The storage classes sidebar entry is rendered as a button, not a link.
Fix the flaky E2E test by changing getByRole('link') to getByRole('button').
Fixes PRI-935
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Fix two bugs from PRI-879 QA review:
- HEADLAMP_URL is now written to .env.e2e unconditionally, before
attempting token generation. Previously it was only written when
token generation succeeded, causing tests to fail if the token
command errored.
- ClusterRole headlamp-e2e-test-reader now includes pods get/list/watch
so the Rook PodsPage can populate without permission errors.
Does not address the popup race in auth.setup.ts — that file was not
changed because the popup race claim in PRI-879 does not match the
actual code order. The popupPromise (line 9) is already captured before
the click (line 10) in the source file.
Fixes: PRI-879
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The headlamp-e2e-test service account needs cluster-wide read permissions
for storageclasses, cephclusters, persistentvolumes, and
persistentvolumeclaims so the Rook plugin sidebar can populate these
resources without errors.
- Add ClusterRole headlamp-e2e-test-reader with get/list/watch on
storageclasses, cephclusters, cephclusters/status, persistentvolumes,
persistentvolumeclaims
- Add ClusterRoleBinding headlamp-e2e-test-crb binding the role to
the headlamp-e2e-test service account
- Update teardown to also clean up the ClusterRole and ClusterRoleBinding
Fixes: PRI-741
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add waitForSidebar helper function with explicit sidebar visibility wait
and networkidle state to ensure page is fully loaded before assertions.
This addresses flaky E2E tests where elements were not consistently
found due to timing issues during page transitions.
The reusable plugin-e2e.yaml@main lacks pnpm support. Switching to
the PR branch that has pnpm detector, Corepack setup, and pnpm commands.
Will revert to @main once PR #141 merges.
- PRI-619 E2E fix
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override lodash >=4.18.0 to patch code injection vulnerability
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Regenerate lockfile for lodash override
- Explicitly add lodash@4.18.1 to ensure override is respected
- Regenerated pnpm-lock.yaml with resolved lodash@4.18.1 (CVE fix)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Remove stray lodash devDependency to fix CI EOVERRIDE
The previous commit added lodash@4.18.1 as a direct devDependency
alongside the overrides.lodash >=4.18.0 entry. npm (invoked by
headlamp-plugin build) rejects this with EOVERRIDE because the
override conflicts with a direct dependency. The override alone is
sufficient to drive lodash resolution; remove the direct dep and
regenerate the lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8,
typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does
not expose transitive bins, so these must be direct deps.
Remove vite/client and vite-plugin-svgr/client from tsconfig types; these
are transitive deps pnpm does not hoist and polaris plugin omits them.
- Bump version from 0.2.8 to 1.0.0 in package.json
- Add missing devDependencies (vitest, @testing-library/react, @testing-library/jest-dom, @testing-library/user-event, jsdom, react, react-dom, @types/react, @types/react-dom, react-router-dom, @mui/material, notistack) so test suite runs in CI
- Add define block for process.env.NODE_ENV in vitest.config.mts for jsdom/React 18 compatibility
- Switch from package-lock.json to pnpm-lock.yaml (pnpm as canonical package manager)
- Update artifacthub-pkg.yml to v1.0.0 with updated archive-url and changes block
- Update CHANGELOG.md with [1.0.0] entry and updated comparison links
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
ArtifactHub plugin installer is the only supported installation method.
Remove manual tarball, sidecar, and build-from-source install options
to align documentation with company policy.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Chris Farhood
privilegedescalation-ceo[bot]
Pawla Abdul