chore: regenerate pnpm-lock.yaml for elliptic override

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yaml

@@ -2,210 +2,12 @@ name: CI
 
 on:
   push:
-    branches: ['**']
+    branches: [main]
   pull_request:
-    branches: [main, dev, uat]
+    branches: [main]
   workflow_dispatch:
-
-permissions:
-  contents: read
+  workflow_call:
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    container: node:22-slim
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Python
-        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
-
-      - name: Validate artifacthub-pkg.yml
-        run: |
-          python3 - <<'EOF'
-          import sys, re
-          try:
-              import yaml
-          except ImportError:
-              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
-              sys.exit(0)
-
-          try:
-              with open("artifacthub-pkg.yml") as f:
-                  pkg = yaml.safe_load(f)
-          except FileNotFoundError:
-              print("::error::artifacthub-pkg.yml not found")
-              sys.exit(1)
-          except yaml.YAMLError as e:
-              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
-              sys.exit(1)
-
-          errors = []
-
-          for field in ["version", "name", "description", "homeURL"]:
-              if not pkg.get(field):
-                  errors.append(f"Missing required field: {field}")
-
-          version = pkg.get("version", "")
-          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
-              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
-
-          annotations = pkg.get("annotations", {}) or {}
-          archive_url = annotations.get("headlamp/plugin/archive-url", "")
-          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
-
-          if not archive_url:
-              errors.append("Missing annotation: headlamp/plugin/archive-url")
-          if not archive_checksum:
-              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
-          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
-              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
-
-          if errors:
-              for e in errors:
-                  print(f"::error::{e}")
-              sys.exit(1)
-
-          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
-          EOF
-
-      - name: Detect package manager
-        id: pkg-manager
-        run: |
-          if [ -f "pnpm-lock.yaml" ]; then
-            echo "manager=pnpm" >> $GITHUB_OUTPUT
-            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
-            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
-          else
-            echo "manager=npm" >> $GITHUB_OUTPUT
-            echo "has_package_manager=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: '22'
-          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
-
-      - name: Setup pnpm (via Corepack, reads version from packageManager field)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
-        run: |
-          npm install -g corepack
-          corepack enable pnpm
-          corepack install
-
-      - name: Setup pnpm (version latest)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
-        uses: pnpm/action-setup@v5
-        with:
-          run_install: false
-          version: latest
-
-      - name: Get pnpm store directory
-        id: pnpm-store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-      - name: Cache pnpm store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        uses: actions/cache@v5
-        with:
-          path: ${{ steps.pnpm-store.outputs.dir }}
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-
-
-      - name: Validate pnpm lockfile freshness
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: |
-          if [ ! -f "pnpm-lock.yaml" ]; then
-            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
-            exit 0
-          fi
-          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
-            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
-            exit 0
-          fi
-          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
-          ERR_FILE=$(mktemp)
-          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
-            echo "Lockfile is fresh."
-          else
-            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
-              echo ""
-              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
-              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
-              rm -f "$ERR_FILE"
-              exit 1
-            fi
-            rm -f "$ERR_FILE"
-            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
-          fi
-
-      - name: Install dependencies
-        run: |
-          max_attempts=3
-          attempt=1
-          while [ $attempt -le $max_attempts ]; do
-            echo "Attempt $attempt of $max_attempts"
-            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-              pnpm install --frozen-lockfile && break
-            else
-              npm ci && break
-            fi
-            if [ $attempt -lt $max_attempts ]; then
-              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
-              sleep 5
-            fi
-            attempt=$((attempt + 1))
-          done
-          if [ $attempt -gt $max_attempts ]; then
-            echo "::error::Install step failed after $max_attempts attempts."
-            exit 1
-          fi
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Lint
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run lint
-          else
-            npm run lint
-          fi
-
-      - name: Type-check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run tsc
-          else
-            npm run tsc
-          fi
-
-      - name: Format check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run format:check
-          else
-            npm run format:check
-          fi
-
-      - name: Run tests
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm test
-          else
-            npm test
-          fi
-
-      - name: Security audit
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
-          else
-            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
-          fi
+    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main

