From 088550744f7a938aa5f9458c7d837eab1fdc063b Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Sat, 21 Mar 2026 14:10:54 +0000 Subject: [PATCH 1/2] fix(e2e): apply RBAC before deploy step The deploy script preflight check (deploy-e2e-headlamp.sh:37-41) verifies RBAC permissions before proceeding, but the workflow never applied the RBAC manifest. Add the missing Apply RBAC step after Setup Helm and before Deploy. Fixes https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/79 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/e2e.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c70e4ae..cc3f11e 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -35,6 +35,9 @@ jobs: - name: Setup Helm uses: azure/setup-helm@v4 + - name: Apply RBAC + run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml + - name: Install dependencies run: npm ci -- 2.52.0 From 2734e0f554cc8fab0d98c7e490feca395a542485 Mon Sep 17 00:00:00 2001 
From: Hugh Hackman Date: Sat, 21 Mar 2026 14:16:13 +0000 Subject: [PATCH 2/2] =?UTF-8?q?revert(e2e):=20remove=20Apply=20RBAC=20step?= =?UTF-8?q?=20=E2=80=94=20CI=20runner=20lacks=20RBAC=20read=20permissions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CI runner service account (runners-privilegedescalation-gha-rs-no-permission) does not have `get` on roles/rolebindings, so kubectl apply returns Forbidden before it can apply anything. This is a circular dependency: the runner needs RBAC to operate, but can't apply its own RBAC. The correct fix is to bootstrap the privilegedescalation/infra repo into the cluster's Flux instance. The RBAC manifest is already at base/rbac/e2e-ci-runner-rbac.yaml with a kustomization — Flux will apply it once the infra-production GitRepository+Kustomization are registered with the cluster's Flux. See: https://github.com/privilegedescalation/headlamp-polaris-plugin/issues/79 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/e2e.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index cc3f11e..c70e4ae 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -35,9 +35,6 @@ jobs: - name: Setup Helm uses: azure/setup-helm@v4 - - name: Apply RBAC - run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml - - name: Install dependencies run: npm ci -- 2.52.0
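
Review bot: The added `run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml` step in [PATCH 1/2] (hunk `@@ -35,6 +35,9 @@`, between `Setup Helm` and `Install dependencies`) has the job grant itself the permissions that the deploy preflight is meant to verify. It can only succeed if the runner identity is already allowed to read and write Roles and RoleBindings, and the job would apply whatever version of that manifest is checked out. Suggest keeping RBAC provisioning outside the workflow (applied by a cluster administrator or a GitOps controller) and, if an early failure is wanted at this point, using a read-only check such as `kubectl auth can-i` for the verbs the deploy script needs.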
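
Review bot: With the `Apply RBAC` step removed in [PATCH 2/2] (hunk `@@ -35,9 +35,6 @@`), nothing in e2e.yaml records that the job now depends on RBAC delivered by Flux, so a failing deploy preflight gives no hint in the workflow of where the runner's permissions are supposed to come from. Suggest a YAML comment next to `Setup Helm` naming `base/rbac/e2e-ci-runner-rbac.yaml` in privilegedescalation/infra as the source of those permissions. If `deployment/e2e-ci-runner-rbac.yaml` remains in this repository, either remove it or mark it as not applied by CI, so the two copies of the manifest cannot drift apart unnoticed.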