fix(e2e): use button role for storage classes sidebar link in rook plugin

The storage classes sidebar entry is a button, not a link. Using getByRole('link')
caused the test to fail with 'element not found'. Switch to getByRole('button')
which matches the actual Headlamp sidebar structure.

Also increased timeout from 10s to 15s for consistency with other waits.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/ci.yaml

@@ -2,218 +2,12 @@ name: CI
 
 on:
   push:
-    branches: ['**']
+    branches: [main, dev]
   pull_request:
-    branches: [main, dev, uat]
+    branches: [main, dev]
   workflow_dispatch:
   workflow_call:
-    inputs:
-      node-version:
-        description: 'Node.js version to use'
-        required: false
-        type: string
-        default: '22'
-
-permissions:
-  contents: read
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    container: node:22-slim
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Python
-        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
-
-      - name: Validate artifacthub-pkg.yml
-        run: |
-          python3 - <<'EOF'
-          import sys, re
-          try:
-              import yaml
-          except ImportError:
-              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
-              sys.exit(0)
-
-          try:
-              with open("artifacthub-pkg.yml") as f:
-                  pkg = yaml.safe_load(f)
-          except FileNotFoundError:
-              print("::error::artifacthub-pkg.yml not found")
-              sys.exit(1)
-          except yaml.YAMLError as e:
-              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
-              sys.exit(1)
-
-          errors = []
-
-          for field in ["version", "name", "description", "homeURL"]:
-              if not pkg.get(field):
-                  errors.append(f"Missing required field: {field}")
-
-          version = pkg.get("version", "")
-          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
-              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
-
-          annotations = pkg.get("annotations", {}) or {}
-          archive_url = annotations.get("headlamp/plugin/archive-url", "")
-          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
-
-          if not archive_url:
-              errors.append("Missing annotation: headlamp/plugin/archive-url")
-          if not archive_checksum:
-              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
-          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
-              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
-
-          if errors:
-              for e in errors:
-                  print(f"::error::{e}")
-              sys.exit(1)
-
-          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
-          EOF
-
-      - name: Detect package manager
-        id: pkg-manager
-        run: |
-          if [ -f "pnpm-lock.yaml" ]; then
-            echo "manager=pnpm" >> $GITHUB_OUTPUT
-            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
-            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
-          else
-            echo "manager=npm" >> $GITHUB_OUTPUT
-            echo "has_package_manager=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ inputs.node-version }}
-          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
-
-      - name: Setup pnpm (via Corepack, reads version from packageManager field)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
-        run: |
-          npm install -g corepack
-          corepack enable pnpm
-          corepack install
-
-      - name: Setup pnpm (version latest)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
-        uses: pnpm/action-setup@v5
-        with:
-          run_install: false
-          version: latest
-
-      - name: Get pnpm store directory
-        id: pnpm-store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-      - name: Cache pnpm store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        uses: actions/cache@v5
-        with:
-          path: ${{ steps.pnpm-store.outputs.dir }}
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-
-
-      - name: Validate pnpm lockfile freshness
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: |
-          if [ ! -f "pnpm-lock.yaml" ]; then
-            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
-            exit 0
-          fi
-          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
-            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
-            exit 0
-          fi
-          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
-          ERR_FILE=$(mktemp)
-          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
-            echo "Lockfile is fresh."
-          else
-            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
-              echo ""
-              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
-              echo "::error::This typically happens when transitive dependencies change but the lockfile wasn't regenerated."
-              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
-              rm -f "$ERR_FILE"
-              exit 1
-            fi
-            rm -f "$ERR_FILE"
-            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
-          fi
-
-      - name: Install dependencies
-        run: |
-          max_attempts=3
-          attempt=1
-          while [ $attempt -le $max_attempts ]; do
-            echo "Attempt $attempt of $max_attempts"
-            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-              pnpm install --frozen-lockfile && break
-            else
-              npm ci && break
-            fi
-            if [ $attempt -lt $max_attempts ]; then
-              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
-              sleep 5
-            fi
-            attempt=$((attempt + 1))
-          done
-          if [ $attempt -gt $max_attempts ]; then
-            echo "::error::Install step failed after $max_attempts attempts."
-            exit 1
-          fi
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Lint
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run lint
-          else
-            npm run lint
-          fi
-
-      - name: Type-check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run tsc
-          else
-            npm run tsc
-          fi
-
-      - name: Format check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run format:check
-          else
-            npm run format:check
-          fi
-
-      - name: Run tests
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm test
-          else
-            npm test
-          fi
-
-      - name: Security audit
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
-          else
-            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
-          fi
+    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main

