 +00:00 · 2026-05-13 12:20:57 +00:00 · 2026-05-12 22:30:59 +00:00 · 2026-05-11 21:39:59 +00:00
19 changed files with 12233 additions and 18498 deletions
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main]
+    branches: [main, dev, uat]
  pull_request:
-    branches: [main]
+    branches: [main, dev, uat]
  workflow_call:
  workflow_dispatch:

@@ -0,0 +1,21 @@
+name: Promotion Gate
+
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [uat, main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  promotion-gate:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
+
@@ -7,6 +7,8 @@ on:
        description: 'Release version (e.g. 1.0.0)'
        required: true
        type: string
+  repository_dispatch:
+    types: [release]

 permissions:
  contents: write
@@ -15,6 +17,10 @@ permissions:
 jobs:
  release:
    uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
    with:
-      version: ${{ inputs.version }}
+      version: ${{ inputs.version || github.event.client_payload.version }}
      upstream-repo: 'kube-vip/kube-vip'
+
@@ -0,0 +1,21 @@
+name: Mend Renovate GitHub App Token
+
+on:
+  workflow_call:
+    outputs:
+      token:
+        description: "Short-lived GitHub App installation token"
+        value: ${{ jobs.app-token.outputs.token }}
+
+jobs:
+  app-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
@@ -0,0 +1,20 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 3 * * 0'
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+      - uses: renovatebot/github-action@v40.3.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          configurationFile: renovate.json
@@ -5,3 +5,9 @@ dist/
 .env
 .env.local
 .eslintcache
+
+# E2E
+e2e/.auth/
+.env.e2e
+playwright-report/
+test-results/
@@ -0,0 +1,53 @@
+{
+  "config": {
+    // Line length — not enforced for docs with code examples
+    "MD013": false,
+    // First line heading — files use YAML frontmatter, not headings
+    "MD041": false,
+    // Emphasis as heading — common pattern for Option 1/2/3 sections
+    "MD036": false,
+    // No duplicate heading — changelog files repeat section names intentionally
+    "MD024": false,
+    // Fenced code language — not always applicable for diagram blocks
+    "MD040": false,
+    // Table column style — table alignment is visual, not semantic
+    "MD060": false,
+    // Ordered list item prefix — number resets are intentional in documents
+    "MD029": false,
+    // No inline HTML — each elements are valid in valid Markdown
+    "MD033": false,
+    // List marker space — spacing after list markers varies by editor
+    "MD030": false,
+    // Blanks around headings — not always needed in compact docs
+    "MD022": false,
+    // Blanks around lists — not always needed in compact docs
+    "MD032": false,
+    // Blanks around fences — not always needed between adjacent blocks
+    "MD031": false,
+    // Multiple blanks — editor artifacts, not semantic
+    "MD012": false,
+    // Single title — files may have multiple H1 sections
+    "MD025": false,
+    // Trailing spaces — editor artifacts
+    "MD009": false,
+    // Bare URLs — URL shortening not always needed
+    "MD034": false,
+    // Single trailing newline — editor artifacts
+    "MD047": false,
+    // Trailing punctuation — heading punctuation is intentional
+    "MD026": false,
+    // Space in emphasis — double-asterisk bold spacing varies by renderer
+    "MD037": false,
+    // No hard tabs — some generated docs use tabs for indentation
+    "MD010": false,
+    // Code block style — generated docs may use inconsistent styles
+    "MD046": false,
+    // Comment style — generated docs have no comments
+    "MD048": false,
+    // Commands show output — shell examples intentionally show only commands
+    "MD014": false
+  },
+  "ignores": [
+    "docs/api-reference/generated/**"
+  ]
+}
@@ -0,0 +1 @@
+docs/api-reference/generated/**
@@ -1,5 +1,19 @@
 # Changelog

+## [1.0.0] - 2026-03-24
+
+### Added
+
+- Add missing devDependencies to align with reference plugin: `@mui/material`, `@types/react`, `@types/react-dom`, `notistack`
+- Pin `vitest` to `^3.2.4`
+- Add dual-approval caller workflow for CI
+
+### Changed
+
+- Bump version from 0.1.5 to 1.0.0 (stable release)
+- Extend Renovate config from org-level preset
+- Add pinDigests for GitHub Actions SHA pinning
+
 ## [0.1.3] - 2026-03-04

