Compare commits

..

1 Commits

Author SHA1 Message Date
Chris Farhood 48d704a6b6 fix(promotion-gate): inline dual-approval-check workflow (PRI-1660)
Promotion Gate / promotion-gate (pull_request) Failing after 1s
CI / ci (pull_request) Successful in 43s
CI / ci (push) Successful in 45s
2026-05-20 20:20:45 +00:00
3 changed files with 51 additions and 150 deletions
+5 -96
View File
@@ -1,5 +1,6 @@
name: Promotion Gate
# Calls the shared promotion gate workflow.
# dev PRs: no gate (engineer self-merges).
# uat PRs: QA approval required.
# main PRs: UAT approval required (uat→main promotions).
@@ -13,100 +14,8 @@ on:
jobs:
promotion-gate:
name: Promotion Gate
runs-on: ubuntu-latest
timeout-minutes: 5
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
secrets: inherit
with:
pr_number: ${{ github.event.pull_request.number }}
steps:
- name: Check promotion approval
env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.repository }}
BASE_REF: ${{ github.base_ref }}
run: |
if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
echo "::notice::No PR number in context. Skipping promotion gate."
exit 0
fi
echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
BASE_REF=$(curl -sf \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Accept: application/json" \
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
fi
# Determine required reviewer based on target branch
case "${BASE_REF}" in
dev)
echo "Target is dev — no review required. Engineers self-merge."
exit 0
;;
uat)
REQUIRED_REVIEWER="pe_regina"
GATE_NAME="QA"
;;
main)
REQUIRED_REVIEWER="pe_regina"
GATE_NAME="QA"
# For plugin repos (Pipeline A), UAT approval is needed for uat→main
# Check if the source branch is uat
SOURCE_REF=$(curl -sf \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Accept: application/json" \
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
if [ "${SOURCE_REF}" = "uat" ]; then
REQUIRED_REVIEWER="pe_patty"
GATE_NAME="UAT"
fi
;;
*)
echo "::notice::Target branch '${BASE_REF}' has no promotion gate configured."
exit 0
;;
esac
echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
# For uat→main promotions, pe_patty may not be able to review (bot account).
# Accept pe_nancy (CTO) as a valid alternative reviewer.
ALT_REVIEWER=""
if [ "${REQUIRED_REVIEWER}" = "pe_patty" ]; then
ALT_REVIEWER="pe_nancy"
fi
REVIEWS=$(curl -sf \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Accept: application/json" \
"https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
exit 1
fi
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
# Fallback: check if CTO approved as alternative for uat→main
if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
if [ "${REVIEWER_APPROVED}" = "true" ]; then
echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
fi
fi
if [ "${REVIEWER_APPROVED}" = "true" ]; then
echo "Promotion gate passed: ${GATE_NAME} has approved."
else
echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}."
exit 1
fi
+3 -6
View File
@@ -25,9 +25,6 @@ jobs:
node-version: '20'
cache: 'pnpm'
- name: Install pnpm
run: npm install -g pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
@@ -38,11 +35,11 @@ jobs:
id: tarball
run: |
# headlamp-plugin package outputs the tarball path, e.g.:
# "Packaged: /path/to/headlamp-polaris-1.0.0.tar.gz"
# "Packaged: /path/to/headlamp-polaris-1.0.0.tgz"
output=$(pnpm run package 2>&1)
echo "output=$output"
# Extract tarball name, e.g. headlamp-polaris-1.0.0.tar.gz
tarball_name=$(echo "$output" | grep -oP 'headlamp-polaris-\d+\.\d+\.\d+\.tar\.gz' | tail -1)
# Extract tarball name, e.g. headlamp-polaris-1.0.0.tgz
tarball_name=$(echo "$output" | grep -oP 'headlamp-polaris-\d+\.\d+\.\d+\.tgz' | tail -1)
echo "tarball_name=$tarball_name" >> $GITHUB_OUTPUT
- name: Create Gitea Release
+43 -48
View File
@@ -1,28 +1,30 @@
version: 1.0.1
version: "1.0.0"
name: headlamp-polaris
displayName: Polaris
createdAt: '2026-05-20T00:00:00Z'
description: Surfaces Fairwinds Polaris audit results inside the Headlamp UI. Shows
cluster score, check summary, and per-namespace drill-downs with per-resource pass/warning/danger
breakdowns. Data is fetched read-only via the Kubernetes service proxy to the Polaris