.github/workflows/e2e.yaml

@@ -0,0 +1,23 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
+jobs:
+  e2e:
+    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
+    with:
+      node-version: '22'
+      headlamp-version: v0.40.1
+      e2e-namespace: headlamp-dev

.github/workflows/release.yaml

@@ -7,434 +7,19 @@ on:
         description: 'Release version (e.g. 1.0.0)'
         required: true
         type: string
-      node-version:
-        description: 'Node.js version to use'
-        required: false
-        type: string
-        default: '22'
-      upstream-repo:
-        description: 'Upstream repo to fetch appVersion from (e.g. fenio/tns-csi). Leave empty to skip.'
-        required: false
-        type: string
-        default: ''
   repository_dispatch:
     types: [release]
-  workflow_call:
-    inputs:
-      version:
-        description: 'Release version (e.g. 1.0.0)'
-        required: true
-        type: string
-      node-version:
-        description: 'Node.js version to use'
-        required: false
-        type: string
-        default: '22'
-      upstream-repo:
-        description: 'Upstream repo to fetch appVersion from (e.g. fenio/tns-csi). Leave empty to skip.'
-        required: false
-        type: string
-        default: ''
-    secrets:
-      GITEA_RELEASE_TOKEN:
-        description: 'Gitea token with write access to repos'
-        required: true
 
 permissions:
   contents: write
   pull-requests: write
 
-concurrency:
-  group: release
-  cancel-in-progress: false
-
 jobs:
-  check-secrets:
-    runs-on: runners-privilegedescalation
-    outputs:
-      ready: ${{ steps.check.outputs.ready }}
-    steps:
-      - name: Verify GITEA_RELEASE_TOKEN is configured
-        id: check
-        env:
-          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-        run: |
-          if [ -z "$GITEA_RELEASE_TOKEN" ]; then
-            echo "::notice::GITEA_RELEASE_TOKEN org secret is not configured (see PRI-1533). Release skipped — no artifacts will be created."
-            echo "ready=false" >> $GITHUB_OUTPUT
-          else
-            echo "ready=true" >> $GITHUB_OUTPUT
-          fi
-
-  ci:
-    needs: check-secrets
-    if: needs.check-secrets.outputs.ready == 'true'
-    uses: ./.github/workflows/ci.yaml
-    with:
-      node-version: ${{ inputs.node-version }}
-    secrets: inherit
-
-  check-token-permissions:
-    needs: check-secrets
-    if: needs.check-secrets.outputs.ready == 'true'
-    runs-on: runners-privilegedescalation
-    outputs:
-      has_write: ${{ steps.check.outputs.has_write }}
-    steps:
-      - name: Check write permissions via API
-        id: check
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-            -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Accept: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/git/refs" \
-            -d '{"ref":"refs/heads/_release_check","sha":"${{ github.sha }}"}')
-          if [ "$HTTP_CODE" = "201" ]; then
-            echo "::notice::Token has write permission — cleaning up test ref."
-            curl -sf -o /dev/null -w "%{http_code}" \
-              -X DELETE \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "https://git.farh.net/api/v1/repos/${REPO}/git/refs/heads/_release_check"
-            echo "has_write=true" >> $GITHUB_OUTPUT
-          elif [ "$HTTP_CODE" = "403" ]; then
-            echo "::error::Token lacks write permission. Release cannot push tags or branches."
-            echo "has_write=false" >> $GITHUB_OUTPUT
-            exit 1
-          else
-            echo "::warning::Unexpected response ($HTTP_CODE) when checking write permission."
-            echo "has_write=false" >> $GITHUB_OUTPUT
-            exit 1
-          fi
-
-  check-tag:
-    needs: check-secrets
-    if: needs.check-secrets.outputs.ready == 'true'
-    runs-on: runners-privilegedescalation
-    env:
-      RESOLVED_VERSION: ${{ inputs.version || github.event.client_payload.version }}
-    outputs:
-      skip: ${{ steps.check.outputs.skip }}
-    steps:
-      - name: Check if tag already exists
-        id: check
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${REPO}/git/refs/tags/v${{ env.RESOLVED_VERSION }}")
-          if [ "$HTTP_CODE" = "200" ]; then
-            echo "::notice::Tag v${{ env.RESOLVED_VERSION }} already exists. Release skipped (not an error)."
-            echo "skip=true" >> $GITHUB_OUTPUT
-          else
-            echo "skip=false" >> $GITHUB_OUTPUT
-          fi
-
   release:
-    needs: [ci, check-tag, check-secrets, check-token-permissions]
-    if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' && needs.check-token-permissions.outputs.has_write == 'true'
-    runs-on: runners-privilegedescalation
-    timeout-minutes: 10
-    env:
-      RESOLVED_VERSION: ${{ inputs.version || github.event.client_payload.version }}
+    uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+    with:
+      version: ${{ inputs.version || github.event.client_payload.version }}
 
