ci: update artifact hub metadata for v0.0.3

Reviewed-on: farhoodliquor/polaris-headlamp-plugin#5

.gitea/workflows/release.yaml

@@ -12,31 +12,173 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check if release is already finalized
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          TARBALL_URL="https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/${GITHUB_REF_NAME}/polaris-headlamp-plugin-${VERSION}.tar.gz"
+          HTTP_CODE=$(curl -sL -o /tmp/release.tar.gz -w "%{http_code}" "$TARBALL_URL" 2>/dev/null)
+          if [ "$HTTP_CODE" = "200" ]; then
+            ACTUAL="sha256:$(sha256sum /tmp/release.tar.gz | awk '{print $1}')"
+            EXPECTED=$(grep 'archive-checksum' artifacthub-pkg.yml | awk '{print $2}')
+            echo "Release tarball checksum: $ACTUAL"
+            echo "Metadata checksum:        $EXPECTED"
+            if [ "$ACTUAL" = "$EXPECTED" ]; then
+              echo "SKIP_BUILD=true" >> $GITHUB_ENV
+              echo "Checksums match - release is finalized, nothing to do"
+            fi
+          else
+            echo "No existing release (HTTP $HTTP_CODE) - will build"
+          fi
+          rm -f /tmp/release.tar.gz
 
       - name: Install dependencies
-        run: npm ci
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          npm ci
 
       - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          npx @kinvolk/headlamp-plugin build
 
       - name: Package tarball
-        run: npx @kinvolk/headlamp-plugin package
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          npx @kinvolk/headlamp-plugin package
+
+      - name: Compute tarball checksum
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          TARBALL=$(ls *.tar.gz)
+          CHECKSUM=$(sha256sum "$TARBALL" | awk '{print $1}')
+          echo "TARBALL=$TARBALL" >> $GITHUB_ENV
+          echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
+          echo "Tarball: $TARBALL"
+          echo "Checksum: sha256:$CHECKSUM"
 
       - name: Install Docker CLI
-        run: apt-get update && apt-get install -y docker.io
-
-      - name: Build Docker image
-        run: docker build -t git.farh.net/${{ github.repository }}:${{ github.ref_name }} -t git.farh.net/${{ github.repository }}:latest .
-
-      - name: Push Docker image
         run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          apt-get update && apt-get install -y docker.io
+
+      - name: Build and push Docker image
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          docker build -t git.farh.net/${{ github.repository }}:${{ github.ref_name }} -t git.farh.net/${{ github.repository }}:latest .
           echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
           docker push git.farh.net/${{ github.repository }}:${{ github.ref_name }}
           docker push git.farh.net/${{ github.repository }}:latest
 
