Null Pointer Nancy
a051ffafed
Merge pull request 'promote: uat → main (tarball grep fix for release workflow)' (#180) from uat into main
CI / ci (push) Successful in 41s
Merge PR #180: promote uat → main (tarball grep fix for release workflow)
v1.0.1
2026-05-20 22:49:51 +00:00
Null Pointer Nancy
7f03ae6265
Merge pull request 'promote: dev → uat (tarball grep fix for release workflow)' (#179) from dev into uat
CI / ci (push) Successful in 42s
CI / ci (pull_request) Successful in 40s
Promotion Gate / Promotion Gate (pull_request_review) Successful in 7s
Promotion Gate / Promotion Gate (pull_request) Successful in 8s
promote: dev → uat (tarball grep fix for release workflow) (#179)
2026-05-20 22:27:08 +00:00
Null Pointer Nancy
53fce54df8
Merge pull request 'fix: match .tar.gz instead of .tgz in release workflow grep pattern' (#178) from fix/release-tarball-pattern into dev
CI / ci (push) Successful in 39s
Promotion Gate / Promotion Gate (pull_request) Failing after 5s
CI / ci (pull_request) Successful in 41s
fix: match .tar.gz instead of .tgz in release workflow grep pattern (#178)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 22:25:40 +00:00
Chris Farhood
6c6e8a55ce
fix: match .tar.gz instead of .tgz in release workflow grep pattern
CI / ci (pull_request) Failing after 0s
Promotion Gate / promotion-gate (pull_request_review) Failing after 0s
The headlamp-plugin package command outputs filenames with .tar.gz extension,
not .tgz. This caused the "Get tarball path" step to fail (exit code 1) on
the v1.0.1 release run #554.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 22:13:45 +00:00
Countess von Containerheim
483348aef0
Merge pull request 'promote: uat → main (pnpm fix for release workflow)' (#176) from uat into main
CI / ci (push) Successful in 39s
CEO promotion merge: uat→main for v1.0.1 pnpm fix (PR #176)
2026-05-20 22:10:25 +00:00
Null Pointer Nancy
9502ca804d
Merge pull request 'promote: dev → uat (pnpm fix for release workflow)' (#175) from dev into uat
CI / ci (push) Successful in 43s
CI / ci (pull_request) Successful in 46s
Promotion Gate / Promotion Gate (pull_request_review) Successful in 8s
Promotion Gate / Promotion Gate (pull_request) Successful in 8s
promote: dev → uat (pnpm fix for release workflow) (#175)
2026-05-20 21:48:49 +00:00
Null Pointer Nancy
76d0e106b2
Merge pull request 'fix: add pnpm install step to release workflow' (#174) from gandalf/pri-1671-pnpm-install into dev
Promotion Gate / Promotion Gate (pull_request) Failing after 5s
CI / ci (push) Successful in 41s
CI / ci (pull_request) Successful in 42s
fix: add pnpm install step to release workflow (#174)
2026-05-20 21:48:24 +00:00
Chris Farhood
63050174e9
fix: add pnpm install step to release workflow
CI / ci (pull_request) Failing after 0s
Add explicit pnpm installation before Install dependencies step.
Without this, ubuntu-latest runner fails with 'pnpm: command not found'
since pnpm is not bundled with the Node 20 action.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 21:39:46 +00:00
Countess von Containerheim
cd1fa2613d
Merge pull request 'Promote uat to main (inline all workflows, trigger v1.0.1 release)' (#171) from uat into main
CI / ci (push) Successful in 40s
Promote uat to main: fix dual-approval SOURCE_REF detection and ca-certificates
2026-05-20 21:27:59 +00:00
Chris Farhood
bfeb1068bb
fix(ci): add ca-certificates for SSL verification in promotion gate
Promotion Gate / Promotion Gate (pull_request) Successful in 8s
CI / ci (push) Successful in 46s
CI / ci (pull_request) Successful in 45s
Promotion Gate / Promotion Gate (pull_request_review) Failing after 7s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 21:20:53 +00:00
Gandalf the Greybeard
2aff05b632
fix(ci): use github.head_ref for SOURCE_REF detection in promotion gate
Promotion Gate / Promotion Gate (pull_request) Failing after 6s
CI / ci (push) Successful in 42s
CI / ci (pull_request) Successful in 42s
Promotion Gate / Promotion Gate (pull_request_review) Failing after 6s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 21:01:16 +00:00
Null Pointer Nancy
d37431ce8c
Merge pull request 'Promote dev → uat: include PRI-1660 dual-approval fix' (#173) from dev into uat
Promotion Gate / Promotion Gate (pull_request) Failing after 8s
CI / ci (push) Successful in 44s
CI / ci (pull_request) Successful in 45s
Promote dev → uat: include PRI-1660 dual-approval fix (#173)
2026-05-20 20:48:31 +00:00
Gandalf the Greybeard
b2a97cdcad
Merge pull request 'fix(promotion-gate): restore inlined dual-approval to fix uat->main CI (PRI-1660)' (#172) from nancy/fix-dual-approval-uat-regress into dev
CI / ci (push) Successful in 39s
Promotion Gate / Promotion Gate (pull_request) Failing after 5s
CI / ci (pull_request) Successful in 40s
2026-05-20 20:40:48 +00:00
Null Pointer Nancy
73b2baec9d
fix(promotion-gate): restore inlined dual-approval from main (PRI-1660)
CI / ci (push) Successful in 45s
CI / ci (pull_request) Successful in 40s
PR #170 merged conflict with old uat version instead of inlined dev version.
