407 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Null Pointer Nancy	f03a27bedc	Merge pull request 'Promote to uat: artifacthub-pkg.yml v1.0.1 with Gitea archive URL' (#184) from promote/uat-artifacthub-v1.0.1 into uat ... Promote to uat: artifacthub-pkg.yml v1.0.1 with Gitea archive URL (#184) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 00:45:09 +00:00
Chris Farhood	ec1acbb130	fix(ci): resolve merge conflict and sanitize reviews JSON ... Merge dev workflow fix (remove container/install step) and add python3 JSON roundtrip to handle Gitea API responses with control characters that break jq parsing. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 00:43:12 +00:00
Null Pointer Nancy	5907a494d0	chore(artifacthub): update to v1.0.1 with Gitea archive URL ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-21 00:19:15 +00:00
Chris Farhood	5e6cd6603b	Merge pull request #183 from gandalf/fix-promotion-gate-ci ... fix(dual-approval): remove container ubuntu:latest and Install dependencies step	2026-05-20 23:59:04 +00:00
Chris Farhood	d7cbe969fb	fix(dual-approval): remove container: ubuntu:latest and Install dependencies step ... The ubuntu-latest runner host already has curl, jq, and ca-certificates pre-installed. The apt-get update call inside the Docker container was failing due to broken container networking on the runner host (runs 577, 578), blocking PR #182 (dev→uat promotion). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 23:56:41 +00:00
Null Pointer Nancy	2ba0751443	Merge pull request 'chore(artifacthub): update to v1.0.1' (#181) from pri-1681-update-artifacthub-1.0.1 into dev ... chore(artifacthub): update to v1.0.1 with Gitea archive URL (#181) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 23:35:11 +00:00
Null Pointer Nancy	e52d995123	fix: use Gitea archive URL in annotation ... The GitHub release does not exist (404). Per board all-Gitea decision, archive URLs must point to git.farh.net. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 23:33:35 +00:00
Chris Farhood	791935947d	Fix install docs and archive URL to use GitHub (from QA review) ... - Restore install as multi-line Markdown guide (was replaced by url/digest object) - Point annotations.archive-url to github.com instead of git.farh.net	2026-05-20 23:30:11 +00:00
Null Pointer Nancy	639e4eaa68	fix: use Gitea archive URL per board all-Gitea decision ... The GitHub release for v1.0.1 does not exist (404). Per board decision (2026-05-16), all PE projects use Gitea releases. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 23:19:16 +00:00
Chris Farhood	69db99d3d1	chore(artifacthub): update to v1.0.1 ... Bumps version to 1.0.1, updates createdAt date, and points archive URL/checksum to the v1.0.1 GitHub release. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 23:04:55 +00:00
Null Pointer Nancy	7f03ae6265	Merge pull request 'promote: dev → uat (tarball grep fix for release workflow)' (#179) from dev into uat ... promote: dev → uat (tarball grep fix for release workflow) (#179)	2026-05-20 22:27:08 +00:00
Null Pointer Nancy	53fce54df8	Merge pull request 'fix: match .tar.gz instead of .tgz in release workflow grep pattern' (#178) from fix/release-tarball-pattern into dev ... fix: match .tar.gz instead of .tgz in release workflow grep pattern (#178) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 22:25:40 +00:00
Chris Farhood	6c6e8a55ce	fix: match .tar.gz instead of .tgz in release workflow grep pattern ... The headlamp-plugin package command outputs filenames with .tar.gz extension, not .tgz. This caused the "Get tarball path" step to fail (exit code 1) on the v1.0.1 release run #554. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 22:13:45 +00:00
Null Pointer Nancy	9502ca804d	Merge pull request 'promote: dev → uat (pnpm fix for release workflow)' (#175) from dev into uat ... promote: dev → uat (pnpm fix for release workflow) (#175)	2026-05-20 21:48:49 +00:00
Null Pointer Nancy	76d0e106b2	Merge pull request 'fix: add pnpm install step to release workflow' (#174) from gandalf/pri-1671-pnpm-install into dev ... fix: add pnpm install step to release workflow (#174)	2026-05-20 21:48:24 +00:00
Chris Farhood	63050174e9	fix: add pnpm install step to release workflow ... Add explicit pnpm installation before Install dependencies step. Without this, ubuntu-latest runner fails with 'pnpm: command not found' since pnpm is not bundled with the Node 20 action. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 21:39:46 +00:00
Chris Farhood	bfeb1068bb	fix(ci): add ca-certificates for SSL verification in promotion gate ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 21:20:53 +00:00
Gandalf the Greybeard	2aff05b632	fix(ci): use github.head_ref for SOURCE_REF detection in promotion gate ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 21:01:16 +00:00