-    steps:
-      - name: Validate version format
-        run: |
-          if [[ ! "${{ env.RESOLVED_VERSION }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Error: Version must be in X.Y.Z format"
-            exit 1
-          fi
-
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Detect package manager
-        id: pkg-manager
-        run: |
-          if [ -f "pnpm-lock.yaml" ]; then
-            echo "manager=pnpm" >> $GITHUB_OUTPUT
-            echo "lockfile=pnpm-lock.yaml" >> $GITHUB_OUTPUT
-            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
-            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
-          else
-            echo "manager=npm" >> $GITHUB_OUTPUT
-            echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT
-            echo "has_package_manager=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ inputs.node-version }}
-          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
-
-      - name: Setup pnpm (via Corepack)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
-        run: |
-          npm install -g corepack
-          corepack enable pnpm
-          corepack install
-
-      - name: Setup pnpm (version latest)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
-        uses: pnpm/action-setup@v5
-        with:
-          run_install: false
-          version: latest
-
-      - name: Get pnpm store directory
-        id: pnpm-store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-      - name: Cache pnpm store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        uses: actions/cache@v5
-        with:
-          path: ${{ steps.pnpm-store.outputs.dir }}
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-
-
-      - name: Configure Git
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions[bot]@users.noreply.github.com"
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          git remote set-url origin "https://x-access-token:${GITEA_TOKEN}@git.farh.net/${{ github.repository }}.git"
-
-      - name: Update version in package.json
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm version ${{ env.RESOLVED_VERSION }} --no-git-tag-version --allow-same-version
-          else
-            npm version ${{ env.RESOLVED_VERSION }} --no-git-tag-version --allow-same-version
-          fi
-
-      - name: Update artifacthub-pkg.yml
-        env:
-          REPO: ${{ github.repository }}
-        run: |
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          if [ -f artifacthub-pkg.yml ]; then
-            PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
-          else
-            PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
-          fi
-          RELEASE_URL="https://git.farh.net/${REPO}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
-          sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
-          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
-
-      - name: Update appVersion from upstream release
-        if: inputs.upstream-repo != ''
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-        run: |
-          APP_VERSION=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${{ inputs.upstream-repo }}/releases/latest" | jq -r '.tag_name | ltrimstr("v")')
-          if [ -z "$APP_VERSION" ] || [ "$APP_VERSION" = "null" ]; then
-            echo "::warning::Could not fetch latest upstream release, skipping appVersion update"
-          else
-            sed -i "s|^appVersion:.*|appVersion: \"${APP_VERSION}\"|" artifacthub-pkg.yml
-            echo "appVersion set to ${APP_VERSION}"
-          fi
-
-      - name: Install dependencies
-        run: |
-          max_attempts=3
-          attempt=1
-          while [ $attempt -le $max_attempts ]; do
-            echo "Attempt $attempt of $max_attempts"
-            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-              pnpm install --frozen-lockfile && break
-            else
-              npm ci && break
-            fi
-            if [ $attempt -lt $max_attempts ]; then
-              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
-              sleep 5
-            fi
-            attempt=$((attempt + 1))
-          done
-          if [ $attempt -gt $max_attempts ]; then
-            echo "::error::Install step failed after $max_attempts attempts."
-            exit 1
-          fi
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Package plugin
-        run: npx @kinvolk/headlamp-plugin package
-
-      - name: Prepare release tarball
-        run: |
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          if [ -f artifacthub-pkg.yml ]; then
-            PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
-          else
-            PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
-          fi
-          TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
-          for f in *.tar.gz; do
-            [ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
-          done
-          if [ ! -f "$TARBALL" ]; then
-            echo "Error: Expected tarball $TARBALL not found"
-            ls -la *.tar.gz 2>/dev/null || echo "No .tar.gz files found"
-            exit 1
-          fi
-          echo "TARBALL=$TARBALL" >> $GITHUB_ENV
-          echo "PKG_NAME=$PKG_NAME" >> $GITHUB_ENV
-
-      - name: Validate tarball
-        run: |
-          echo "Tarball: ${{ env.TARBALL }}"
-          ls -lh "${{ env.TARBALL }}"
-          tar -tzf "${{ env.TARBALL }}" | head -20