 ### Fixed
@@ -38,3 +52,9 @@
 - Nodes page with kube-vip pod status and leader designation
 - Configuration page with DaemonSet config, IP pools, leases
 - Service detail section injected into native Headlamp Service views
+
+[1.0.0]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.5...v1.0.0
+[0.1.3]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.2...v0.1.3
+[0.1.2]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.1...v0.1.2
+[0.1.1]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/tag/v0.1.0
@@ -8,7 +8,7 @@ Headlamp plugin for kube-vip virtual IP and load balancer visibility. Read-only

 - **Plugin name**: `kube-vip`
 - **Target**: Headlamp >= v0.26
- **Data sources**: kube-vip DaemonSet/pods in `kube-system`, Services (type:LoadBalancer), Nodes, Leases, `kubevip` ConfigMap
+- **Data sources**: kube-vip DaemonSet/pods in `headlamp`, Services (type:LoadBalancer), Nodes, Leases, `kubevip` ConfigMap
 - **Reference plugin**: `../headlamp-polaris-plugin`

 ## Commands
@@ -58,7 +58,7 @@ kube-vip uses **no CRDs**. All state comes from standard Kubernetes resources an

 ## Key constants (src/api/k8s.ts)

- Namespace: `kube-system`
+- Namespace: `headlamp`
 - DaemonSet name: `kube-vip-ds`
 - Cloud provider name: `kube-vip-cloud-provider`
 - ConfigMap name: `kubevip`
@@ -20,7 +20,7 @@ Search for `kube-vip` in the Headlamp Plugin Manager (Settings → Plugins → C
 ## Requirements

 - Headlamp >= v0.26
- kube-vip deployed in `kube-system` (DaemonSet or static pod)
+- kube-vip deployed in `headlamp` (DaemonSet or static pod)
 - Optional: kube-vip-cloud-provider for IP pool management

 ## RBAC
@@ -66,7 +66,7 @@ npm run lint       # ESLint

 | Symptom | Cause | Fix |
 |---------|-------|-----|
-| "kube-vip Not Detected" | No kube-vip pods in kube-system | Install kube-vip per https://kube-vip.io/docs/installation/ |
+| "kube-vip Not Detected" | No kube-vip pods in headlamp namespace | Install kube-vip per https://kube-vip.io/docs/installation/ |
 | No IP pools shown | kubevip ConfigMap not found | Install kube-vip-cloud-provider |
 | Services show "Pending" VIP | No IP pool configured or pool exhausted | Add IP ranges to kubevip ConfigMap |
 | Leader shows "—" | No kube-vip leases found | Verify leader election is enabled (`vip_leaderelection=true`) |
@@ -12,13 +12,38 @@ This plugin is **read-only**. It does not perform any write operations against t

 - Services (type: LoadBalancer)
 - Nodes
- Pods in `kube-system`
- DaemonSets in `kube-system`
- Leases in `kube-system`
- ConfigMaps in `kube-system`
+- Pods in `headlamp`
+- DaemonSets in `headlamp`
+- Leases in `headlamp`
+- ConfigMaps in `headlamp`

 All data is fetched through Headlamp's built-in API proxy, which respects the user's existing RBAC permissions.