.github/workflows/dual-approval.yaml

@@ -1,116 +1,18 @@
-name: Promotion Gate
+name: Dual Approval (CTO + QA)
 
-# dev PRs: no gate (engineer self-merges).
-# uat PRs: QA approval required.
-# main PRs: UAT approval required (uat→main promotions).
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
 
 on:
   pull_request_review:
     types: [submitted, dismissed]
   pull_request:
-    branches: [uat, main]
+    branches: [main]
     types: [opened, reopened, synchronize]
 
 jobs:
-  promotion-gate:
-    name: Promotion Gate
-    runs-on: ubuntu-latest
-    container: ubuntu:latest
-    timeout-minutes: 5
-
-    steps:
-      - name: Install dependencies
-        run: apt-get update -qq && apt-get install -y --no-install-recommends curl jq
-
-      - name: Check promotion approval
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
-          BASE_REF: ${{ github.base_ref }}
-        run: |
-          if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
-            echo "::notice::No PR number in context. Skipping promotion gate."
-            exit 0
-          fi
-
-          echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
-
-          if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
-            BASE_REF=$(curl -sf \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Accept: application/json" \
-              "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
-            echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
-          fi
-
-          # Determine required reviewer based on target branch
-          case "${BASE_REF}" in
-            dev)
-              echo "Target is dev — no review required. Engineers self-merge."
-              exit 0
-              ;;
-            uat)
-              REQUIRED_REVIEWER="pe_regina"
-              GATE_NAME="QA"
-              ;;
-            main)
-              REQUIRED_REVIEWER="pe_regina"
-              GATE_NAME="QA"
-              # For plugin repos (Pipeline A), UAT approval is needed for uat→main
-              # Check if the source branch is uat
-              SOURCE_REF=$(curl -sf \
-                -H "Authorization: token ${GITEA_TOKEN}" \
-                -H "Accept: application/json" \
-                "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
-
-              if [ "${SOURCE_REF}" = "uat" ]; then
-                REQUIRED_REVIEWER="pe_patty"
-                GATE_NAME="UAT"
-              fi
-              ;;
-            *)
-              echo "::notice::Target branch '${BASE_REF}' has no promotion gate configured."
-              exit 0
-              ;;
-          esac
-
-          echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
-
-          # For uat→main promotions, pe_patty may not be able to review (bot account).
-          # Accept pe_nancy (CTO) as a valid alternative reviewer.
-          ALT_REVIEWER=""
-          if [ "${REQUIRED_REVIEWER}" = "pe_patty" ]; then
-            ALT_REVIEWER="pe_nancy"
-          fi
-
-          REVIEWS=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Accept: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
-
-          if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
-            echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
-            exit 1
-          fi
-
-          REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
-            '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
-
-          echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
-
-          # Fallback: check if CTO approved as alternative for uat→main
-          if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
-            REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
-              '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
-            if [ "${REVIEWER_APPROVED}" = "true" ]; then
-              echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
-            fi
-          fi
-
-          if [ "${REVIEWER_APPROVED}" = "true" ]; then
-            echo "Promotion gate passed: ${GATE_NAME} has approved."
-          else
-            echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}."
-            exit 1
-          fi
+  dual-approval:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit

.github/workflows/renovate.yml

@@ -1,15 +0,0 @@
-name: Renovate
-on:
-  schedule:
-    - cron: '0 3 * * *'
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: renovatebot/github-action@v40.3.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          configurationFile: renovate.json
-          renovate-json5: true

artifacthub-pkg.yml

@@ -1,22 +1,24 @@
 # Artifact Hub package metadata
 # https://artifacthub.io/docs/topics/repositories/headlamp-plugins/
+# Replace ALL placeholder values before publishing.
 