Restore inlined dual-approval.yaml to match main, fixing uat->main promotion gate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 20:36:27 +00:00
Gandalf the Greybeard
36e220660d
Merge pull request 'Promote dev to uat (inline release and CI workflows)' (#170) from dev into uat
Promotion Gate / promotion-gate (pull_request) Failing after 0s
CI / ci (push) Successful in 42s
CI / ci (pull_request) Successful in 42s
Promotion Gate / promotion-gate (pull_request_review) Failing after 0s
2026-05-20 20:24:46 +00:00
Chris Farhood
51e68b1b88
fix(promotion-gate): inline dual-approval-check workflow (PRI-1660)
Promotion Gate / promotion-gate (pull_request) Failing after 0s
CI / ci (pull_request) Successful in 47s
CI / ci (push) Successful in 42s
2026-05-20 20:22:33 +00:00
Chris Farhood
48d704a6b6
fix(promotion-gate): inline dual-approval-check workflow (PRI-1660)
Promotion Gate / promotion-gate (pull_request) Failing after 1s
CI / ci (pull_request) Successful in 43s
CI / ci (push) Successful in 45s
2026-05-20 20:20:45 +00:00
Chris Farhood
b0cefdbe24
fix: resolve ci.yaml conflict, use inlined version
2026-05-20 20:20:34 +00:00
Chris Farhood
92f8c958d8
fix(release): inline release workflow, remove broken .github reference (PRI-1660)
Promotion Gate / Promotion Gate (pull_request) Failing after 6s
CI / ci (push) Successful in 44s
CI / ci (pull_request) Successful in 46s
2026-05-20 20:19:01 +00:00
Chris Farhood
22fea9a99d
Merge remote-tracking branch 'origin/main' into dev
CI / ci (push) Successful in 42s
CI / ci (pull_request) Successful in 46s
Promotion Gate / Promotion Gate (pull_request) Failing after 9s
2026-05-20 20:14:59 +00:00
Gandalf the Greybeard
73fb1359ed
Merge pull request 'inline(release): replace broken reusable workflow with inlined steps' (#168) from gandalf/pri-1659-inline-release-workflow into dev
Promotion Gate / promotion-gate (pull_request) Failing after 0s
CI / ci (push) Successful in 39s
CI / ci (pull_request) Successful in 42s
2026-05-20 20:04:38 +00:00
Chris Farhood
cf9e0513b9
fix(CI): inline ci.yaml, remove broken reusable workflow reference (PRI-1660)
CI / ci (pull_request) Successful in 37s
2026-05-20 19:53:35 +00:00
Chris Farhood
733cfad8d3
inline(release): replace broken reusable workflow with inlined steps
CI / ci (pull_request) Failing after 0s
The reusable workflow reference to privilegedescalation/.github does not
exist on Gitea, blocking the v1.0.1 release. This change inlines the
build/package/release steps directly into release.yaml.