-          tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
-
-      - name: Compute checksum
-        run: |
-          CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
-          echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
-          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
-
-      - name: Commit and tag
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-        run: |
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          BRANCH="release/v${VERSION}"
-          if git ls-remote --exit-code origin "refs/heads/$BRANCH" 2>/dev/null; then
-            echo "::notice::Branch $BRANCH already exists — deleting for clean re-trigger."
-            git push origin --delete "$BRANCH"
-          fi
-          git checkout -b "$BRANCH"
-          git add package.json "${{ steps.pkg-manager.outputs.lockfile }}" artifacthub-pkg.yml
-          git commit -m "release: v${VERSION}"
-          git tag "v${VERSION}"
-          git push origin "$BRANCH"
-          git push origin "refs/tags/v${VERSION}"
-
-      - name: Create Gitea Release
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          TARBALL="${{ env.TARBALL }}"
-          RESPONSE=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/releases" \
-            -d "{
-              \"tag_name\": \"v${VERSION}\",
-              \"name\": \"Release v${VERSION}\",
-              \"draft\": false,
-              \"prerelease\": false
-            }")
-          if [ -z "$RESPONSE" ]; then
-            echo "::warning::Release creation returned empty response (may already exist)"
-          else
-            echo "::notice::Release v${VERSION} created successfully"
-          fi
-          UPLOAD_URL=$(echo "$RESPONSE" | jq -r '.upload_url' 2>/dev/null || echo "")
-          if [ -n "$UPLOAD_URL" ] && [ "$UPLOAD_URL" != "null" ]; then
-            UPLOAD_URL="${UPLOAD_URL%%\{*}"
-            curl -sf -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/octet-stream" \
-              "${UPLOAD_URL}?name=${TARBALL}" \
-              --data-binary "@${TARBALL}"
-            echo "::notice::Tarball uploaded successfully"
-          fi
-
-      - name: Create PR for version bump
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          set -o pipefail
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          BODY=$(printf "Automated version bump and checksum update for v%s.\n\ncc @cpfarhood" "${VERSION}")
-          RESPONSE=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls" \
-            -d "{
-              \"title\": \"release: v${VERSION}\",
-              \"body\": \"$BODY\",
-              \"base\": \"main\",
-              \"head\": \"release/v${VERSION}\"
-            }")
-          PR_NUMBER=$(echo "$RESPONSE" | jq -r '.number' 2>/dev/null || echo "")
-          if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ]; then
-            EXISTING=$(curl -sf \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "https://git.farh.net/api/v1/repos/${REPO}/pulls?state=open&base=main&head=release/v${VERSION}" \
-              | jq -r '.[0].number' 2>/dev/null || echo "")
-            if [ -n "$EXISTING" ] && [ "$EXISTING" != "null" ]; then
-              PR_NUMBER="$EXISTING"
-              echo "::notice::Open PR #${PR_NUMBER} for release/v${VERSION} already exists — skipping creation."
-            else
-              echo "::error::Could not determine PR number for release/v${VERSION}."
-              exit 1
-            fi
-          fi
-          echo "::notice::Working with PR #${PR_NUMBER}"
-
-          PR_STATE=$(curl -sf \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" \
-            | jq -r '.state' 2>/dev/null || echo "")
-          if [ "$PR_STATE" = "merged" ]; then
-            echo "::notice::PR #${PR_NUMBER} was already merged. Nothing to do."
-            exit 0
-          fi
-
-          MERGE_RESULT=$(curl -sf -X POST \
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            -H "Content-Type: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/merge" \
-            -d '{"do": "squash"}')
-          if echo "$MERGE_RESULT" | jq -e '.merged' 2>/dev/null; then
-            echo "PR merged successfully."
-          else
-            if [ "$PR_STATE" = "merged" ]; then
-              echo "PR was already merged."
-            else
-              echo "::warning::Merge response: $MERGE_RESULT"
-            fi
-          fi
-
-      - name: Verify checksums are consistent (main == tag == tarball)
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          VERSION="${{ env.RESOLVED_VERSION }}"
-          TARBALL_CS=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
-          TAG_CS=$(git show "v${VERSION}:artifacthub-pkg.yml" 2>/dev/null \
-            | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
-          MAIN_CS=$(git fetch origin main 2>/dev/null; git show "origin/main:artifacthub-pkg.yml" \
-            | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
-          echo "Tarball SHA256 : $TARBALL_CS"
-          echo "Tag artifacthub: $TAG_CS"
-          echo "Main artifacthub: $MAIN_CS"
-          FAIL=0
-          [ "$TARBALL_CS" != "$TAG_CS"  ] && echo "ERROR: tag checksum mismatch!"  && FAIL=1
-          [ "$TARBALL_CS" != "$MAIN_CS" ] && echo "ERROR: main checksum mismatch!" && FAIL=1
-          [ "$FAIL" = "1" ] && exit 1
-          echo "All checksums consistent — ArtifactHub will index correctly."