-      - name: Create release
-        uses: akkuman/gitea-release-action@v1
-        with:
-          files: |
-            *.tar.gz
-          token: ${{ github.token }}
+      - name: Create Gitea release
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          API_URL="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
+          # Create release (or get existing)
+          RELEASE=$(curl -s -X POST \
+            -H "Authorization: token ${{ github.token }}" \
+            -H "Content-Type: application/json" \
+            "${API_URL}/releases" \
+            -d "{\"tag_name\":\"${GITHUB_REF_NAME}\",\"name\":\"${GITHUB_REF_NAME}\"}")
+          RELEASE_ID=$(echo "$RELEASE" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
+          if [ "$RELEASE_ID" = "undefined" ]; then
+            RELEASE=$(curl -sf \
+              -H "Authorization: token ${{ github.token }}" \
+              "${API_URL}/releases/tags/${GITHUB_REF_NAME}")
+            RELEASE_ID=$(echo "$RELEASE" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
+          fi
+          echo "Gitea Release ID: $RELEASE_ID"
+          # Delete existing assets
+          ASSETS=$(curl -sf \
+            -H "Authorization: token ${{ github.token }}" \
+            "${API_URL}/releases/${RELEASE_ID}/assets")
+          echo "$ASSETS" | node -e "
+            process.stdin.resume();let d='';
+            process.stdin.on('data',c=>d+=c);
+            process.stdin.on('end',()=>{
+              JSON.parse(d).forEach(a=>console.log(a.id));
+            })" | while read -r ASSET_ID; do
+            curl -sf -X DELETE \
+              -H "Authorization: token ${{ github.token }}" \
+              "${API_URL}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
+          done
+          # Upload tarball
+          curl -sf -X POST \
+            -H "Authorization: token ${{ github.token }}" \
+            -F "attachment=@${TARBALL}" \
+            "${API_URL}/releases/${RELEASE_ID}/assets?name=${TARBALL}"
+          echo "Gitea release updated"
+
+      - name: Create GitHub release
+        continue-on-error: true
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          GH_API="https://api.github.com/repos/cpfarhood/polaris-headlamp-plugin"
+          # Create release or fetch existing one
+          BODY=$(curl -s -X POST \
+            -H "Authorization: token ${{ secrets.GH_PAT }}" \
+            -H "Accept: application/vnd.github+json" \
+            "${GH_API}/releases" \
+            -d "{\"tag_name\":\"${GITHUB_REF_NAME}\",\"name\":\"${GITHUB_REF_NAME}\",\"generate_release_notes\":true}")
+          RELEASE_ID=$(echo "$BODY" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
+          if [ "$RELEASE_ID" = "undefined" ]; then
+            echo "Release already exists, fetching it..."
+            BODY=$(curl -sf \
+              -H "Authorization: token ${{ secrets.GH_PAT }}" \
+              -H "Accept: application/vnd.github+json" \
+              "${GH_API}/releases/tags/${GITHUB_REF_NAME}")
+            RELEASE_ID=$(echo "$BODY" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
+          fi
+          echo "GitHub Release ID: $RELEASE_ID"
+          # Delete existing assets with the same name
+          ASSETS=$(curl -sf \
+            -H "Authorization: token ${{ secrets.GH_PAT }}" \
+            -H "Accept: application/vnd.github+json" \
+            "${GH_API}/releases/${RELEASE_ID}/assets")
+          echo "$ASSETS" | node -e "
+            process.stdin.resume();let d='';
+            process.stdin.on('data',c=>d+=c);
+            process.stdin.on('end',()=>{
+              const assets=JSON.parse(d);
+              assets.filter(a=>a.name==='${TARBALL}').forEach(a=>console.log(a.id));
+            })" | while read -r ASSET_ID; do
+            echo "Deleting existing asset $ASSET_ID..."
+            curl -sf -X DELETE \
+              -H "Authorization: token ${{ secrets.GH_PAT }}" \
+              "${GH_API}/releases/assets/${ASSET_ID}"
+          done
+          # Upload tarball
+          curl -sf -X POST \
+            -H "Authorization: token ${{ secrets.GH_PAT }}" \
+            -H "Content-Type: application/gzip" \
+            "https://uploads.github.com/repos/cpfarhood/polaris-headlamp-plugin/releases/${RELEASE_ID}/assets?name=${TARBALL}" \
+            --data-binary "@${TARBALL}"
+          echo "GitHub release updated with same tarball"
+
+      - name: Update metadata and align tag
+        run: |
+          [ "$SKIP_BUILD" = "true" ] && exit 0
+          VERSION=${GITHUB_REF_NAME#v}
+          git checkout main
+          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
+          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/${GITHUB_REF_NAME}/polaris-headlamp-plugin-${VERSION}.tar.gz\"|" artifacthub-pkg.yml
+          sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
+          git config user.name "gitea-actions[bot]"
+          git config user.email "gitea-actions[bot]@git.farh.net"
+          git add artifacthub-pkg.yml
+          git diff --cached --quiet || {
+            git commit -m "ci: update artifact hub metadata for ${GITHUB_REF_NAME}"
+            git push origin main
+          }
+          # Force-move tag to the commit with correct checksum.
+          # This triggers a new CI run, but the guard step will detect
+          # that the release checksum already matches and skip the build.
+          git tag -f ${GITHUB_REF_NAME}
+          git push -f origin ${GITHUB_REF_NAME}
+          # Also push to GitHub directly to avoid waiting for mirror sync
+          git remote add github https://x-access-token:${{ secrets.GH_PAT }}@github.com/cpfarhood/polaris-headlamp-plugin.git 2>/dev/null || true
+          git push github main 2>/dev/null || true
+          git push -f github ${GITHUB_REF_NAME} 2>/dev/null || true
+          echo "Tag ${GITHUB_REF_NAME} aligned with updated metadata"

.github/workflows/release.yml

@@ -1,37 +0,0 @@
-name: GitHub Release
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Package tarball
-        run: npx @kinvolk/headlamp-plugin package
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: "*.tar.gz"
-          generate_release_notes: true

README.md

@@ -1,5 +1,7 @@
 # polaris-headlamp-plugin
 
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/polaris-headlamp-plugin)](https://artifacthub.io/packages/headlamp/polaris-headlamp-plugin/polaris-headlamp-plugin)
+
 A [Headlamp](https://headlamp.dev/) plugin that surfaces [Fairwinds Polaris](https://polaris.docs.fairwinds.com/) audit results directly in the Headlamp UI.
 