Steps inlined:
- actions/checkout@v4
- actions/setup-node@v4 (Node 20, pnpm cache)
- pnpm install --frozen-lockfile
- pnpm run build
- pnpm run package (produces headlamp-polaris-{version}.tgz)
- Gitea API: create release + upload tarball as asset
Refs: PRI-1659, PRI-1634
2026-05-20 19:47:01 +00:00
Null Pointer Nancy
5aa54a526b
Merge pull request 'fix(CI): inline dual-approval-check, install curl/jq (PRI-1636)' (#167) from gandalf/pri-1636-inline-dual-approval into main
CI / ci (push) Successful in 40s
Merge PR #167: Inline dual-approval workflow (PRI-1636)
2026-05-20 13:53:45 +00:00
Chris Farhood
83aa0329b3
fix(CI): add container ubuntu:latest for apt-get (PRI-1636)
CI / ci (push) Successful in 43s
CI / ci (pull_request) Successful in 46s
Promotion Gate / Promotion Gate (pull_request) Failing after 8s
Promotion Gate / Promotion Gate (pull_request_review) Failing after 5s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 13:38:46 +00:00
Chris Farhood
8f343be06d
fix(CI): inline dual-approval-check workflow, install curl/jq (PRI-1636)
Promotion Gate / Promotion Gate (pull_request) Failing after 0s
CI / ci (pull_request) Successful in 42s
CI / ci (push) Successful in 46s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-20 13:27:20 +00:00
Countess von Containerheim
9dc5fd673d
fix(ci): inline CI workflow, remove reusable .github dependency (PRI-1630)
Promotion Gate / promotion-gate (pull_request) Failing after 0s
CI / ci (pull_request) Successful in 50s
CI / ci (push) Successful in 46s
2026-05-20 10:45:01 +00:00
privilegedescalation-engineer[bot]
125b06734a
Merge pull request #164 from privilegedescalation/uat
Promote uat to main
2026-05-14 03:16:38 +00:00
Chris Farhood
def89f8d71
Merge remote-tracking branch 'origin/uat' into dev
2026-05-14 03:06:01 +00:00
privilegedescalation-qa[bot]
90721641cc
Promote dev to uat
Routine dev→uat promotion approved by QA (Regression Regina). All blockers resolved, CI passing.
2026-05-14 01:44:51 +00:00
Chris Farhood
af42d9c52a
Merge origin/uat into dev to resolve promotion conflicts
Accept uat version for all conflicting files. Removes files deleted in uat
(e2e-ci-runner-rbac.yaml, deploy/teardown-e2e-headlamp.sh).
Resolves merge conflict blocking PR #163. Adds trailing newline to audit-ci.jsonc.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-14 01:25:10 +00:00
privilegedescalation-engineer[bot]
61582d7534
fix: remove stale package-lock.json causing npm install failures
The project declares pnpm@10.32.1 as packageManager but had a committed
package-lock.json. Running npm install produced a broken node_modules
layout. Delete the stale lockfile and add it to .gitignore.
Note: tests were failing before this change due to a missing tsconfig
for vitest.setup.ts — tracked separately as pre-existing issue.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 00:15:30 +00:00
privilegedescalation-engineer[bot]
f6a296df1b
fix: override fast-uri to patched version to resolve 2 high severity CVEs (#159)
Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added
fast-uri >=3.1.2 to pnpm overrides to address:
- GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1)
- GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2)
Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps
without direct override paths and do not affect production runtime.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-13 17:43:20 +00:00
privilegedescalation-qa[bot]
d593a11fd9
fix: sync CI trigger branches on dev
fix: sync CI trigger branches on dev
2026-05-13 13:18:34 +00:00
Chris Farhood
8fb9215933
feat(security): add audit-ci.jsonc allowlist for dev-branch CVEs
CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin
transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do
not ship in production plugin artifacts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 13:13:54 +00:00
Chris Farhood
35c09186df
fix: sync CI trigger branches on dev
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-13 13:00:27 +00:00
privilegedescalation-engineer[bot]
5744d9083f
chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855)
QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.
2026-05-12 22:22:41 +00:00
privilegedescalation-ceo[bot]
34ea111776
Update CI and approval workflows for three-branch SDLC (#158)
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-11 21:40:07 +00:00
privilegedescalation-engineer[bot]
398e3f3b95
docs: remove stale e2e command references from CLAUDE.md
Removed lines 28-29 which listed ghost E2E commands (npm run e2e, npm run e2e:headed). The repo has no E2E files, no playwright.config.ts, no e2e/ directory, and no e2e script in package.json.
Resolves: PRI-1147
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-11 17:23:29 +00:00
privilegedescalation-ceo[bot]
1343ba3e65
chore: remove all E2E infrastructure — approach is dead
Remove all E2E infrastructure — approach is dead
2026-05-11 09:22:58 +00:00
Chris Farhood
96145c21cb
fix: update pnpm-lock.yaml after removing @playwright/test
The lockfile was out of sync with package.json after playwright removal,
causing CI to fail with --frozen-lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-11 09:20:51 +00:00
Chris Farhood
a781027d3b
Remove all E2E infrastructure — approach is dead
Delete the entire local E2E testing setup:
- e2e/ directory (Playwright tests)
- scripts/deploy-e2e-headlamp.sh and teardown-e2e-headlamp.sh
- .github/workflows/e2e.yaml
- deployment/ (RBAC files and PLUGIN_LOADING_FIX.md)
- playwright.config.ts
- E2E npm scripts and @playwright/test dependency
- E2E-related .gitignore entries
RBAC is managed by Flux GitOps in privilegedescalation/infra.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-11 01:15:39 +00:00
privilegedescalation-ceo[bot]
e2ae92648c
docs: replace hardcoded namespace with <your-namespace> placeholder
* docs: update Headlamp install namespace references from kube-system to headlamp
Updates all documentation references to the Headlamp install namespace
from kube-system to headlamp as part of PRI-433.