.github/workflows/renovate.yml

@@ -1,14 +0,0 @@
-name: Renovate
-on:
-  schedule:
-    - cron: '0 3 * * *'
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: renovatebot/github-action@v40.3.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          configurationFile: renovate.json

README.md

@@ -90,7 +90,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: headlamp
-    namespace: <your-namespace>
+    namespace: headlamp
 ```
 
 ## Troubleshooting

e2e/auth.setup.ts

@@ -0,0 +1,69 @@
+import { test as setup, expect, Page } from '@playwright/test';
+
+const AUTH_STATE_PATH = 'e2e/.auth/state.json';
+
+async function authenticateWithOIDC(page: Page, username: string, password: string): Promise<void> {
+  await page.goto('/');
+  await page.waitForURL('**/login');
+
+  const popupPromise = page.waitForEvent('popup');
+  await page.getByRole('button', { name: /sign in/i }).click();
+  const popup = await popupPromise;
+
+  await popup.waitForLoadState('domcontentloaded');
+  await popup.waitForLoadState('networkidle');
+
+  const usernameField = popup.getByRole('textbox', { name: /email or username/i });
+  await usernameField.waitFor({ state: 'visible', timeout: 15_000 });
+  await usernameField.fill(username);
+  await popup.getByRole('button', { name: /log in/i }).click();
+
+  await popup.waitForLoadState('networkidle');
+  const passwordField = popup.getByRole('textbox', { name: /password/i });
+  await passwordField.waitFor({ state: 'visible', timeout: 15_000 });
+  await passwordField.fill(password);
+  await popup.getByRole('button', { name: /continue|log in/i }).click();
+
+  await popup.waitForEvent('close', { timeout: 15_000 });
+
+  await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({
+    timeout: 15_000,
+  });
+}
+
+async function authenticateWithToken(page: Page, token: string): Promise<void> {
+  await page.goto('/');
+  await page.waitForURL(/\/(login|token)$/);
+
+  if (page.url().includes('/login')) {
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
+    await page.waitForURL('**/token');
+  }
+
+  await page.getByRole('textbox', { name: /id token/i }).fill(token);
+  await page.getByRole('button', { name: /authenticate/i }).click();
+
+  await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({
+    timeout: 15_000,
+  });
+}
+
+setup('authenticate with Headlamp', async ({ page }) => {
+  const username = process.env.AUTHENTIK_USERNAME;
+  const password = process.env.AUTHENTIK_PASSWORD;
+  const token = process.env.HEADLAMP_TOKEN;
+
+  if (username && password) {
+    await authenticateWithOIDC(page, username, password);
+  } else if (token) {
+    await authenticateWithToken(page, token);
+  } else {
+    throw new Error(
+      'Set AUTHENTIK_USERNAME + AUTHENTIK_PASSWORD for OIDC auth, or HEADLAMP_TOKEN for token auth'
+    );
+  }
+
+  await page.context().storageState({ path: AUTH_STATE_PATH });
+});

e2e/rook.spec.ts

@@ -0,0 +1,67 @@
+import { test, expect } from '@playwright/test';
+
+async function waitForSidebar(page: import('@playwright/test').Page) {
+  const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+  await expect(sidebar).toBeVisible({ timeout: 15_000 });
+  await page.waitForLoadState('networkidle');
+  return sidebar;
+}
+
+test.describe('Rook plugin smoke tests', () => {
+  test('sidebar contains Rook entry', async ({ page }) => {
+    await page.goto('/');
+    const sidebar = await waitForSidebar(page);
+    await expect(sidebar.getByRole('button', { name: /rook/i })).toBeVisible();
+  });
+
+  test('Rook sidebar entry navigates to overview', async ({ page }) => {
+    await page.goto('/');
+    const sidebar = await waitForSidebar(page);
+
+    const rookEntry = sidebar.getByRole('button', { name: /rook/i });
