chore: regenerate pnpm-lock.yaml for elliptic override branch

Resolves ERR_PNPM_LOCKFILE_CONFIG_MISMATCH (template#9):
- Updates transitive dependency versions (typescript 5.6.2 -> 5.9.3, etc.)
- Lockfile now passes --frozen-lockfile with current pnpm v10.33.0

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yaml

@@ -2,210 +2,12 @@ name: CI
 
 on:
   push:
-    branches: ['**']
+    branches: [main]
   pull_request:
-    branches: [main, dev, uat]
+    branches: [main]
   workflow_dispatch:
-
-permissions:
-  contents: read
+  workflow_call:
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    container: node:22-slim
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Python
-        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
-
-      - name: Validate artifacthub-pkg.yml
-        run: |
-          python3 - <<'EOF'
-          import sys, re
-          try:
-              import yaml
-          except ImportError:
-              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
-              sys.exit(0)
-
-          try:
-              with open("artifacthub-pkg.yml") as f:
-                  pkg = yaml.safe_load(f)
-          except FileNotFoundError:
-              print("::error::artifacthub-pkg.yml not found")
-              sys.exit(1)
-          except yaml.YAMLError as e:
-              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
-              sys.exit(1)
-
-          errors = []
-
-          for field in ["version", "name", "description", "homeURL"]:
-              if not pkg.get(field):
-                  errors.append(f"Missing required field: {field}")
-
-          version = pkg.get("version", "")
-          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
-              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
-
-          annotations = pkg.get("annotations", {}) or {}
-          archive_url = annotations.get("headlamp/plugin/archive-url", "")
-          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
-
-          if not archive_url:
-              errors.append("Missing annotation: headlamp/plugin/archive-url")
-          if not archive_checksum:
-              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
-          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
-              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
-
-          if errors:
-              for e in errors:
-                  print(f"::error::{e}")
-              sys.exit(1)
-
-          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
-          EOF
-
-      - name: Detect package manager
-        id: pkg-manager
-        run: |
-          if [ -f "pnpm-lock.yaml" ]; then
-            echo "manager=pnpm" >> $GITHUB_OUTPUT
-            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
-            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
-          else
-            echo "manager=npm" >> $GITHUB_OUTPUT
-            echo "has_package_manager=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: '22'
-          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
-
-      - name: Setup pnpm (via Corepack, reads version from packageManager field)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
-        run: |
-          npm install -g corepack
-          corepack enable pnpm
-          corepack install
-
-      - name: Setup pnpm (version latest)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
-        uses: pnpm/action-setup@v5
-        with:
-          run_install: false
-          version: latest
-
-      - name: Get pnpm store directory
-        id: pnpm-store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-      - name: Cache pnpm store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        uses: actions/cache@v5
-        with:
-          path: ${{ steps.pnpm-store.outputs.dir }}
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-
-
-      - name: Validate pnpm lockfile freshness
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: |
-          if [ ! -f "pnpm-lock.yaml" ]; then
-            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
-            exit 0
-          fi
-          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
-            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
-            exit 0
-          fi
-          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
-          ERR_FILE=$(mktemp)
-          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
-            echo "Lockfile is fresh."
-          else
-            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
-              echo ""
-              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
-              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
-              rm -f "$ERR_FILE"
-              exit 1
-            fi
-            rm -f "$ERR_FILE"
-            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
-          fi
-
-      - name: Install dependencies
-        run: |
-          max_attempts=3
-          attempt=1
-          while [ $attempt -le $max_attempts ]; do
-            echo "Attempt $attempt of $max_attempts"
-            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-              pnpm install --frozen-lockfile && break
-            else
-              npm ci && break
-            fi
-            if [ $attempt -lt $max_attempts ]; then
-              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
-              sleep 5
-            fi
-            attempt=$((attempt + 1))
-          done
-          if [ $attempt -gt $max_attempts ]; then
-            echo "::error::Install step failed after $max_attempts attempts."
-            exit 1
-          fi
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Lint
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run lint
-          else
-            npm run lint
-          fi
-
-      - name: Type-check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run tsc
-          else
-            npm run tsc
-          fi
-
-      - name: Format check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run format:check
-          else
-            npm run format:check
-          fi
-
-      - name: Run tests
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm test
-          else
-            npm test
-          fi
-
-      - name: Security audit
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
-          else
-            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
-          fi
+    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main

.github/workflows/dual-approval.yaml

@@ -15,6 +15,4 @@ on:
 jobs:
   dual-approval:
     uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    with:
-      pr_number: ${{ github.event.pull_request.number }}
     secrets: inherit

.github/workflows/renovate.yml

@@ -1,15 +0,0 @@
-name: Renovate
-on:
-  schedule:
-    - cron: '0 3 * * *'
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: renovatebot/github-action@v40.3.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          configurationFile: renovate.json
-          renovate-json5: true

audit-ci.jsonc

@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}

pnpm-lock.yaml

@@ -2486,8 +2486,8 @@ packages:
   eastasianwidth@0.2.0:
     resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
 