 ## Reporting a Vulnerability

 Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
+
+## Known Low-Severity Vulnerabilities
+
+### GHSA-848j-6mx2-7j84 (elliptic)
+
+**Severity:** High (but not exploitable in this plugin's context)
+
+**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
+
+**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
+- Use of `elliptic` curve operations on untrusted input, AND
+- Ability for an attacker to influence the `elliptic` curve key generation input
+
+Neither condition is met in this plugin's runtime context.
+
+**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
+
+**Risk acceptance rationale:**
+1. Plugin has no write operations against the cluster
+2. All data flows through Headlamp's API proxy with standard RBAC enforcement
+3. The vulnerable dependency is only in the development/build toolchain, not runtime
+4. No untrusted input can reach `elliptic` curve operations through this plugin
+
+**Review date:** 2026-05-05
+**Reviewed by:** Hugh Hackman (VP Engineering Operations)
@@ -1,4 +1,4 @@
-version: "0.1.4"
+version: "1.0.2"
 name: headlamp-kube-vip
 displayName: kube-vip
 createdAt: "2026-03-04T00:00:00Z"
@@ -25,7 +25,22 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/download/v0.1.4/kube-vip-0.1.4.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:d926d467a091e7b346afd3f6a09abc2205b7a8c290ecf65920f45df6206f7017
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/download/v1.0.2/kube-vip-1.0.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:cb6b8b6d93a41c129304c57ed705cdafbcb4d6e7511ce5bad0aa05d5762c3fbf
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
+changes:
+  - kind: changed
+    description: "Fix ArtifactHub checksum for v1.0.0 release tarball"
+  - kind: added
+    description: "v1.0.0 stable release"
+  - kind: changed
+    description: "Bump version from 0.1.5 to 1.0.0"
+  - kind: changed
+    description: "Add missing devDependencies: @mui/material, @types/react, @types/react-dom, notistack; pin vitest to ^3.2.4"
+  - kind: changed
+    description: "Extend Renovate config from org-level preset"
+  - kind: changed
+    description: "Add pinDigests for GitHub Actions SHA pinning"
+  - kind: changed
+    description: "Add dual-approval caller workflow"
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
@@ -1,6 +1,6 @@
 {
  "name": "kube-vip",
-  "version": "0.1.4",
+  "version": "1.0.2",
  "description": "Headlamp plugin for kube-vip virtual IP and load balancer visibility",
  "repository": {
    "type": "git",
@@ -12,6 +12,7 @@
  "homepage": "https://github.com/privilegedescalation/headlamp-kube-vip-plugin#readme",
  "author": "privilegedescalation",
  "license": "Apache-2.0",
+  "packageManager": "pnpm@10.32.1",
  "scripts": {
    "start": "headlamp-plugin start",
    "build": "headlamp-plugin build",
@@ -30,17 +31,28 @@
  },
  "overrides": {
    "tar": "^7.5.11",
-    "undici": "^7.24.3"
+    "undici": "^7.24.3",
+    "lodash": ">=4.18.0",
+    "vite": ">=6.4.2",
+    "elliptic": ">=6.6.1"
  },
  "devDependencies": {
+    "@headlamp-k8s/eslint-config": "^0.6.0",
    "@kinvolk/headlamp-plugin": "^0.13.0",
+    "@mui/material": "^5.15.14",
    "@testing-library/jest-dom": "^6.4.8",
    "@testing-library/react": "^16.0.0",
    "@testing-library/user-event": "^14.5.2",
+    "@types/react": "^18.0.0",
+    "@types/react-dom": "^18.0.0",
+    "eslint": "^8.57.0",
    "jsdom": "^24.0.0",
+    "notistack": "^3.0.0",
+    "prettier": "^2.8.8",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-router-dom": "^5.3.0",
-    "vitest": "^3.0.5"
+    "typescript": "~5.6.2",
+    "vitest": "^3.2.4"
  }
 }
@@ -1,19 +1,5 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"],
-  "baseBranches": ["main"],
-  "schedule": ["every weekend"],
-  "prConcurrentLimit": 10,
-  "packageRules": [
-    {
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "npm minor and patch"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
-    }
-  ]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }
+
@@ -21,6 +21,7 @@ import {
  isEgressEnabled,
  isKubeVipService,
  isPodReady,
+  KUBE_VIP_NAMESPACE,
  phaseToStatus,
 } from '../api/k8s';
 import { useKubeVipContext } from '../api/KubeVipDataContext';
@@ -105,7 +106,9 @@ export default function OverviewPage() {
              {
                name: 'Status',
                value: (
-                  <StatusLabel status="error">No kube-vip pods found in kube-system</StatusLabel>
+                  <StatusLabel status="error">
+                    No kube-vip pods found in {KUBE_VIP_NAMESPACE}
+                  </StatusLabel>
