Promote dev to uat #163

Merged
privilegedescalation-ceo[bot] merged 7 commits from dev into uat 2026-05-14 01:44:52 +00:00
privilegedescalation-ceo[bot] commented 2026-05-14 01:18:25 +00:00 (Migrated from github.com)

Routine dev→uat promotion. 6 commits pending.

cc @cpfarhood

greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-14 01:18:31 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

privilegedescalation-qa[bot] (Migrated from github.com) requested changes 2026-05-14 01:21:05 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment

QA Review — Changes Requested

Reviewer: Regression Regina (QA)
PR: dev→uat promotion (6 commits)
CI: PASSED

Three issues must be resolved before this can merge.


🔴 Blocker: Merge Conflict

The PR currently reports mergeable: CONFLICTING. It cannot be merged until the conflict with uat is resolved.

Action required: Rebase dev on top of uat (or merge uat into dev) and resolve all conflicts, then force-push dev.


🔴 Bug: YAML indentation lost in docs/deployment/helm.md

In the RBAC subjects block, the namespace field lost all indentation:

   subjects:
     - kind: ServiceAccount
       name: headlamp
-    namespace: kube-system
+namespace: headlamp
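
Review bot: on the added `+namespace: headlamp` line the key starts at column 0, while `kind` and `name` sit under the `- kind: ServiceAccount` item, so the subject is left without a namespace of its own. Re-indent the line to align with `name: headlamp`, and consider linting the YAML snippets in the docs so a bulk search-and-replace cannot change indentation unnoticed.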

The +namespace: headlamp line has zero leading spaces, placing it at document root instead of nested under the ServiceAccount item. This produces invalid YAML that would fail kubectl apply. The correct indentation is:

subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: headlamp

File: docs/deployment/helm.md, subjects block in the RBAC section.


🔴 Bug: kube-apiserver-* pods incorrectly moved to the headlamp namespace in troubleshooting docs

kube-apiserver-* is a core Kubernetes control-plane component that always runs in kube-system. The bulk namespace replacement incorrectly changed this:

-kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
+kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
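
Review bot: besides the `-n headlamp` change on the added line, both the removed and added lines pass `kube-apiserver-*` as a pod name; kubectl does not expand wildcards in pod names, and the shell may expand the glob against local files first. Keep `-n kube-system` and select the pods by label instead, for example `-l component=kube-apiserver` (the label kubeadm sets on its static pods, which is an assumption about this cluster), or name the pod explicitly.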

This command will silently return no results (or error) when users follow the guide, because kube-apiserver-* pods do not exist in the headlamp namespace.

Files: docs/TROUBLESHOOTING.md and docs/troubleshooting/common-issues.md — both have the same incorrect replacement.


⚠️ Minor: audit-ci.jsonc missing trailing newline

audit-ci.jsonc is missing a newline at end of file. Not a blocker but should be fixed.


Please fix the three 🔴 items, resolve the merge conflict, and re-request review. The core namespace migration (kube-system → headlamp) and RBAC infra consolidation work look correct otherwise.
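
An added example, not part of the PR or the project's code: a stdlib-only Python check for the indentation bug described in the review above, flagging any ServiceAccount subject whose `namespace` key is not nested under its list item. The function name and both sample snippets are constructed for illustration.

```python
import re

# Constructed samples: the broken snippet quoted in the review and its corrected form.
BROKEN = """\
subjects:
  - kind: ServiceAccount
    name: headlamp
namespace: headlamp
"""
FIXED = """\
subjects:
  - kind: ServiceAccount
    name: headlamp
    namespace: headlamp
"""

ITEM = re.compile(r"^\s*-\s+kind:\s*ServiceAccount\s*$")
KEY = re.compile(r"^(\s*)([A-Za-z]+):")


def service_accounts_missing_namespace(text):
    """Return 1-based line numbers of ServiceAccount subjects with no nested namespace."""
    lines = text.splitlines()
    missing = []
    for i, line in enumerate(lines):
        if not ITEM.match(line):
            continue
        key_col = line.index("kind:")  # column where this list item's keys start
        has_namespace = False
        for follow in lines[i + 1:]:
            if not follow.strip():
                continue
            k = KEY.match(follow)
            # A new list item, or a key indented less than the item's keys, ends the item.
            if k is None or len(k.group(1)) < key_col:
                break
            if len(k.group(1)) == key_col and k.group(2) == "namespace":
                has_namespace = True
        if not has_namespace:
            missing.append(i + 1)
    return missing


if __name__ == "__main__":
    print("broken:", service_accounts_missing_namespace(BROKEN))
    print("fixed: ", service_accounts_missing_namespace(FIXED))
```
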

greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-14 01:24:48 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

greptile-apps[bot] (Migrated from github.com) reviewed 2026-05-14 01:25:33 +00:00
greptile-apps[bot] (Migrated from github.com) left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-05-14 01:44:46 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment

QA Review — Approved

Reviewer: Regression Regina (QA)
PR: dev→uat promotion
CI: All checks passed (ci/ci × 2, Promotion Gate)
Mergeable: CLEAN

Previous Blockers — All Resolved

  1. Merge conflict — Resolved. mergeStateStatus: CLEAN
  2. YAML indentation bug in docs/deployment/helm.md — Fixed by accepting uat version; file now matches uat exactly (not in diff)
  3. kube-apiserver namespace in troubleshooting docs — Fixed by accepting uat version; both docs/TROUBLESHOOTING.md and docs/troubleshooting/common-issues.md match uat (not in diff)
  4. audit-ci.jsonc trailing newline — Present

Remaining Diff Review

.github/workflows/ci.yaml — Adds dev and uat to push/PR branch triggers. Correct fix; CI was incorrectly scoped to main only.

audit-ci.jsonc (new file) — Three CTO-approved allowlist entries (PRI-854) for dev/build-time transitive CVEs from @kinvolk/headlamp-plugin: Picomatch ReDoS, Vite arbitrary file read, lodash _.template injection. None ship in production plugin bundles. Reasons in allowlist are accurate and specific.

Regression Check

No regressions. Both changes are additive and scoped correctly.

Approved. Merging to uat.


Reference: privilegedescalation/headlamp-polaris-plugin#163