Null Pointer Nancy	d37431ce8c	Merge pull request 'Promote dev → uat: include PRI-1660 dual-approval fix' (#173) from dev into uat ... Promote dev → uat: include PRI-1660 dual-approval fix (#173)	2026-05-20 20:48:31 +00:00
Gandalf the Greybeard	b2a97cdcad	Merge pull request 'fix(promotion-gate): restore inlined dual-approval to fix uat->main CI (PRI-1660)' (#172) from nancy/fix-dual-approval-uat-regress into dev	2026-05-20 20:40:48 +00:00
Null Pointer Nancy	73b2baec9d	fix(promotion-gate): restore inlined dual-approval from main (PRI-1660) ... PR #170 merged conflict with old uat version instead of inlined dev version. Restore inlined dual-approval.yaml to match main, fixing uat->main promotion gate. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 20:36:27 +00:00
Gandalf the Greybeard	36e220660d	Merge pull request 'Promote dev to uat (inline release and CI workflows)' (#170) from dev into uat	2026-05-20 20:24:46 +00:00
Chris Farhood	51e68b1b88	fix(promotion-gate): inline dual-approval-check workflow (PRI-1660)	2026-05-20 20:22:33 +00:00
Chris Farhood	48d704a6b6	fix(promotion-gate): inline dual-approval-check workflow (PRI-1660)	2026-05-20 20:20:45 +00:00
Chris Farhood	b0cefdbe24	fix: resolve ci.yaml conflict, use inlined version	2026-05-20 20:20:34 +00:00
Chris Farhood	92f8c958d8	fix(release): inline release workflow, remove broken .github reference (PRI-1660)	2026-05-20 20:19:01 +00:00
Chris Farhood	22fea9a99d	Merge remote-tracking branch 'origin/main' into dev	2026-05-20 20:14:59 +00:00
Gandalf the Greybeard	73fb1359ed	Merge pull request 'inline(release): replace broken reusable workflow with inlined steps' (#168) from gandalf/pri-1659-inline-release-workflow into dev	2026-05-20 20:04:38 +00:00
Chris Farhood	cf9e0513b9	fix(CI): inline ci.yaml, remove broken reusable workflow reference (PRI-1660)	2026-05-20 19:53:35 +00:00
Chris Farhood	733cfad8d3	inline(release): replace broken reusable workflow with inlined steps ... The reusable workflow reference to privilegedescalation/.github does not exist on Gitea, blocking the v1.0.1 release. This change inlines the build/package/release steps directly into release.yaml. Steps inlined: - actions/checkout@v4 - actions/setup-node@v4 (Node 20, pnpm cache) - pnpm install --frozen-lockfile - pnpm run build - pnpm run package (produces headlamp-polaris-{version}.tgz) - Gitea API: create release + upload tarball as asset Refs: PRI-1659, PRI-1634	2026-05-20 19:47:01 +00:00
Null Pointer Nancy	5aa54a526b	Merge pull request 'fix(CI): inline dual-approval-check, install curl/jq (PRI-1636)' (#167) from gandalf/pri-1636-inline-dual-approval into main ... Merge PR #167: Inline dual-approval workflow (PRI-1636)	2026-05-20 13:53:45 +00:00
Chris Farhood	83aa0329b3	fix(CI): add container ubuntu:latest for apt-get (PRI-1636) ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 13:38:46 +00:00
Chris Farhood	8f343be06d	fix(CI): inline dual-approval-check workflow, install curl/jq (PRI-1636) ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 13:27:20 +00:00
Countess von Containerheim	9dc5fd673d	fix(ci): inline CI workflow, remove reusable .github dependency (PRI-1630)	2026-05-20 10:45:01 +00:00
privilegedescalation-engineer[bot]	125b06734a	Merge pull request #164 from privilegedescalation/uat ... Promote uat to main	2026-05-14 03:16:38 +00:00
Chris Farhood	def89f8d71	Merge remote-tracking branch 'origin/uat' into dev	2026-05-14 03:06:01 +00:00
privilegedescalation-qa[bot]	90721641cc	Promote dev to uat ... Routine dev→uat promotion approved by QA (Regression Regina). All blockers resolved, CI passing.	2026-05-14 01:44:51 +00:00
Chris Farhood	af42d9c52a	Merge origin/uat into dev to resolve promotion conflicts ... Accept uat version for all conflicting files. Removes files deleted in uat (e2e-ci-runner-rbac.yaml, deploy/teardown-e2e-headlamp.sh). Resolves merge conflict blocking PR #163. Adds trailing newline to audit-ci.jsonc. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-14 01:25:10 +00:00
privilegedescalation-engineer[bot]	61582d7534	fix: remove stale package-lock.json causing npm install failures ... The project declares pnpm@10.32.1 as packageManager but had a committed package-lock.json. Running npm install produced a broken node_modules layout. Delete the stale lockfile and add it to .gitignore. Note: tests were failing before this change due to a missing tsconfig for vitest.setup.ts — tracked separately as pre-existing issue. Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-14 00:15:30 +00:00
privilegedescalation-engineer[bot]	f6a296df1b	fix: override fast-uri to patched version to resolve 2 high severity CVEs (#159) ... Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added fast-uri >=3.1.2 to pnpm overrides to address: - GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1) - GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2) Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps without direct override paths and do not affect production runtime. Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-13 17:43:20 +00:00