+    await expect(rookEntry).toBeVisible();
+    await rookEntry.click();
+
+    await page.waitForLoadState('networkidle');
+    await expect(page).toHaveURL(/rook-ceph/);
+    await expect(page.getByRole('heading', { name: /overview/i })).toBeVisible();
+  });
+
+  test('overview page renders content', async ({ page }) => {
+    await page.goto('/c/main/rook-ceph');
+    await waitForSidebar(page);
+
+    await expect(page.getByRole('heading', { name: /overview/i })).toBeVisible({
+      timeout: 15_000,
+    });
+
+    const hasContent = await page.locator('text=/cluster|ceph|status/i').first().isVisible().catch(() => false);
+    const hasDashboard = await page.locator('[class*="Mui"]').first().isVisible().catch(() => false);
+    expect(hasContent || hasDashboard).toBe(true);
+  });
+
+  test('navigation to storage classes view works', async ({ page }) => {
+    await page.goto('/c/main/rook-ceph');
+
+    const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+    const rookBtn = sidebar.getByRole('button', { name: /rook/i });
+    await rookBtn.click();
+    await page.waitForLoadState('networkidle');
+
+    const storageClassesLink = sidebar.getByRole('button', { name: /storage classes/i });
+    await expect(storageClassesLink).toBeVisible({ timeout: 15_000 });
+    await storageClassesLink.click();
+
+    await page.waitForLoadState('networkidle');
+    await expect(page).toHaveURL(/rook-ceph\/storage-classes/);
+    await expect(page.getByRole('heading', { name: /storage class/i })).toBeVisible({ timeout: 15_000 });
+  });
+
+  test('plugin settings page shows rook plugin entry', async ({ page }) => {
+    await page.goto('/settings/plugins');
+    await page.waitForLoadState('networkidle');
+
+    const pluginEntry = page.locator('text=rook').first();
+    await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
+  });
+});

package.json

@@ -22,12 +22,15 @@
     "format": "prettier --write src/",
     "format:check": "prettier --check src/",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "e2e": "playwright test",
+    "e2e:headed": "playwright test --headed"
   },
   "devDependencies": {
     "@headlamp-k8s/eslint-config": "^0.6.0",
     "@kinvolk/headlamp-plugin": "^0.13.0",
     "@mui/material": "^5.15.14",
+    "@playwright/test": "^1.58.2",
     "@testing-library/jest-dom": "^6.4.8",
     "@testing-library/react": "^16.0.0",
     "@testing-library/user-event": "^14.5.2",
@@ -49,13 +52,5 @@
     "vite": ">=6.4.2",
     "lodash": ">=4.18.0",
     "elliptic": ">=6.6.1"
-  },
-  "packageManager": "pnpm@9.15.4",
-  "pnpm": {
-    "onlyBuiltDependencies": [
-      "@swc/core",
-      "esbuild",
-      "msw"
-    ]
   }
 }

playwright.config.ts

@@ -0,0 +1,27 @@
+import { defineConfig, devices } from '@playwright/test';
+
+export default defineConfig({
+  testDir: './e2e',
+  timeout: 30_000,
+  expect: { timeout: 10_000 },
+  fullyParallel: false,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 1 : 0,
+  reporter: 'list',
+  use: {
+    baseURL: process.env.HEADLAMP_URL || (() => { throw new Error('HEADLAMP_URL is required — run scripts/deploy-e2e-headlamp.sh first'); })(),
+    trace: 'on-first-retry',
+    screenshot: 'only-on-failure',
+  },
+  projects: [
+    { name: 'setup', testMatch: /auth\.setup\.ts/, timeout: 60_000 },
+    {
+      name: 'chromium',
+      use: {
+        ...devices['Desktop Chrome'],
+        storageState: 'e2e/.auth/state.json',
+      },
+      dependencies: ['setup'],
+    },
+  ],
+});

scripts/deploy-e2e-headlamp.sh

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+# deploy-e2e-headlamp.sh
+#
+# Deploys a stock Headlamp instance with the rook plugin loaded via
+# a ConfigMap volume mount.
+#
