fix(e2e): normalize reusable workflow reference to @main

Replace the branch-based reference with @main for the plugin-e2e
reusable workflow. The @main branch of .github is protected and
already contains all necessary pnpm support. This removes the drift
risk from referencing a non-protected branch.

Refs: PRI-1001

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/e2e.yaml

@@ -16,7 +16,7 @@ concurrency:
 
 jobs:
   e2e:
-    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
+    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
     with:
       node-version: '22'
       headlamp-version: v0.40.1

.github/workflows/renovate.yml

@@ -0,0 +1,14 @@
+name: Renovate
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: renovatebot/github-action@v40.3.0
+        with:
+          configurationFile: renovate.json
+          renovate-json5: true

e2e/rook.spec.ts

@@ -44,7 +44,7 @@ test.describe('Rook plugin smoke tests', () => {
     await page.goto('/c/main/rook-ceph');
 
     const sidebar = page.getByRole('navigation', { name: 'Navigation' });
-    const storageClassesLink = sidebar.getByRole('button', { name: /storage classes/i });
+    const storageClassesLink = sidebar.getByRole('link', { name: /storage classes/i });
     await expect(storageClassesLink).toBeVisible({ timeout: 10_000 });
     await storageClassesLink.click();
 

package.json

@@ -50,6 +50,7 @@
     "tar": "^7.5.11",
     "undici": "^7.24.3",
     "vite": ">=6.4.2",
-    "lodash": ">=4.18.0"
+    "lodash": ">=4.18.0",
+    "elliptic": ">=6.6.1"
   }
 }

scripts/deploy-e2e-headlamp.sh

@@ -53,57 +53,9 @@ kubectl create configmap headlamp-rook-plugin \
 
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
-kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
-kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found 2>/dev/null || true
-
-echo ""
-echo "Creating E2E service account..."
-kubectl create serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE"
-
-echo ""
-echo "Creating RBAC for E2E service account..."
-kubectl apply -f - <<EOF
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: headlamp-e2e-test-reader
-rules:
-  - apiGroups: [""]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["ceph.rook.io"]
-    resources: ["cephclusters"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["ceph.rook.io"]
-    resources: ["cephclusters/status"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-e2e-test-crb
-subjects:
-  - kind: ServiceAccount
-    name: headlamp-e2e-test
-    namespace: ${E2E_NAMESPACE}
-roleRef:
-  kind: ClusterRole
-  name: headlamp-e2e-test-reader
-  apiGroup: rbac.authorization.k8s.io
-EOF
 
 echo ""
 echo "Deploying Headlamp E2E instance..."
@@ -219,18 +171,18 @@ done
 echo ""
 echo "E2E Headlamp is ready at: ${SVC_URL}"
 
-echo ""
-echo "Writing E2E env file..."
-echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
-
 echo ""
 echo "Creating service account token for E2E auth..."
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then
+  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
   echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
   echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
 else
-  echo "Wrote .env.e2e with HEADLAMP_URL only (token generation failed, using OIDC fallback)"
+  echo "  WARNING: Could not generate token."
 fi
 
 echo ""

scripts/teardown-e2e-headlamp.sh

@@ -25,10 +25,8 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-
 echo "Cleaning up ConfigMap..."
 kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found
 
-echo "Cleaning up test service account and RBAC..."
+echo "Cleaning up test service account..."
 kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
-kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
-kubectl delete clusterrole headlamp-e2e-test-reader --ignore-not-found 2>/dev/null || true
 
 if [ -f "$REPO_ROOT/.env.e2e" ]; then
   rm "$REPO_ROOT/.env.e2e"