The ubuntu-latest runner host already has curl, jq, and ca-certificates
pre-installed. The apt-get update call inside the Docker container was
failing due to broken container networking on the runner host (runs 577,
578), blocking PR #182 (dev→uat promotion).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The GitHub release does not exist (404). Per board all-Gitea
decision, archive URLs must point to git.farh.net.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Restore install as multi-line Markdown guide (was replaced by url/digest object)
- Point annotations.archive-url to github.com instead of git.farh.net
The GitHub release for v1.0.1 does not exist (404). Per board
decision (2026-05-16), all PE projects use Gitea releases.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Bumps version to 1.0.1, updates createdAt date, and points
archive URL/checksum to the v1.0.1 GitHub release.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The headlamp-plugin package command outputs filenames with .tar.gz extension,
not .tgz. This caused the "Get tarball path" step to fail (exit code 1) on
the v1.0.1 release run #554.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add explicit pnpm installation before Install dependencies step.
Without this, ubuntu-latest runner fails with 'pnpm: command not found'
since pnpm is not bundled with the Node 20 action.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR #170 merged conflict with old uat version instead of inlined dev version.
Restore inlined dual-approval.yaml to match main, fixing uat->main promotion gate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The project declares pnpm@10.32.1 as packageManager but had a committed
package-lock.json. Running npm install produced a broken node_modules
layout. Delete the stale lockfile and add it to .gitignore.
Note: tests were failing before this change due to a missing tsconfig
for vitest.setup.ts — tracked separately as pre-existing issue.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added
fast-uri >=3.1.2 to pnpm overrides to address:
- GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1)
- GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2)
Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps
without direct override paths and do not affect production runtime.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin
transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do
not ship in production plugin artifacts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Removed lines 28-29 which listed ghost E2E commands (npm run e2e, npm run e2e:headed). The repo has no E2E files, no playwright.config.ts, no e2e/ directory, and no e2e script in package.json.
Resolves: PRI-1147
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The lockfile was out of sync with package.json after playwright removal,
causing CI to fail with --frozen-lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)
- deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with
reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
message to reference infra path
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment
Infra RBAC is the source of truth managed by Flux GitOps. CI workflow
unchanged (Hugh owns .github/workflows/).
* chore: replace Dependabot references with Renovate
- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)
Closes PRI-389. Parent PRI-387.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities
Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling
Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).
Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The E2E workflow and deploy scripts were targeting the legacy
privilegedescalation-dev namespace, which is not managed by Flux GitOps
in privilegedescalation/infra.
The infra repo (PR #11) already provisions the headlamp-dev namespace
and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants
the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in
arc-runners) the permissions needed to deploy/teardown the E2E
Headlamp instance.
This change aligns all E2E infrastructure to use headlamp-dev:
- .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev
- scripts/deploy-e2e-headlamp.sh: default namespace and comments
- scripts/teardown-e2e-headlamp.sh: default namespace
- deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events
permission (already present in infra copy)
Refs: PRI-423
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: update pnpm-lock.yaml to satisfy lodash override
The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile
had an older version. Regenerated lockfile with pnpm install.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope heading locators to main content area
Fix E2E test failures by scoping heading locators to the main
content area instead of searching the entire page. This prevents
matching headings in the sidebar or other non-content areas.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): scope remaining getByText to main element
The 'Cluster Score' text matcher was still searching the entire page
instead of being scoped to the main content area. This could cause
false positives if the same text appears in the sidebar.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: trigger fresh E2E run
Re-pushing to trigger a new CI run since the last E2E was cancelled.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use [role=main] instead of main element
Switch from 'main' element selector to '[role="main"]' attribute
selector for better compatibility with Headlamp's app structure.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): hybrid approach - unscoped headings, main-scoped text
Use broader heading selectors matching intel-gpu pattern, but
keep text checks scoped to main element to avoid sidebar conflicts.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: re-test original code to verify baseline
---------
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Chris Farhood
Null Pointer Nancy
Gandalf the Greybeard
Countess von Containerheim
privilegedescalation-engineer[bot]