                ),
              },
              {
Author	SHA1	Message	Date
Chris Farhood	c87d1bca58	fix: change runner labels from runners-privilegedescalation to ubuntu-latest Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (pull_request) Failing after 4s Details Change runs-on in renovate-app-token.yaml and renovate.yaml workflows from runners-privilegedescalation to ubuntu-latest. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 15:55:48 +00:00
privilegedescalation-engineer[bot]	cbe1c9d0db	docs: revert namespace to kube-system, use KUBE_VIP_NAMESPACE constant (#44 ) ci CI passed promotion-gate Promotion Gate passed Promotion Gate / promotion-gate (pull_request) Failing after 0s Details CI / ci (pull_request) Failing after 3s Details Reverted inaccurate namespace references in docs back to kube-system. Replaced hardcoded 'kube-system' string in OverviewPage.tsx error message with KUBE_VIP_NAMESPACE constant. QA: privilegedescalation-qa ✅ \| CTO: privilegedescalation-cto ✅ \| CI: green ✅	2026-05-14 03:35:15 +00:00
Chris Farhood	091a8dad0e	docs: redirect install namespace references from kube-system to headlamp Update documentation to reference the Headlamp plugin namespace (headlamp) instead of kube-system where kube-vip itself is deployed. Files changed (all docs only): - README.md: requirements, troubleshooting table - CLAUDE.md: data sources, key constants namespace - SECURITY.md: plugin scope permissions list Out of scope — left untouched per PRI-340 plan: - Source files (k8s.ts, KubeVipDataContext.tsx, OverviewPage.tsx) - Test helpers (test-helpers.tsx) — kube-system is the watched workload namespace - ADR 003 — describes kube-vip static pod fallback behavior, not install namespace Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 03:34:38 +00:00
privilegedescalation-engineer[bot]	1ba1a67f01	Add self-hosted Renovate runner (#70 ) * chore(e2e): delete all E2E files and cleanup Delete all E2E test infrastructure from the repository: - scripts/deploy-e2e-headlamp.sh - scripts/teardown-e2e-headlamp.sh - .github/workflows/e2e.yaml - playwright.config.ts - e2e/ directory (auth.setup.ts, kube-vip.spec.ts) Also removed e2e and e2e:headed scripts from package.json and removed @playwright/test devDependency. Context: [PRI-1133](https://github.com/privilegedescalation/paperclip-internal/issues/PRI-1133) — full E2E purge across org. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: update pnpm-lock.yaml after E2E deletion Remove @playwright/test dependencies after E2E infrastructure cleanup. Resolves ERR_PNPM_OUTDATED_LOCKFILE on PR. Co-Authored-By: Paperclip <noreply@paperclip.ing> * Add self-hosted Renovate runner workflow Creates .github/workflows/renovate.yaml using renovatebot/github-action with a GitHub App token on a weekly schedule. Extends the shared renovate-config from the privilegedescalation/.github repository. Part of PRI-413 Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-13 12:20:57 +00:00
privilegedescalation-ceo[bot]	22b4bdeba0	Merge pull request #62 from privilegedescalation/hugh/add-audit-ci-allowlist-pri-855 chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855)	2026-05-12 22:30:59 +00:00
privilegedescalation-ceo[bot]	a10d274e71	Update CI and approval workflows for three-branch SDLC (#69 ) CI triggers on dev/uat/main. Promotion gate replaces dual-approval. Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-11 21:39:59 +00:00
privilegedescalation-engineer[bot]	8c256f9dc5	chore(e2e): delete all E2E files and cleanup (#68 ) * chore(e2e): delete all E2E files and cleanup Delete all E2E test infrastructure from the repository: - scripts/deploy-e2e-headlamp.sh - scripts/teardown-e2e-headlamp.sh - .github/workflows/e2e.yaml - playwright.config.ts - e2e/ directory (auth.setup.ts, kube-vip.spec.ts) Also removed e2e and e2e:headed scripts from package.json and removed @playwright/test devDependency. Context: [PRI-1133](https://github.com/privilegedescalation/paperclip-internal/issues/PRI-1133) — full E2E purge across org. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: update pnpm-lock.yaml after E2E deletion Remove @playwright/test dependencies after E2E infrastructure cleanup. Resolves ERR_PNPM_OUTDATED_LOCKFILE on PR. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-11 20:11:20 +00:00
Chris Farhood	98e0cf7ea1	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) CTO decision (PRI-854): high-severity vulns are dev/build-time only and acceptable risk with explicit allowlist. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-06 13:19:07 +00:00
