Replace privilegedescalation-dev with headlamp-dev namespace

Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix: patch high-severity vulnerabilities in picomatch and vite (#128 )
2026-05-05 01:47:25 +00:00 · 2026-05-04 11:01:53 +00:00 · 2026-05-04 10:50:27 +00:00 · 2026-05-03 17:43:58 +00:00 · 2026-04-15 03:33:19 +00:00 · 2026-03-24 22:26:32 +00:00
12 changed files with 584 additions and 181 deletions
@@ -16,3 +16,5 @@ jobs:
  dual-approval:
    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
@@ -10,9 +10,22 @@ on:
 permissions:
  contents: read

+# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
+# headlamp-dev cannot be shared across concurrent runs.
+# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
+# runs may skip the if:always() teardown, leaving dangling cluster resources.
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
 env:
-  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_NAMESPACE: headlamp-dev
  E2E_RELEASE: headlamp-e2e
+  # Pin to a known-good Headlamp version. Using :latest is risky because
+  # the tag can change between CI runs, causing flaky failures when a newer
+  # image is pulled on some nodes but not others (IfNotPresent pull policy).
+  # Update this when Headlamp is upgraded in production (kube-system).
+  HEADLAMP_VERSION: v0.40.1

 jobs:
  e2e:
@@ -59,6 +72,16 @@ jobs:
          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}

+      - name: Collect deployment diagnostics on failure
+        if: failure()
+        run: |
+          echo "=== Pod state ==="
+          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Pod describe ==="
+          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Recent namespace events ==="
+          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
+
      - name: Teardown E2E instance
        if: always()
        run: scripts/teardown-e2e-headlamp.sh
@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 **Action Items:**
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
- [ ] Integrate Dependabot
+- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
 - [ ] Add semantic-release

 ---
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:

 The project uses:
 - **npm audit**: Runs automatically during `npm install`
- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
+- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit

 ### Updating Dependencies
@@ -57,7 +57,7 @@ changes:
  - kind: added
    description: ExemptionManager test suite — full coverage of annotation-based exemption flows
  - kind: fixed
-    description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in privilegedescalation-dev namespace
+    description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in headlamp-dev namespace
  - kind: fixed
    description: E2E workflow uses token auth and waits for HTTP reachability before running tests
  - kind: fixed
@@ -2,26 +2,26 @@
 # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in the privilegedescalation-dev
+# Grants the ARC runner service account permissions in the headlamp-dev
 # namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
 #
 # Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 #
-# Prerequisites:
-#   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
+# and managed by Flux GitOps. The infra repo is the source of truth.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: e2e-ci-runner
-  namespace: privilegedescalation-dev
+  namespace: headlamp-dev
 rules:
  # Helm needs to manage these resources for the Headlamp chart
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
  - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
@@ -35,7 +35,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: e2e-ci-runner-binding
-  namespace: privilegedescalation-dev
+  namespace: headlamp-dev
 subjects:
  - kind: ServiceAccount
    name: runners-privilegedescalation-gha-rs-no-permission
@@ -45,8 +45,12 @@ async function authenticateWithToken(page: Page, token: string): Promise<void> {
  await page.waitForURL(/\/(login|token)$/);

  if (page.url().includes('/login')) {
-    // OIDC login page — click "use a token" to reach token auth
-    await page.getByRole('button', { name: /use a token/i }).click();
+    // OIDC login page — click "use a token" to reach token auth.
+    // Wait explicitly before clicking so failures surface at 15 s
+    // with a clear message rather than silently timing out at 60 s.
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
    await page.waitForURL('**/token');
  }

@@ -35,7 +35,10 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
+      "lodash": ">=4.18.0",
+      "picomatch": ">=4.0.4",
+      "vite": ">=6.4.2"
    }
  },
  "devDependencies": {
@@ -1,21 +1,5 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"],
-  "baseBranches": ["main"],
-  "schedule": ["every weekend"],
-  "prConcurrentLimit": 10,
-  "pinDigests": true,
-  "packageRules": [
-    {
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "npm minor and patch"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
-    }
-  ]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }

@@ -5,26 +5,26 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
-# persists beyond the test run — teardown cleans up all created resources.
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# persists beyond a test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
-#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail

 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"

-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
-HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"

 if [ ! -d "$DIST_DIR" ]; then
  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
@@ -58,6 +58,16 @@ kubectl create configmap headlamp-polaris-plugin \
  --from-file="$DIST_DIR" \
  --from-file=package.json="$REPO_ROOT/package.json"

+# --- Tear down any existing E2E deployment for a clean start ---
+# kubectl apply without prior deletion only patches in-place: if the pod spec is
+# unchanged between runs, no new rollout is triggered and a degraded pod keeps
+# serving. Delete first to guarantee a fresh pod regardless of prior state.
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
 # --- Deploy Headlamp via kubectl apply ---
 echo ""
 echo "Deploying Headlamp E2E instance..."
@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail

 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"

 echo "=== E2E Headlamp Teardown ==="
Author	SHA1	Message	Date
Chris Farhood	ba0848dd54	Replace privilegedescalation-dev with headlamp-dev namespace Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 01:47:25 +00:00
privilegedescalation-engineer[bot]	aa1db9215a	fix: patch high-severity vulnerabilities in picomatch and vite (#128 ) * chore: replace Dependabot references with Renovate - SECURITY.md: update to mention Renovate (org-wide Mend Renovate) - PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config) Closes PRI-389. Parent PRI-387. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities Resolves 3 high-severity vulnerabilities from pnpm audit: - GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4) - GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket - GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection). Remaining vulnerabilities (moderate/low) are in transitive dependencies managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config which require upstream updates to those packages. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 11:01:53 +00:00
privilegedescalation-engineer[bot]	202ce66c61	fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130 ) The E2E workflow and deploy scripts were targeting the legacy privilegedescalation-dev namespace, which is not managed by Flux GitOps in privilegedescalation/infra. The infra repo (PR #11) already provisions the headlamp-dev namespace and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in arc-runners) the permissions needed to deploy/teardown the E2E Headlamp instance. This change aligns all E2E infrastructure to use headlamp-dev: - .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev - scripts/deploy-e2e-headlamp.sh: default namespace and comments - scripts/teardown-e2e-headlamp.sh: default namespace - deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events permission (already present in infra copy) Refs: PRI-423 Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 10:50:27 +00:00
privilegedescalation-engineer[bot]	58c9597388	fix: override lodash >=4.18.0 to patch code injection vulnerability (#120 ) * fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: update pnpm-lock.yaml to satisfy lodash override The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile had an older version. Regenerated lockfile with pnpm install. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope heading locators to main content area Fix E2E test failures by scoping heading locators to the main content area instead of searching the entire page. This prevents matching headings in the sidebar or other non-content areas. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope remaining getByText to main element The 'Cluster Score' text matcher was still searching the entire page instead of being scoped to the main content area. This could cause false positives if the same text appears in the sidebar. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: trigger fresh E2E run Re-pushing to trigger a new CI run since the last E2E was cancelled. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): use [role=main] instead of main element Switch from 'main' element selector to '[role="main"]' attribute selector for better compatibility with Headlamp's app structure. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): hybrid approach - unscoped headings, main-scoped text Use broader heading selectors matching intel-gpu pattern, but keep text checks scoped to main element to avoid sidebar conflicts. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: re-test original code to verify baseline --------- Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-03 17:43:58 +00:00
privilegedescalation-engineer[bot]	dff1265435	fix: pass pr_number to dual-approval-check workflow (#119 ) Companion PR to privilegedescalation/.github#81 Co-authored-by: Hugh Hackman <hugh@paperclip.ing> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-15 03:33:19 +00:00
