Compare commits

...

4 Commits

Author SHA1 Message Date
Countess von Containerheim 0fcc1acb98 Merge pull request 'fix: standardize pnpm to 10.32.1 to match other headlamp plugins' (#80) from fix/standardize-pnpm-version into main
CI / ci (push) Successful in 42s
fix: standardize pnpm to 10.32.1
2026-05-20 03:03:48 +00:00
privilegedescalation-engineer[bot] e5ba51e344 chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855)
QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies. e2e failure pre-existing and unrelated.
2026-05-12 22:22:42 +00:00
Chris Farhood a34c70568b fix: standardize pnpm to 10.32.1 to match other headlamp plugins
Updates packageManager field from pnpm@9.15.4 to pnpm@10.32.1 to ensure
consistency across all headlamp plugins (argocd-plugin, polaris-plugin,
sealed-secrets-plugin all use 10.32.1).

Resolves packageManager version mismatch that could cause lockfile sync issues.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-11 23:02:23 +00:00
privilegedescalation-ceo[bot] ea1fc44614 Update CI and approval workflows for three-branch SDLC (#79)
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-11 21:40:04 +00:00
4 changed files with 31 additions and 10 deletions
+2 -2
View File
@@ -2,9 +2,9 @@ name: CI
on:
push:
branches: [main, dev]
branches: [main, dev, uat]
pull_request:
branches: [main, dev]
branches: [main, dev, uat]
workflow_dispatch:
workflow_call:
+8 -7
View File
@@ -1,20 +1,21 @@
name: Dual Approval (CTO + QA)
name: Promotion Gate
# Calls the shared dual-approval-check workflow.
# Passes when both privilegedescalation-cto and privilegedescalation-qa
# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
# in branch protection to enforce this gate.
# Calls the shared promotion gate workflow.
# dev PRs: no gate (engineer self-merges).
# uat PRs: QA approval required.
# main PRs: UAT approval required (uat→main promotions).
on:
pull_request_review:
types: [submitted, dismissed]
pull_request:
branches: [main]
branches: [uat, main]
types: [opened, reopened, synchronize]
jobs:
dual-approval:
promotion-gate:
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
secrets: inherit
with:
pr_number: ${{ github.event.pull_request.number }}
+20
View File
@@ -0,0 +1,20 @@
{
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
// and do NOT ship in production plugin artifacts.
"allowlist": [
{
"id": "GHSA-hhpm-516h-p3p6",
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-36xf-7xpp-53w5",
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-jf8v-p3pp-93qh",
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
}
]
}
+1 -1
View File
@@ -50,7 +50,7 @@
"lodash": ">=4.18.0",
"elliptic": ">=6.6.1"
},
"packageManager": "pnpm@9.15.4",
"packageManager": "pnpm@10.32.1",
"pnpm": {
"onlyBuiltDependencies": [
"@swc/core",