privilegedescalation-qa[bot]	d593a11fd9	fix: sync CI trigger branches on dev ... fix: sync CI trigger branches on dev	2026-05-13 13:18:34 +00:00
Chris Farhood	8fb9215933	feat(security): add audit-ci.jsonc allowlist for dev-branch CVEs ... CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do not ship in production plugin artifacts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-13 13:13:54 +00:00
Chris Farhood	35c09186df	fix: sync CI trigger branches on dev ... Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-13 13:00:27 +00:00
privilegedescalation-engineer[bot]	5744d9083f	chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855) ... QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.	2026-05-12 22:22:41 +00:00
privilegedescalation-ceo[bot]	34ea111776	Update CI and approval workflows for three-branch SDLC (#158) ... CI triggers on dev/uat/main. Promotion gate replaces dual-approval. Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-11 21:40:07 +00:00
privilegedescalation-engineer[bot]	398e3f3b95	docs: remove stale e2e command references from CLAUDE.md ... Removed lines 28-29 which listed ghost E2E commands (npm run e2e, npm run e2e:headed). The repo has no E2E files, no playwright.config.ts, no e2e/ directory, and no e2e script in package.json. Resolves: PRI-1147 Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-11 17:23:29 +00:00
privilegedescalation-ceo[bot]	1343ba3e65	chore: remove all E2E infrastructure — approach is dead ... Remove all E2E infrastructure — approach is dead	2026-05-11 09:22:58 +00:00
Chris Farhood	96145c21cb	fix: update pnpm-lock.yaml after removing @playwright/test ... The lockfile was out of sync with package.json after playwright removal, causing CI to fail with --frozen-lockfile. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-11 09:20:51 +00:00
Chris Farhood	a781027d3b	Remove all E2E infrastructure — approach is dead ... Delete the entire local E2E testing setup: - e2e/ directory (Playwright tests) - scripts/deploy-e2e-headlamp.sh and teardown-e2e-headlamp.sh - .github/workflows/e2e.yaml - deployment/ (RBAC files and PLUGIN_LOADING_FIX.md) - playwright.config.ts - E2E npm scripts and @playwright/test dependency - E2E-related .gitignore entries RBAC is managed by Flux GitOps in privilegedescalation/infra. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-11 01:15:39 +00:00
privilegedescalation-ceo[bot]	e2ae92648c	docs: replace hardcoded namespace with <your-namespace> placeholder ... * docs: update Headlamp install namespace references from kube-system to headlamp Updates all documentation references to the Headlamp install namespace from kube-system to headlamp as part of PRI-433. In-scope files updated: - README.md, SECURITY.md - docs/getting-started/installation.md, quick-start.md, prerequisites.md - docs/deployment/helm.md, kubernetes.md, production.md - docs/troubleshooting/README.md, common-issues.md, rbac-issues.md - docs/user-guide/configuration.md, rbac-permissions.md - docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md Out-of-scope (unchanged): - Source files referencing upstream workload namespace - RBAC manifests describing Polaris namespace (polaris ns is unchanged) - NetworkPolicy namespaceSelector (API server runs in kube-system) - design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns) Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: correct RBAC manifest per QA review (PRI-555) - Remove rbac.authorization.k8s.io privilege escalation block - Fix orphaned comment from round 1 - Add EOF newline - Keep serviceaccounts/token for E2E auth (confirmed needed) - Namespace already correct (privilegedescalation-dev) Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: replace hardcoded namespace with <your-namespace> placeholder Users choose their own namespace for Headlamp. Replace all hardcoded namespace references (headlamp, kube-system) in user-facing docs with <your-namespace> so users substitute their own value. Conventions: - Helm install: --namespace <your-namespace> --create-namespace - kubectl commands: -n <your-namespace> - YAML metadata: namespace: <your-namespace> - Prose: "the namespace where Headlamp is installed" Out-of-scope references left untouched: - kube-system in NetworkPolicy selectors (API server namespace) - polaris namespace references (upstream workload namespace) - Source code and test files Refs: PRI-433 Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder Prior commit was inconsistent — some files used <your-namespace> while DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide docs still hardcoded headlamp as the namespace. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-10 21:34:49 +00:00