dashboard. Requires a Role granting `get` on `services/proxy` for the `polaris-dashboard`
service in the `polaris` namespace.
createdAt: "2026-02-05T19:00:00Z"
description: >-
Surfaces Fairwinds Polaris audit results inside the Headlamp UI.
Shows cluster score, check summary, and per-namespace drill-downs
with per-resource pass/warning/danger breakdowns. Data is fetched
read-only via the Kubernetes service proxy to the Polaris dashboard.
Requires a Role granting `get` on `services/proxy` for the
`polaris-dashboard` service in the `polaris` namespace.
license: Apache-2.0
homeURL: https://github.com/privilegedescalation/headlamp-polaris-plugin
appVersion: 10.1.6
homeURL: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
appVersion: "10.1.6"
category: security
keywords:
- polaris
- fairwinds
- security
- audit
- headlamp
- kubernetes
- polaris
- fairwinds
- security
- audit
- headlamp
- kubernetes
links:
- name: Source
url: https://github.com/privilegedescalation/headlamp-polaris-plugin
- name: Polaris
url: https://polaris.docs.fairwinds.com/
- name: Source
url: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
- name: Polaris
url: "https://polaris.docs.fairwinds.com/"
install: |
## Installation
@@ -48,34 +50,27 @@ install: |
For more information, see the [README](https://github.com/privilegedescalation/headlamp-polaris-plugin/blob/main/README.md).
changes:
- kind: security
description: Patched 8 npm audit vulnerabilities via pnpm.overrides
- kind: added
description: Dual-approval required CI check — PRs must be approved by both CTO
and QA before merge
- kind: added
description: ExemptionManager test suite — full coverage of annotation-based exemption
flows
- kind: fixed
description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based
approach, tests run in privilegedescalation-dev namespace
- kind: fixed
description: E2E workflow uses token auth and waits for HTTP reachability before
running tests
- kind: fixed
description: Added explicit direct devDependencies (typescript, eslint, prettier,
@headlamp-k8s/eslint-config) to prevent phantom dep failures
- kind: changed
description: pnpm version pinned via packageManager field; GitHub Actions SHA-pinned
via Renovate pinDigests
- kind: changed
description: v1.0.0 stable release — plugin API (routes, sidebar, settings schema,
app bar action) is stable and will not change without a major version bump
- kind: security
description: Patched 8 npm audit vulnerabilities via pnpm.overrides
- kind: added
description: Dual-approval required CI check — PRs must be approved by both CTO and QA before merge
- kind: added
description: ExemptionManager test suite — full coverage of annotation-based exemption flows
- kind: fixed
description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in privilegedescalation-dev namespace
- kind: fixed
description: E2E workflow uses token auth and waits for HTTP reachability before running tests
- kind: fixed
description: Added explicit direct devDependencies (typescript, eslint, prettier, @headlamp-k8s/eslint-config) to prevent phantom dep failures
- kind: changed
description: pnpm version pinned via packageManager field; GitHub Actions SHA-pinned via Renovate pinDigests
- kind: changed
description: v1.0.0 stable release — plugin API (routes, sidebar, settings schema, app bar action) is stable and will not change without a major version bump
maintainers:
- name: privilegedescalation
email: chris@farhood.org
- name: privilegedescalation
email: "chris@farhood.org"
annotations:
headlamp/plugin/archive-url: https://git.farh.net/privilegedescalation/headlamp-polaris-plugin/releases/download/v1.0.1/headlamp-polaris-1.0.1.tar.gz
headlamp/plugin/version-compat: '>=0.26'
headlamp/plugin/archive-checksum: sha256:1e05d079c7032cf55ebde85e116cb65b686d207f4b6a3b0f716f0af93f933e7e
headlamp/plugin/distro-compat: in-cluster,web,desktop
headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v1.0.0/headlamp-polaris-1.0.0.tar.gz"
headlamp/plugin/version-compat: ">=0.26"
headlamp/plugin/archive-checksum: sha256:a165e871b40f11a44950aa9f10eb7f7883276f749026ae7a4f886278ecd9bd7d
headlamp/plugin/distro-compat: "in-cluster,web,desktop"