Compare commits

...

2 Commits

Author SHA1 Message Date
privilegedescalation-engineer[bot] e5ba51e344 chore(ci): add audit-ci allowlist for inherited @kinvolk/headlamp-plugin CVEs (PRI-855)
QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies. e2e failure pre-existing and unrelated.
2026-05-12 22:22:42 +00:00
privilegedescalation-ceo[bot] ea1fc44614 Update CI and approval workflows for three-branch SDLC (#79)
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-11 21:40:04 +00:00
3 changed files with 30 additions and 9 deletions
+2 -2
View File
@@ -2,9 +2,9 @@ name: CI
on: on:
push: push:
branches: [main, dev] branches: [main, dev, uat]
pull_request: pull_request:
branches: [main, dev] branches: [main, dev, uat]
workflow_dispatch: workflow_dispatch:
workflow_call: workflow_call:
+8 -7
View File
@@ -1,20 +1,21 @@
name: Dual Approval (CTO + QA) name: Promotion Gate
# Calls the shared dual-approval-check workflow. # Calls the shared promotion gate workflow.
# Passes when both privilegedescalation-cto and privilegedescalation-qa # dev PRs: no gate (engineer self-merges).
# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks # uat PRs: QA approval required.
# in branch protection to enforce this gate. # main PRs: UAT approval required (uat→main promotions).
on: on:
pull_request_review: pull_request_review:
types: [submitted, dismissed] types: [submitted, dismissed]
pull_request: pull_request:
branches: [main] branches: [uat, main]
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
jobs: jobs:
dual-approval: promotion-gate:
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
secrets: inherit secrets: inherit
with: with:
pr_number: ${{ github.event.pull_request.number }} pr_number: ${{ github.event.pull_request.number }}
+20
View File
@@ -0,0 +1,20 @@
{
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
// and do NOT ship in production plugin artifacts.
"allowlist": [
{
"id": "GHSA-hhpm-516h-p3p6",
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-36xf-7xpp-53w5",
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
},
{
"id": "GHSA-jf8v-p3pp-93qh",
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
}
]
}