In-scope files updated:
- README.md, SECURITY.md
- docs/getting-started/installation.md, quick-start.md, prerequisites.md
- docs/deployment/helm.md, kubernetes.md, production.md
- docs/troubleshooting/README.md, common-issues.md, rbac-issues.md
- docs/user-guide/configuration.md, rbac-permissions.md
- docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md
Out-of-scope (unchanged):
- Source files referencing upstream workload namespace
- RBAC manifests describing Polaris namespace (polaris ns is unchanged)
- NetworkPolicy namespaceSelector (API server runs in kube-system)
- design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: correct RBAC manifest per QA review (PRI-555)
- Remove rbac.authorization.k8s.io privilege escalation block
- Fix orphaned comment from round 1
- Add EOF newline
- Keep serviceaccounts/token for E2E auth (confirmed needed)
- Namespace already correct (privilegedescalation-dev)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* docs: replace hardcoded namespace with <your-namespace> placeholder
Users choose their own namespace for Headlamp. Replace all hardcoded
namespace references (headlamp, kube-system) in user-facing docs with
<your-namespace> so users substitute their own value.
Conventions:
- Helm install: --namespace <your-namespace> --create-namespace
- kubectl commands: -n <your-namespace>
- YAML metadata: namespace: <your-namespace>
- Prose: "the namespace where Headlamp is installed"
Out-of-scope references left untouched:
- kube-system in NetworkPolicy selectors (API server namespace)
- polaris namespace references (upstream workload namespace)
- Source code and test files
Refs: PRI-433
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder
Prior commit was inconsistent — some files used <your-namespace> while
DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide
docs still hardcoded headlamp as the namespace.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-10 21:34:49 +00:00
privilegedescalation-engineer[bot]
7a0c068a93
fix: override elliptic for GHSA-848j-6mx2-7j84
* fix: add elliptic override for GHSA-848j-6mx2-7j84
Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).
Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic
Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* chore: regenerate pnpm-lock.yaml with elliptic override
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-06 02:14:10 +00:00
privilegedescalation-engineer[bot]
2d629809a2
fix: add markdownlint config for headlamp-polaris-plugin (#141)
Co-authored-by: Chris Farhood <chris@farhood.org>
2026-05-06 00:43:48 +00:00
privilegedescalation-engineer[bot]
3fe787a550
Fix E2E kubeconfig: locate kubeconfig before RBAC step (#144)
All pipeline gates satisfied: CI ✓, E2E ✓, UAT (Patty/PRI-792) ✓, QA (Regina/PRI-786) ✓, CTO (Nancy) ✓. Resolves PRI-785 and PRI-324.
2026-05-05 21:25:54 +00:00
Chris Farhood
1f02811731
Reference shared infra RBAC in deployment scripts
PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)
- deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with
reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
message to reference infra path
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment
Infra RBAC is the source of truth managed by Flux GitOps. CI workflow
unchanged (Hugh owns .github/workflows/).
2026-05-05 16:52:49 +00:00
Chris Farhood
7b58f684cf
fix: correct RBAC manifest per QA review (PRI-555)
- Remove rbac.authorization.k8s.io privilege escalation block
- Fix orphaned comment from round 1
- Add EOF newline
- Keep serviceaccounts/token for E2E auth (confirmed needed)
- Namespace already correct (privilegedescalation-dev)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 00:45:38 +00:00
privilegedescalation-engineer[bot]
aa1db9215a
fix: patch high-severity vulnerabilities in picomatch and vite (#128)
* chore: replace Dependabot references with Renovate
- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)
Closes PRI-389. Parent PRI-387.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities
Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling
Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).
Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 11:01:53 +00:00
privilegedescalation-engineer[bot]
202ce66c61
fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130)
The E2E workflow and deploy scripts were targeting the legacy
privilegedescalation-dev namespace, which is not managed by Flux GitOps
in privilegedescalation/infra.
The infra repo (PR #11) already provisions the headlamp-dev namespace
and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants
the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in
arc-runners) the permissions needed to deploy/teardown the E2E
Headlamp instance.
This change aligns all E2E infrastructure to use headlamp-dev:
- .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev
- scripts/deploy-e2e-headlamp.sh: default namespace and comments
- scripts/teardown-e2e-headlamp.sh: default namespace
- deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events
permission (already present in infra copy)
Refs: PRI-423
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 10:50:27 +00:00