fix(e2e): use @main ref for reusable workflow after pnpm fix (PRI-859)

Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).

Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic

Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>

.github/workflows/e2e.yaml

@@ -18,7 +18,6 @@ jobs:
   e2e:
     uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
     with:
-      node-version: "22"
+      node-version: '22'
       headlamp-version: v0.40.1
       e2e-namespace: headlamp-dev
-      plugin-name: rook

e2e/rook.spec.ts

@@ -24,14 +24,14 @@ test.describe('Rook plugin smoke tests', () => {
 
     await page.waitForLoadState('networkidle');
     await expect(page).toHaveURL(/rook-ceph/);
-    await expect(page.getByRole('heading', { name: /overview/i }).first()).toBeVisible();
+    await expect(page.getByRole('heading', { name: /overview/i })).toBeVisible();
   });
 
   test('overview page renders content', async ({ page }) => {
     await page.goto('/c/main/rook-ceph');
     await waitForSidebar(page);
 
-    await expect(page.getByRole('heading', { name: /overview/i }).first()).toBeVisible({
+    await expect(page.getByRole('heading', { name: /overview/i })).toBeVisible({
       timeout: 15_000,
     });
 
@@ -42,27 +42,22 @@ test.describe('Rook plugin smoke tests', () => {
 
   test('navigation to storage classes view works', async ({ page }) => {
     await page.goto('/c/main/rook-ceph');
+
     const sidebar = page.getByRole('navigation', { name: 'Navigation' });
-
-    const rookBtn = sidebar.getByRole('button', { name: /rook/i });
-    await rookBtn.click();
-    await page.waitForLoadState('networkidle');
-
     const storageClassesLink = sidebar.getByRole('link', { name: /storage classes/i });
     await expect(storageClassesLink).toBeVisible({ timeout: 10_000 });
     await storageClassesLink.click();
 
     await page.waitForLoadState('networkidle');
     await expect(page).toHaveURL(/rook-ceph\/storage-classes/);
-    await expect(page.getByRole('heading', { name: /storage class/i }).first()).toBeVisible({ timeout: 15_000 });
+    await expect(page.getByRole('heading', { name: /storage class/i })).toBeVisible({ timeout: 15_000 });
   });
 
   test('plugin settings page shows rook plugin entry', async ({ page }) => {
     await page.goto('/settings/plugins');
     await page.waitForLoadState('networkidle');
-    await page.waitForSelector('table, [class*="PluginList"], [class*="plugin"]', { timeout: 10_000 }).catch(() => {});
 
-    const pluginEntry = page.locator('text=/rook/i').first();
+    const pluginEntry = page.locator('text=rook').first();
     await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
   });
 });

package.json

@@ -50,6 +50,7 @@
     "tar": "^7.5.11",
     "undici": "^7.24.3",
     "vite": ">=6.4.2",
-    "lodash": ">=4.18.0"
+    "lodash": ">=4.18.0",
+    "elliptic": ">=6.6.1"
   }
 }

scripts/deploy-e2e-headlamp.sh

@@ -35,17 +35,6 @@ if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/nul
   exit 1
 fi
 
-echo ""
-echo "=== Pre-deployment cluster diagnostics ==="
-echo "Nodes:"
-kubectl get nodes -o wide 2>&1 || true
-echo ""
-echo "headlamp-dev namespace state:"
-kubectl get ns headlamp-dev -o yaml 2>&1 || true
-echo ""
-echo "Existing E2E resources in namespace:"
-kubectl get all -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
-
 echo "=== E2E Headlamp Deployment ==="
 echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
 echo "  Namespace: $E2E_NAMESPACE"
@@ -71,7 +60,7 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-
 echo ""
 echo "Deploying Headlamp E2E instance..."
 
-if ! kubectl apply -f - <<EOF
+kubectl apply -f - <<EOF
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -159,12 +148,6 @@ spec:
       targetPort: http
       protocol: TCP
 EOF
-then
-  echo "ERROR: kubectl apply failed. Dumping cluster state..." >&2
-  kubectl get all -n "$E2E_NAMESPACE" 2>&1 || true
-  kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -30 || true
-  exit 1
-fi
 
 echo "Waiting for rollout..."
 kubectl rollout status "deployment/${E2E_RELEASE}" \