 ## What It Does
@@ -22,12 +24,95 @@ Error states are handled explicitly: RBAC denied (403), Polaris not installed (4
 - **Polaris** installed via the [official Helm chart](https://github.com/FairwindsOps/polaris) with the dashboard component enabled
 - The Headlamp service account must have RBAC permission to `get` ConfigMaps in the `polaris` namespace
 
+## Installing
+
+### Option 1: Artifact Hub + Headlamp plugin manager (recommended)
+
+The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris-headlamp-plugin/polaris-headlamp-plugin). Configure Headlamp's `pluginsManager` in your Helm values to install it automatically:
+
+```yaml
+pluginsManager:
+  sources:
+    - url: https://artifacthub.io/packages/headlamp/polaris-headlamp-plugin/polaris-headlamp-plugin
+```
+
+Headlamp will fetch and install the plugin on startup.
+
+### Option 2: Docker init container
+
+The plugin ships as a container image at `git.farh.net/farhoodliquor/polaris-headlamp-plugin`.
+
+Add it as an init container in your Headlamp Helm values:
+
+```yaml
+initContainers:
+  - name: polaris-plugin
+    image: git.farh.net/farhoodliquor/polaris-headlamp-plugin:v0.0.1
+    command: ["sh", "-c", "cp -r /plugins/* /headlamp/plugins/"]
+    volumeMounts:
+      - name: plugins
+        mountPath: /headlamp/plugins
+
+volumes:
+  - name: plugins
+    emptyDir: {}
+
+volumeMounts:
+  - name: plugins
+    mountPath: /headlamp/plugins
+```
+
+### Option 3: Manual tarball install
+
+Download the `.tar.gz` from the [GitHub releases page](https://github.com/cpfarhood/polaris-headlamp-plugin/releases) or the [Gitea releases page](https://git.farh.net/farhoodliquor/polaris-headlamp-plugin/releases), then extract into Headlamp's plugin directory:
+
+```bash
+tar xzf polaris-headlamp-plugin-0.0.1.tar.gz -C /headlamp/plugins/
+```
+
+### Option 4: Build from source
+
+```bash
+npm install
+npm run build
+npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
+```
+
+## RBAC
+
+The plugin reads a single ConfigMap. Minimum RBAC required for the Headlamp service account:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: headlamp-polaris-reader
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["polaris-dashboard"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-polaris-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: headlamp-polaris-reader
+subjects:
+  - kind: ServiceAccount
+    name: headlamp
+    namespace: headlamp
+```
+
 ## Development
 