-  electron-to-chromium@1.5.350:
-    resolution: {integrity: sha512-/KWD4qK8nMqIoJh35Rpc37fiVyOe80mcUQKpfje0Dp9uot2ROuipsh+EriCdfInxjleD5v1S4OlIn41I0LXP0g==}
+  electron-to-chromium@1.5.349:
+    resolution: {integrity: sha512-QsWVGyRuY07Aqb234QytTfwd5d9AJlfNIQ5wIOl1L+PZDzI9d9+Fn0FRale/QYlFxt/bUnB0/nLd1jFPGxGK1A==}
 
   elkjs@0.9.3:
     resolution: {integrity: sha512-f/ZeWvW/BCXbhGEf1Ujp29EASo/lk1FDnETgNKwJrsVvGZhUWCZyg3xLJjAsxfOmt8KjswHmI5EwCQcPMpOYhQ==}
@@ -3213,8 +3213,8 @@ packages:
     resolution: {integrity: sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==}
     engines: {node: '>= 0.4'}
 
-  is-core-module@2.16.2:
-    resolution: {integrity: sha512-evOr8xfXKxE6qSR0hSXL2r3sd7ALj8+7jQEUvPYcm5sgZFdJ+AYzT6yNmJenvIYQBgIGwfwz08sL8zoL7yq2BA==}
+  is-core-module@2.16.1:
+    resolution: {integrity: sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==}
     engines: {node: '>= 0.4'}
 
   is-data-view@1.0.2:
@@ -4728,8 +4728,8 @@ packages:
     resolution: {integrity: sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==}
     engines: {node: '>=6'}
 
-  tar@7.5.14:
-    resolution: {integrity: sha512-/7sHKgQO3JLP9ESlwTYUUftHUadOURUqq23xs1vjcnp8Vss6k0wCfzulyEtk5g91pjvnuriimGlyG7k6msrzRw==}
+  tar@7.5.13:
+    resolution: {integrity: sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==}
     engines: {node: '>=18'}
 
   teex@1.0.1:
@@ -5723,7 +5723,7 @@ snapshots:
       js-yaml: 4.1.1
       semver: 7.7.4
       table: 6.9.0
-      tar: 7.5.14
+      tar: 7.5.13
       tmp: 0.2.5
       yargs: 17.7.2
 
@@ -5931,7 +5931,7 @@ snapshots:
       spacetime: 7.12.0
       storybook: 9.1.20(@testing-library/dom@10.4.1)(msw@2.4.9(typescript@5.9.3))(prettier@3.8.3)(vite@6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4))
       table: 6.9.0
-      tar: 7.5.14
+      tar: 7.5.13
       ts-loader: 9.5.7(typescript@5.6.2)(webpack@5.106.2(@swc/core@1.15.33)(esbuild@0.25.12))
       typescript: 5.6.2
       validate-npm-package-name: 3.0.0
@@ -7569,7 +7569,7 @@ snapshots:
     dependencies:
       baseline-browser-mapping: 2.10.27
       caniuse-lite: 1.0.30001791
-      electron-to-chromium: 1.5.350
+      electron-to-chromium: 1.5.349
       node-releases: 2.0.38
       update-browserslist-db: 1.2.3(browserslist@4.28.2)
 
@@ -8098,7 +8098,7 @@ snapshots:
 
   eastasianwidth@0.2.0: {}
 
-  electron-to-chromium@1.5.350: {}
+  electron-to-chromium@1.5.349: {}
 
   elkjs@0.9.3: {}
 
@@ -8306,7 +8306,7 @@ snapshots:
   eslint-import-resolver-node@0.3.10:
     dependencies:
       debug: 3.2.7
-      is-core-module: 2.16.2
+      is-core-module: 2.16.1
       resolve: 2.0.0-next.6
     transitivePeerDependencies:
       - supports-color
@@ -8334,7 +8334,7 @@ snapshots:
       eslint-import-resolver-node: 0.3.10
       eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.59.2(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.10)(eslint@8.57.1)
       hasown: 2.0.3
-      is-core-module: 2.16.2
+      is-core-module: 2.16.1
       is-glob: 4.0.3
       minimatch: 3.1.5
       object.fromentries: 2.0.8
@@ -9086,7 +9086,7 @@ snapshots:
 
   is-callable@1.2.7: {}
 
-  is-core-module@2.16.2:
+  is-core-module@2.16.1:
     dependencies:
       hasown: 2.0.3
 
@@ -10468,14 +10468,14 @@ snapshots:
   resolve@1.22.12:
     dependencies:
       es-errors: 1.3.0
-      is-core-module: 2.16.2
+      is-core-module: 2.16.1
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
   resolve@2.0.0-next.6:
     dependencies:
       es-errors: 1.3.0
-      is-core-module: 2.16.2
+      is-core-module: 2.16.1
       node-exports-info: 1.6.0
       object-keys: 1.1.1
       path-parse: 1.0.7
@@ -10930,7 +10930,7 @@ snapshots:
 
   tapable@2.3.3: {}
 
-  tar@7.5.14:
+  tar@7.5.13:
     dependencies:
       '@isaacs/fs-minipass': 4.0.1
       chownr: 3.0.0