privilegedescalation-engineer[bot]	cbf5ba4a2a	fix(e2e): use pnpm-capable workflow branch (PRI-634) * fix(ci): guard dual-approval job against null pull_request context When triggered by pull_request_review events, github.event.pull_request is undefined, which can cause issues when the job tries to access github.event.pull_request.number. Add a job-level if guard to prevent the job from running in these conditions. This addresses the dual approval failures seen on feature branches where the workflow was running without a valid PR context. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): use pnpm-capable workflow branch Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack. PRI-634 * fix(e2e): use pnpm-capable workflow branch Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack. PRI-634 * Update e2e.yaml to use @main and pass plugin-name Use @main workflow ref and add plugin-name input so the reusable workflow can derive ConfigMap name and mount path. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-06 10:17:32 +00:00
privilegedescalation-engineer[bot]	1c5e50ce8c	docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk (#59 ) * Add E2E test infrastructure for kube-vip plugin Scaffolded via e2e-scaffold.sh (proactive improvement). - playwright.config.ts, e2e/auth.setup.ts, e2e/kube-vip.spec.ts - scripts/deploy-e2e-headlamp.sh, scripts/teardown-e2e-headlamp.sh - .github/workflows/e2e.yaml uses reusable workflow - @playwright/test ^1.58.2 devDep - PRI-641 Co-Authored-By: Paperclip <noreply@paperclip.ing> * Fix E2E workflow: use pnpm-capable reusable workflow branch The reusable plugin-e2e.yaml@main lacks pnpm support. Switching to the PR branch that has pnpm detector, Corepack setup, and pnpm commands. Will revert to @main once PR #141 merges. - PRI-619 E2E fix Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk * fix(e2e): reference @main workflow after .github merge Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-06 00:44:27 +00:00
privilegedescalation-engineer[bot]	b4e6cb9367	fix: override elliptic to patched version for GHSA-848j-6mx2-7j84 Security fix: pins transitive elliptic dependency to >=6.6.1 via pnpm.overrides to address GHSA-848j-6mx2-7j84. All pipeline gates satisfied: - CI: passed ✅ - UAT (Pixel Patty): approved ✅ (PRI-717 done) - QA (Regression Regina): approved ✅ (PRI-707 thread) - CTO (Null Pointer Nancy): approved ✅ (GitHub review) Source: PRI-707 / PRI-734 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 14:38:42 +00:00
privilegedescalation-engineer[bot]	6459913304	feat(workflows): add renovate-app-token reusable workflow for Mend Renovate (#43 ) workflow_call reusable workflow that exposes a GitHub App installation token. Mend Renovate will use this token to push commits. Refs: PRI-413 Co-authored-by: Chris Farhood <chris@farhood.org>	2026-05-04 21:19:09 +00:00
privilegedescalation-engineer[bot]	d9fec8b93c	fix: add markdownlint config to resolve CI failures (#42 ) Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 20:02:52 +00:00
privilegedescalation-engineer[bot]	dd2d942d39	fix: override lodash >=4.18.0 to patch code injection vulnerability (#40 ) Defensive override floor for GHSA-r5fr-rjxr-66jc. Main already resolves lodash@4.18.1 transitively, so override prevents future regressions. CI green on `1d65d51`. Approved by CEO via admin override per stopgap during PRI-309 adapter outage.	2026-05-03 23:24:51 +00:00
privilegedescalation-engineer[bot]	8e9b2c2645	fix: update vite to >=6.4.2 to patch arbitrary file read vulnerability (#39 ) Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via the Vite Dev Server WebSocket (server.fs.deny bypass with queries). CVE: GHSA-p9ff-h696-f583 Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-03 17:44:02 +00:00
privilegedescalation-engineer[bot]	ac3d9e87ca	release: v1.0.2 (#38 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-15 04:00:53 +00:00
privilegedescalation-ceo[bot]	ad99689f47	fix: correct artifacthub-pkg.yml checksum on main for v1.0.1 Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>	2026-04-15 03:50:58 +00:00
privilegedescalation-engineer[bot]	90623e32c7	fix: pass pr_number to dual-approval-check workflow (#34 ) Companion PR to privilegedescalation/.github#81 Co-authored-by: Hugh Hackman <hugh@paperclip.ing> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-15 03:30:22 +00:00
privilegedescalation-ceo[bot]	aeb762ff85	chore: add repository_dispatch trigger for automated release	2026-04-15 02:54:35 +00:00
privilegedescalation-ceo[bot]	a86fb9f596	Merge pull request #36 from privilegedescalation/release/v1.0.1 release: v1.0.1 - fix ArtifactHub checksum	2026-04-15 02:21:17 +00:00
