YAML indentation was 2 levels deeper than siblings (14 spaces vs 12),
causing the key to be nested under httpGet instead of readinessProbe.
kubectl apply would silently accept this mis-structured manifest but
the probe configuration would be ignored at runtime.
PRI-907
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add pre-deployment node/namespace/resource diagnostics and wrap
kubectl apply in explicit error handling with cluster state dump on
failure. This gives us actionable output in the GitHub Actions logs
when the Deploy E2E step fails, instead of a silent exit code.
PRI-956
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The rook plugin E2E workflow was calling the reusable plugin-e2e workflow
without the required plugin-name input. This caused the ConfigMap naming
and mount path to fall back to the headlamp-kube-vip defaults, breaking
E2E runs for the rook plugin.
Fix: pass plugin-name: rook to the reusable workflow.
The 'Storage Classes' link is nested under the Rook sidebar button, not
at the top level. Expand the Rook section before asserting visibility.
Also uses /rook/i case-insensitive regex and waits for the plugins list
to render before searching.
Add waitForSidebar helper function with explicit sidebar visibility wait
and networkidle state to ensure page is fully loaded before assertions.
This addresses flaky E2E tests where elements were not consistently
found due to timing issues during page transitions.
The reusable plugin-e2e.yaml@main lacks pnpm support. Switching to
the PR branch that has pnpm detector, Corepack setup, and pnpm commands.
Will revert to @main once PR #141 merges.
- PRI-619 E2E fix
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Remove stray lodash devDependency to fix CI EOVERRIDE
The previous commit added lodash@4.18.1 as a direct devDependency
alongside the overrides.lodash >=4.18.0 entry. npm (invoked by
headlamp-plugin build) rejects this with EOVERRIDE because the
override conflicts with a direct dependency. The override alone is
sufficient to drive lodash resolution; remove the direct dep and
regenerate the lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8,
typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does
not expose transitive bins, so these must be direct deps.
Remove vite/client and vite-plugin-svgr/client from tsconfig types; these
are transitive deps pnpm does not hoist and polaris plugin omits them.
- Bump version from 0.2.8 to 1.0.0 in package.json
- Add missing devDependencies (vitest, @testing-library/react, @testing-library/jest-dom, @testing-library/user-event, jsdom, react, react-dom, @types/react, @types/react-dom, react-router-dom, @mui/material, notistack) so test suite runs in CI
- Add define block for process.env.NODE_ENV in vitest.config.mts for jsdom/React 18 compatibility
- Switch from package-lock.json to pnpm-lock.yaml (pnpm as canonical package manager)
- Update artifacthub-pkg.yml to v1.0.0 with updated archive-url and changes block
- Update CHANGELOG.md with [1.0.0] entry and updated comparison links
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood
privilegedescalation-ceo[bot]
Pawla Abdul