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# persists beyond the test run — teardown cleans up all created resources.
+#
+# Prerequisites:
+#   - Plugin built (dist/ exists with plugin-main.js + package.json)
+#   - kubectl configured with cluster access
+#
+# Environment:
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="$REPO_ROOT/dist"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
+
+if [ ! -d "$DIST_DIR" ]; then
+  echo "ERROR: dist/ not found. Run 'pnpm build' first." >&2
+  exit 1
+fi
+
+echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
+  exit 1
+fi
+
+echo "=== E2E Headlamp Deployment ==="
+echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo ""
+echo "Creating ConfigMap with plugin files..."
+
+kubectl delete configmap headlamp-rook-plugin \
+  -n "$E2E_NAMESPACE" --ignore-not-found
+
+kubectl create configmap headlamp-rook-plugin \
+  -n "$E2E_NAMESPACE" \
+  --from-file="$DIST_DIR" \
+  --from-file=package.json="$REPO_ROOT/package.json"
+
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
+echo ""
+echo "Deploying Headlamp E2E instance..."
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: ${E2E_RELEASE}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: ${E2E_RELEASE}
+    spec:
+      serviceAccountName: ${E2E_RELEASE}
+      automountServiceAccountToken: true
+      securityContext: {}
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: 100
+            runAsGroup: 101
+          args:
+            - "-in-cluster"
+            - "-in-cluster-context-name=main"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          volumeMounts:
+            - name: rook-plugin
+              mountPath: /headlamp/plugins/headlamp-rook
+              readOnly: true
+      volumes:
+        - name: rook-plugin
+          configMap:
+            name: headlamp-rook-plugin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+EOF
+
+echo "Waiting for rollout..."
+kubectl rollout status "deployment/${E2E_RELEASE}" \
+  -n "$E2E_NAMESPACE" --timeout=120s
+
+SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
+
+echo ""
+echo "Waiting for ${SVC_URL} to be reachable..."
+ATTEMPTS=0
+MAX_ATTEMPTS=24
+until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
+  ATTEMPTS=$((ATTEMPTS + 1))
+  if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then
+    echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2
+    exit 1
+  fi
+  echo "  [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..."
+  sleep 5
+done
+echo ""
+echo "E2E Headlamp is ready at: ${SVC_URL}"
+
+echo ""
+echo "Creating service account token for E2E auth..."
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
+TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
+if [ -n "$TOKEN" ]; then
+  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
+  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
+  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
+else
+  echo "  WARNING: Could not generate token."
+fi
+
+echo ""
+echo "E2E deployment complete."

scripts/teardown-e2e-headlamp.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# teardown-e2e-headlamp.sh
+#
+# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
+#
+# Environment:
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+
+echo "=== E2E Headlamp Teardown ==="
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo "Removing Headlamp Deployment, Service, and ServiceAccount..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up ConfigMap..."
+kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up test service account..."
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
+
+if [ -f "$REPO_ROOT/.env.e2e" ]; then
+  rm "$REPO_ROOT/.env.e2e"
+  echo "Removed .env.e2e"
+fi
+
+echo ""
+echo "E2E teardown complete."