Pawla Abdul	079a96f7d2	release: v1.0.1 - fix ArtifactHub checksum	2026-04-13 11:05:36 +00:00
privilegedescalation-ceo[bot]	f6abc14a95	Merge pull request #31 from privilegedescalation/fix/add-package-manager-field fix: add packageManager field to package.json	2026-03-24 22:45:31 +00:00
privilegedescalation-ceo[bot]	8f32bb3545	Merge pull request #30 from privilegedescalation/release/v1.0.0 release: v1.0.0	2026-03-24 22:37:14 +00:00
github-actions[bot]	acf8ce55ca	release: v1.0.0	2026-03-24 22:30:16 +00:00
Gandalf the Greybeard	f5fd03fe75	fix: add packageManager field to package.json pnpm/action-setup@v5 requires either a version key in the action config or a packageManager field in package.json. Add the field to unblock the release workflow. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 22:12:36 +00:00
privilegedescalation-ceo[bot]	91abf23ceb	Merge pull request #26 from privilegedescalation/release/v1.0.0 release: kube-vip v1.0.0	2026-03-24 22:01:19 +00:00
Gandalf the Greybeard	44efa23362	fix(ci): add missing eslint/prettier/typescript devDeps Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8, typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does not expose transitive bins, so these must be direct deps.	2026-03-24 21:48:56 +00:00
Gandalf the Greybeard	78f4db1b46	release: prepare v1.0.0 - Bump version from 0.1.5 to 1.0.0 in package.json - Add missing devDependencies: @mui/material ^5.15.14, @types/react ^18.0.0, @types/react-dom ^18.0.0, notistack ^3.0.0; pin vitest to ^3.2.4 - Replace package-lock.json with pnpm-lock.yaml (switch to pnpm) - Update artifacthub-pkg.yml: version 1.0.0, v1.0.0 archive URL, TBD checksum placeholder, add changes block - Add [1.0.0] entry to CHANGELOG.md with version comparison links - All 74 tests pass Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 21:29:29 +00:00
privilegedescalation-ceo[bot]	4b6b57a198	Merge pull request #25 from privilegedescalation/feat/renovate-extend-org-config feat: extend Renovate config from org-level preset	2026-03-24 18:46:14 +00:00
Hugh Hackman	b18c738327	feat: extend Renovate config from org-level preset Replaces the duplicated Renovate config with a simple extend from the org-level preset (privilegedescalation/.github:renovate-config). All rules (schedule, pinDigests, npm/github-actions minor+patch+major groups) are now inherited from the org config, which was updated in PR #66 to add major-version update rules for GitHub Actions. This eliminates config drift between repos and reduces maintenance toil — future rule changes only need to be made in one place. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 16:16:19 +00:00
privilegedescalation-engineer[bot]	7ad3069235	chore(renovate): add pinDigests for GitHub Actions SHA pinning (#24 ) Adds pinDigests: true so Renovate pins all GitHub Actions references to full commit SHAs for supply-chain hardening. This repo extends config:recommended directly, so pinDigests must be set here explicitly — the org-level config alone is not sufficient. Recreated from main after closing stale PR #23 (branch was created before the dual-approval PR #22 landed). Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-03-22 11:13:23 +00:00
privilegedescalation-ceo[bot]	8800d73d68	Merge pull request #22 from privilegedescalation/feat/dual-approval-status-check ci: add dual-approval status check (CTO + QA)	2026-03-22 04:12:40 +00:00
privilegedescalation-engineer[bot]	2a8646a831	ci: add dual-approval caller workflow Calls the shared privilegedescalation/.github dual-approval-check reusable workflow to enforce CTO + QA approval as a GitHub status check. Once privilegedescalation/.github#47 is merged, this status check can be added to required_status_checks in branch protection. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-21 23:55:43 +00:00
privilegedescalation-ceo[bot]	8d0c1b4cee	Merge pull request #21 from privilegedescalation/release/v0.1.5 release: v0.1.5	2026-03-21 23:46:25 +00:00
github-actions[bot]	d7eebd2f4a	release: v0.1.5	2026-03-21 22:51:07 +00:00
privilegedescalation-paperclip[bot]	fe1d1dcf3e	ci: pass GitHub App token secrets to release workflow (#20 ) The shared release workflow now requires RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org blocks GITHUB_TOKEN from creating PRs. Depends on privilegedescalation/.github#31 Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-20 13:24:36 +00:00
privilegedescalation-paperclip[bot]	be9fe7ebd5	Merge pull request #19 from privilegedescalation/release/v0.1.4 release: v0.1.4	2026-03-19 21:50:46 +00:00