 version: "0.1.0"
-name: my-headlamp-plugin
-displayName: My Headlamp Plugin
-createdAt: "2026-05-20T00:00:00Z"
-description: A Headlamp plugin for Kubernetes
+name: my-headlamp-plugin                       # TODO: change to your plugin name (lowercase, hyphens)
+displayName: My Headlamp Plugin                # TODO: human-readable display name
+createdAt: "2026-01-01T00:00:00Z"              # TODO: set to your initial release date
+description: A Headlamp plugin for Kubernetes  # TODO: describe your plugin
 license: Apache-2.0
-homeURL: https://git.farh.net/privilegedescalation/headlamp-plugin-template
-appVersion: "0.1.0"
+homeURL: https://github.com/YOUR_ORG/YOUR_REPO  # TODO: update
+appVersion: "0.1.0"                            # TODO: version of the app this plugin targets
 keywords:
   - headlamp
   - kubernetes
+  # TODO: add your plugin-specific keywords
 annotations:
-  headlamp/plugin/archive-url: "https://git.farh.net/privilegedescalation/headlamp-plugin-template/releases/download/v0.1.0/my-headlamp-plugin-0.1.0.tar.gz"
-  headlamp/plugin/archive-checksum: "sha256:e2cfecedbef47931c54612a0f77f3b95c85a16923bd578e6d3a50bf15f55403b"
+  headlamp/plugin/archive-url: "https://github.com/YOUR_ORG/YOUR_REPO/releases/download/v0.1.0/my-headlamp-plugin-0.1.0.tar.gz"  # TODO: update per release
+  headlamp/plugin/archive-checksum: "sha256:REPLACE_WITH_ACTUAL_CHECKSUM"  # TODO: compute from release artifact
   headlamp/plugin/version-compat: ">=0.13.0"
   headlamp/plugin/distro-compat: "desktop,in-cluster,web,docker-desktop"
 links:
   - name: Source Code
-    url: https://git.farh.net/privilegedescalation/headlamp-plugin-template
+    url: https://github.com/YOUR_ORG/YOUR_REPO  # TODO: update

audit-ci.jsonc

@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}

package.json

@@ -4,15 +4,14 @@
   "description": "A Headlamp plugin for Kubernetes",
   "repository": {
     "type": "git",
-    "url": "https://git.farh.net/privilegedescalation/headlamp-plugin-template.git"
+    "url": "https://github.com/YOUR_ORG/YOUR_REPO.git"
   },
   "bugs": {
-    "url": "https://git.farh.net/privilegedescalation/headlamp-plugin-template/issues"
+    "url": "https://github.com/YOUR_ORG/YOUR_REPO/issues"
   },
-  "homepage": "https://git.farh.net/privilegedescalation/headlamp-plugin-template",
-  "author": "Privileged Escalation",
+  "homepage": "https://github.com/YOUR_ORG/YOUR_REPO#readme",
+  "author": "YOUR_NAME",
   "license": "Apache-2.0",
-  "packageManager": "pnpm@10.32.1",
   "scripts": {
     "start": "headlamp-plugin start",
     "build": "headlamp-plugin build",
@@ -37,20 +36,13 @@
     "react-dom": "^18.3.1",
     "react-router-dom": "^5.3.0",
     "typescript": "^5.6.2",
+    "vite": "^6.4.1",
+    "vite-plugin-svgr": "^4.5.0",
     "vitest": "^3.0.5"
   },
   "pnpm": {
-    "onlyBuiltDependencies": [
-      "@swc/core",
-      "esbuild",
-      "msw"
-    ]
-  },
-  "overrides": {
-    "tar": "^7.5.11",
-    "undici": "^7.24.3",
-    "vite": ">=6.4.2",
-    "lodash": ">=4.18.0",
-    "elliptic": ">=6.6.1"
+    "overrides": {
+      "elliptic": ">=6.6.1"
+    }
   }
 }

pnpm-lock.yaml

@@ -4,6 +4,9 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+overrides:
+  elliptic: '>=6.6.1'
+
 importers:
 
