fix: correct archive checksum and automate CI updates (#1)

## Summary
- Fix the v0.0.1 archive checksum in `artifacthub-pkg.yml` to match the actual GitHub release tarball (was causing "Checksum mismatch" on Headlamp plugin install)
- Gitea CI now computes the checksum after packaging and updates `artifacthub-pkg.yml` on `main` via the Gitea API, then uploads the **same tarball** to GitHub releases (requires `GH_PAT` secret) so both releases serve identical artifacts
- GitHub CI becomes a fallback — skips entirely if the Gitea CI already created the release, preventing a second build from producing a mismatched tarball

## Setup required
Add a `GH_PAT` secret to the Gitea repo containing a GitHub personal access token with `repo` scope. Without it, the GitHub release step gracefully skips and the GitHub Actions fallback handles it.

## Test plan
- [ ] Verify `GH_PAT` secret is set in Gitea repo settings
- [ ] Tag and push a new release (`v0.0.2`)
- [ ] Confirm Gitea CI updates `artifacthub-pkg.yml` checksum on `main`
- [ ] Confirm GitHub release is created by Gitea CI with matching tarball
- [ ] Confirm GitHub Actions fallback skips (release already exists)
- [ ] Verify Headlamp plugin installs without checksum mismatch

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Chris Farhood <chris@farhood.org>
Reviewed-on: farhoodliquor/polaris-headlamp-plugin#1
Co-authored-by: claude <no-reply.claude@farh.net>
Co-committed-by: claude <no-reply.claude@farh.net>

.gitea/workflows/release.yaml

@@ -22,6 +22,32 @@ jobs:
       - name: Package tarball
         run: npx @kinvolk/headlamp-plugin package
 
+      - name: Compute tarball checksum
+        run: |
+          TARBALL=$(ls *.tar.gz)
+          CHECKSUM=$(sha256sum "$TARBALL" | awk '{print $1}')
+          echo "TARBALL=$TARBALL" >> $GITHUB_ENV
+          echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
+          echo "Tarball: $TARBALL"
+          echo "Checksum: sha256:$CHECKSUM"
+
+      - name: Update artifacthub-pkg.yml on main
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
+          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/${GITHUB_REF_NAME}/polaris-headlamp-plugin-${VERSION}.tar.gz\"|" artifacthub-pkg.yml
+          sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
+          FILE_SHA=$(curl -sf \
+            -H "Authorization: token ${{ github.token }}" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/contents/artifacthub-pkg.yml?ref=main" \
+            | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).sha))")
+          CONTENT=$(base64 -w 0 artifacthub-pkg.yml)
+          curl -sf -X PUT \
+            -H "Authorization: token ${{ github.token }}" \
+            -H "Content-Type: application/json" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/contents/artifacthub-pkg.yml" \
+            -d "{\"content\":\"${CONTENT}\",\"sha\":\"${FILE_SHA}\",\"message\":\"ci: update artifact hub metadata for ${GITHUB_REF_NAME}\",\"branch\":\"main\"}"
+
       - name: Install Docker CLI
         run: apt-get update && apt-get install -y docker.io
 
@@ -34,9 +60,35 @@ jobs:
           docker push git.farh.net/${{ github.repository }}:${{ github.ref_name }}
           docker push git.farh.net/${{ github.repository }}:latest
 
-      - name: Create release
+      - name: Create Gitea release
         uses: akkuman/gitea-release-action@v1
         with:
           files: |
             *.tar.gz
           token: ${{ github.token }}
+
+      - name: Create GitHub release
+        continue-on-error: true
+        run: |
+          RELEASE_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST \
+            -H "Authorization: token ${{ secrets.GH_PAT }}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/cpfarhood/polaris-headlamp-plugin/releases" \
+            -d "{\"tag_name\":\"${GITHUB_REF_NAME}\",\"name\":\"${GITHUB_REF_NAME}\",\"generate_release_notes\":true}")
+          HTTP_CODE=$(echo "$RELEASE_RESPONSE" | tail -1)
+          BODY=$(echo "$RELEASE_RESPONSE" | sed '$d')
+          if [ "$HTTP_CODE" = "422" ]; then
+            echo "Release already exists, fetching it..."
+            BODY=$(curl -sf \
+              -H "Authorization: token ${{ secrets.GH_PAT }}" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/cpfarhood/polaris-headlamp-plugin/releases/tags/${GITHUB_REF_NAME}")
+          fi
+          RELEASE_ID=$(echo "$BODY" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
+          echo "Release ID: $RELEASE_ID"
+          curl -sf -X POST \
+            -H "Authorization: token ${{ secrets.GH_PAT }}" \
+            -H "Content-Type: application/gzip" \
+            "https://uploads.github.com/repos/cpfarhood/polaris-headlamp-plugin/releases/${RELEASE_ID}/assets?name=${TARBALL}" \
+            --data-binary "@${TARBALL}"
+          echo "GitHub release created with same tarball (checksum guaranteed to match)"

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: GitHub Release
+name: GitHub Release (fallback)
 
 on:
   push:
@@ -12,25 +12,44 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
+      - name: Check if release already exists
+        id: check
+        run: |
+          if gh release view "${{ github.ref_name }}" --repo "${{ github.repository }}" &>/dev/null; then
+            echo "Release ${{ github.ref_name }} already exists (created by Gitea CI), skipping."
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "No existing release found, building as fallback."
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Checkout
+        if: steps.check.outputs.exists == 'false'
         uses: actions/checkout@v4
 
       - name: Setup Node.js
+        if: steps.check.outputs.exists == 'false'
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
+        if: steps.check.outputs.exists == 'false'
         run: npm ci
 
       - name: Build plugin
+        if: steps.check.outputs.exists == 'false'
         run: npx @kinvolk/headlamp-plugin build
 
       - name: Package tarball
+        if: steps.check.outputs.exists == 'false'
         run: npx @kinvolk/headlamp-plugin package
 
       - name: Create GitHub Release
+        if: steps.check.outputs.exists == 'false'
         uses: softprops/action-gh-release@v2
         with:
           files: "*.tar.gz"

artifacthub-pkg.yml

@@ -1,4 +1,4 @@
-version: 0.0.1
+version: 0.0.2
 name: polaris-headlamp-plugin
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
@@ -24,5 +24,5 @@ maintainers:
 annotations:
   headlamp/plugin/archive-url: "https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/v0.0.1/polaris-headlamp-plugin-0.0.1.tar.gz"
   headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:456f09cf8b126816b80c723b6c6f300b2af0c2e1288ee67da13f435b0e35c04d
+  headlamp/plugin/archive-checksum: sha256:f76db2b6f6944341fad3d61e2250d2d73d64529d1c22333ca4678ba16fa5f300
   headlamp/plugin/distro-compat: in-cluster

package.json

@@ -1,6 +1,6 @@
 {
   "name": "polaris-headlamp-plugin",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Headlamp plugin for Fairwinds Polaris audit results",
   "scripts": {
     "start": "headlamp-plugin start",