 ### Setup
 
 ```bash
-git clone https://git.farh.net/farhoodliquor/polaris-headlamp-plugin.git
+git clone https://github.com/cpfarhood/polaris-headlamp-plugin.git
 cd polaris-headlamp-plugin
 npm install
 ```
@@ -67,104 +152,6 @@ src/
                                 cluster info, error states, refresh interval selector.
 ```
 
-## Deploying to Headlamp
-
-### Option 1: Docker init container (recommended for Kubernetes)
-
-The plugin ships as a container image at `git.farh.net/farhoodliquor/polaris-headlamp-plugin`.
-
-Add it as an init container in your Headlamp Helm values:
-
-```yaml
-initContainers:
-  - name: polaris-plugin
-    image: git.farh.net/farhoodliquor/polaris-headlamp-plugin:v0.0.1
-    command: ["sh", "-c", "cp -r /plugins/* /headlamp/plugins/"]
-    volumeMounts:
-      - name: plugins
-        mountPath: /headlamp/plugins
-
-volumes:
-  - name: plugins
-    emptyDir: {}
-
-volumeMounts:
-  - name: plugins
-    mountPath: /headlamp/plugins
-```
-
-### Option 2: Manual tarball install
-
-Download the `.tar.gz` from the [releases page](https://git.farh.net/farhoodliquor/polaris-headlamp-plugin/releases), then extract into Headlamp's plugin directory:
-
-```bash
-tar xzf polaris-headlamp-plugin-0.0.1.tar.gz -C /headlamp/plugins/
-```
-
-### Option 3: Build from source
-
-```bash
-npm install
-npm run build
-npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
-```
-
-## Releasing
-
-Releases are automated via Gitea Actions. To cut a release:
-
-```bash
-# Bump version in package.json, then:
-git add package.json package-lock.json
-git commit -m "chore: bump version to 0.0.2"
-git tag v0.0.2
-git push origin main v0.0.2
-```
-
-The CI pipeline (`.gitea/workflows/release.yaml`) will:
-
-1. Build the plugin in a `node:20` container
-2. Package a `.tar.gz` tarball
-3. Build and push a Docker image to `git.farh.net/farhoodliquor/polaris-headlamp-plugin:{tag}` and `:latest`
-4. Create a Gitea release with the tarball attached
-
-### CI secrets
-
-| Secret | Purpose |
-|---|---|
-| `REGISTRY_TOKEN` | Gitea personal access token with `package:write` scope, used to push Docker images to the container registry |
-
-The release creation itself uses the built-in `github.token` -- no extra secret needed for that.
-
-## RBAC
-
-The plugin reads a single ConfigMap. Minimum RBAC required for the Headlamp service account:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: headlamp-polaris-reader
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    resourceNames: ["polaris-dashboard"]
-    verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-polaris-reader
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: headlamp-polaris-reader
-subjects:
-  - kind: ServiceAccount
-    name: headlamp
-    namespace: headlamp
-```
-
 ## Data Source
 
 The plugin reads from:
@@ -189,6 +176,55 @@ AuditData
 
 Each check in a `ResultSet` has `Success` (bool) and `Severity` (`"warning"` or `"danger"`).
 
+## Releasing
+
+Releases are automated via CI. To cut a release:
+
+```bash
+# Bump version in package.json and artifacthub-pkg.yml, then:
+git add package.json package-lock.json artifacthub-pkg.yml
+git commit -m "chore: bump version to 0.0.2"
+git tag v0.0.2
+git push origin main v0.0.2
+```
+
+This triggers two CI pipelines:
+
+**Gitea Actions** (`.gitea/workflows/release.yaml`):
+1. Build the plugin in a `node:20` container
+2. Package a `.tar.gz` tarball
+3. Build and push a Docker image to `git.farh.net/farhoodliquor/polaris-headlamp-plugin:{tag}` and `:latest`
+4. Create a Gitea release with the tarball attached
+
+**GitHub Actions** (`.github/workflows/release.yml`):
+1. Build and package the plugin
+2. Create a GitHub release with the tarball attached (required for Artifact Hub)
+
+The Gitea repo push-mirrors to GitHub automatically, so both pipelines trigger from a single `git push`.
+
+### CI secrets
+
+| Secret | Where | Purpose |
+|---|---|---|
+| `REGISTRY_TOKEN` | Gitea | Personal access token with `package:write` scope for Docker image push |
+
+The Gitea release uses the built-in `github.token`. The GitHub release uses the default `GITHUB_TOKEN` with `contents: write` permission.
+
+### Updating Artifact Hub
+
+When releasing a new version, update `artifacthub-pkg.yml`:
+- `version` field
+- `headlamp/plugin/archive-url` annotation (update the version in the download URL)
+- `headlamp/plugin/archive-checksum` annotation (SHA256 of the new tarball, printed by the CI build)
+
+## Links
+
+- [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris-headlamp-plugin/polaris-headlamp-plugin)
+- [GitHub (mirror)](https://github.com/cpfarhood/polaris-headlamp-plugin)
+- [Gitea (source of truth)](https://git.farh.net/farhoodliquor/polaris-headlamp-plugin)
+- [Headlamp](https://headlamp.dev/)
+- [Fairwinds Polaris](https://polaris.docs.fairwinds.com/)
+
 ## License
 
 MIT

artifacthub-pkg.yml

@@ -1,4 +1,4 @@
-version: 0.0.1
+version: 0.0.3
 name: polaris-headlamp-plugin
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
@@ -20,9 +20,9 @@ links:
     url: "https://polaris.docs.fairwinds.com/"
 maintainers:
   - name: cpfarhood
-    email: ""
+    email: "chris@farhood.org"
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/v0.0.1/polaris-headlamp-plugin-0.0.1.tar.gz"
+  headlamp/plugin/archive-url: "https://github.com/cpfarhood/polaris-headlamp-plugin/releases/download/v0.0.3/polaris-headlamp-plugin-0.0.3.tar.gz"
   headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:456f09cf8b126816b80c723b6c6f300b2af0c2e1288ee67da13f435b0e35c04d
+  headlamp/plugin/archive-checksum: sha256:4997063bd44fbdd3610727f58616bd1fb2920b78c8e955b5279e0e017e718773
   headlamp/plugin/distro-compat: in-cluster

artifacthub-repo.yml

@@ -1,4 +1,4 @@
-repositoryID: polaris-headlamp-plugin
+repositoryID: fb4c3789-de2b-4667-8fff-34f22e5648da
 owners:
   - name: cpfarhood
-    email: ""
+    email: "chris@farhood.org"

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "polaris-headlamp-plugin",
-  "version": "0.0.1",
+  "version": "0.0.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "polaris-headlamp-plugin",
-      "version": "0.0.1",
+      "version": "0.0.3",
       "devDependencies": {
         "@kinvolk/headlamp-plugin": "^0.13.0"
       }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "polaris-headlamp-plugin",
-  "version": "0.0.1",
+  "version": "0.0.3",
   "description": "Headlamp plugin for Fairwinds Polaris audit results",
   "scripts": {
     "start": "headlamp-plugin start",