   .:
@@ -41,6 +44,12 @@ importers:
       typescript:
         specifier: ^5.6.2
         version: 5.9.3
+      vite:
+        specifier: ^6.4.1
+        version: 6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4)
+      vite-plugin-svgr:
+        specifier: ^4.5.0
+        version: 4.5.0(rollup@4.60.3)(typescript@5.9.3)(vite@6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4))
       vitest:
         specifier: ^3.0.5
         version: 3.2.4(@types/debug@4.1.13)(@types/node@20.19.39)(jsdom@24.1.3)(msw@2.4.9(typescript@5.9.3))(terser@5.46.2)(yaml@2.8.4)
@@ -6572,16 +6581,27 @@ snapshots:
       - supports-color
       - typescript
 
+  '@svgr/core@8.1.0(typescript@5.9.3)':
+    dependencies:
+      '@babel/core': 7.29.0
+      '@svgr/babel-preset': 8.1.0(@babel/core@7.29.0)
+      camelcase: 6.3.0
+      cosmiconfig: 8.3.6(typescript@5.9.3)
+      snake-case: 3.0.4
+    transitivePeerDependencies:
+      - supports-color
+      - typescript
+
   '@svgr/hast-util-to-babel-ast@8.0.0':
     dependencies:
       '@babel/types': 7.29.0
       entities: 4.5.0
 
-  '@svgr/plugin-jsx@8.1.0(@svgr/core@8.1.0(typescript@5.6.2))':
+  '@svgr/plugin-jsx@8.1.0(@svgr/core@8.1.0(typescript@5.9.3))':
     dependencies:
       '@babel/core': 7.29.0
       '@svgr/babel-preset': 8.1.0(@babel/core@7.29.0)
-      '@svgr/core': 8.1.0(typescript@5.6.2)
+      '@svgr/core': 8.1.0(typescript@5.9.3)
       '@svgr/hast-util-to-babel-ast': 8.0.0
       svg-parser: 2.0.4
     transitivePeerDependencies:
@@ -7752,6 +7772,15 @@ snapshots:
     optionalDependencies:
       typescript: 5.6.2
 
+  cosmiconfig@8.3.6(typescript@5.9.3):
+    dependencies:
+      import-fresh: 3.3.1
+      js-yaml: 4.1.1
+      parse-json: 5.2.0
+      path-type: 4.0.0
+    optionalDependencies:
+      typescript: 5.9.3
+
   create-ecdh@4.0.4:
     dependencies:
       bn.js: 4.12.3
@@ -11324,7 +11353,18 @@ snapshots:
     dependencies:
       '@rollup/pluginutils': 5.3.0(rollup@4.60.3)
       '@svgr/core': 8.1.0(typescript@5.6.2)
-      '@svgr/plugin-jsx': 8.1.0(@svgr/core@8.1.0(typescript@5.6.2))
+      '@svgr/plugin-jsx': 8.1.0(@svgr/core@8.1.0(typescript@5.9.3))
+      vite: 6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4)
+    transitivePeerDependencies:
+      - rollup
+      - supports-color
+      - typescript
+
+  vite-plugin-svgr@4.5.0(rollup@4.60.3)(typescript@5.9.3)(vite@6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4)):
+    dependencies:
+      '@rollup/pluginutils': 5.3.0(rollup@4.60.3)
+      '@svgr/core': 8.1.0(typescript@5.9.3)
+      '@svgr/plugin-jsx': 8.1.0(@svgr/core@8.1.0(typescript@5.9.3))
       vite: 6.4.2(@types/node@20.19.39)(terser@5.46.2)(yaml@2.8.4)
     transitivePeerDependencies:
       - rollup

tsconfig.json

@@ -3,7 +3,7 @@
   "compilerOptions": {
     "jsx": "react",
     "skipLibCheck": true,
-    "types": ["vitest/globals", "@testing-library/jest-dom"]
+    "types": ["vite/client", "vite-plugin-svgr/client", "vitest/globals", "@testing-library/jest-dom"]
   },
   "include": ["src"]
 }