privilegedescalation-ceo[bot]	7c58826668	Merge pull request #117 from privilegedescalation/ci/e2e-deploy-diagnostics ci(e2e): add deployment diagnostics step on failure	2026-03-24 22:26:32 +00:00
privilegedescalation-engineer[bot]	4edc829b3f	ci(e2e): add deployment diagnostics step on failure When the E2E deploy step fails (rollout timeout, pod not ready, etc.), previously required manual cluster investigation to diagnose the root cause. This heartbeat had to grep CI logs and query kubectl separately to determine a :latest image drift issue. The new step captures pod state, pod describe output, and recent namespace events immediately when a failure occurs — surfacing the root cause directly in the CI run log. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 21:57:58 +00:00
privilegedescalation-ceo[bot]	8f10be39bd	Merge pull request #116 from privilegedescalation/fix/pin-headlamp-version-e2e fix(e2e): pin Headlamp image to v0.40.1 instead of :latest	2026-03-24 21:42:51 +00:00
privilegedescalation-engineer[bot]	27212a91e1	fix(e2e): pin Headlamp image to v0.40.1 instead of :latest The :latest tag caused E2E flakiness when a newer Headlamp image was pulled on some cluster nodes (IfNotPresent policy) but not others. Concurrent E2E runs on main saw different image versions, and the newest :latest (sha256:89c6c65) failed to pass the readiness probe within 120s. Pin to v0.40.1 — the same version running in production (kube-system) — so all nodes use the same cached digest and CI is deterministic. Update this pin when Headlamp is upgraded in production. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 21:28:38 +00:00
privilegedescalation-ceo[bot]	7b72306133	Merge pull request #109 from privilegedescalation/feat/renovate-extend-org-config feat: extend Renovate config from org-level preset	2026-03-24 18:45:58 +00:00
privilegedescalation-ceo[bot]	e16e6255d0	Merge pull request #110 from privilegedescalation/ci/e2e-concurrency-guard ci: add concurrency guard to E2E workflow	2026-03-24 18:45:55 +00:00
privilegedescalation-ceo[bot]	4beb0c4d0e	Merge pull request #113 from privilegedescalation/fix/e2e-clean-deploy fix(e2e): clean-delete existing deployment before redeploy for guaranteed fresh pod	2026-03-24 18:45:52 +00:00
Gandalf the Greybeard	175d3ec6a2	fix(e2e): clean-delete existing deployment before redeploy for guaranteed fresh pod kubectl apply without prior deletion patches in place: if the pod spec is unchanged between runs, no rollout is triggered and a potentially degraded pod from a prior run keeps serving. This caused the auth.setup.ts timeout (waiting for the "use a token" button) even when no concurrent runs were present — the headlamp-e2e pod was in an inconsistent state from a previous run that didn't tear down cleanly. Changes: - deploy-e2e-headlamp.sh: delete Deployment, Service, and ServiceAccount (with --wait) before applying, guaranteeing a fresh pod each run - auth.setup.ts: add explicit waitFor({ state: 'visible', timeout: 15_000 }) before the "use a token" button click, so failures surface at 15 s with a clear locator error rather than silently timing out at 60 s Fixes the pre-existing infra issue blocking PR#110. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-24 16:40:30 +00:00
privilegedescalation-engineer[bot]	e63cd03267	fix(e2e): use cancel-in-progress: false to prevent dangling cluster resources cancel-in-progress: true would cancel in-flight E2E runs when a new one arrives. GitHub Actions does not guarantee that if: always() steps run on cancelled jobs, so teardown-e2e-headlamp.sh may be skipped — leaving the headlamp-e2e Deployment/Service/ConfigMap dangling in privilegedescalation-dev. Switching to false (queue) ensures the running job always completes its teardown before the next run starts. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 16:34:36 +00:00
privilegedescalation-engineer[bot]	4d878c8737	ci: add concurrency guard to E2E workflow Prevents parallel E2E runs from conflicting over the shared headlamp-e2e Helm release in privilegedescalation-dev. With cancel-in-progress: true, a new push cancels any in-progress run on the same repo — only one E2E suite runs at a time. Observed failure: PR#109 and PR#108 ran concurrently and the auth setup in PR#109 timed out, likely due to resource contention on the shared headlamp-e2e instance. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 16:27:52 +00:00
Hugh Hackman	490807cef6	feat: extend Renovate config from org-level preset Replaces the duplicated Renovate config with a simple extend from the org-level preset (privilegedescalation/.github:renovate-config). All rules (schedule, pinDigests, npm/github-actions minor+patch+major groups) are now inherited from the org config, which was updated in PR #66 to add major-version update rules for GitHub Actions. This eliminates config drift between repos and reduces maintenance toil — future rule changes only need to be made in one place. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-24 16:16:15 +00:00