Compare commits
4 Commits
uat
...
0fcc1acb98
| Author | SHA1 | Date | |
|---|---|---|---|
| 0fcc1acb98 | |||
| e5ba51e344 | |||
| a34c70568b | |||
| ea1fc44614 |
@@ -2,9 +2,9 @@ name: CI
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [main, dev]
|
branches: [main, dev, uat]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main, dev]
|
branches: [main, dev, uat]
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
workflow_call:
|
workflow_call:
|
||||||
|
|
||||||
|
|||||||
@@ -1,20 +1,21 @@
|
|||||||
name: Dual Approval (CTO + QA)
|
name: Promotion Gate
|
||||||
|
|
||||||
# Calls the shared dual-approval-check workflow.
|
# Calls the shared promotion gate workflow.
|
||||||
# Passes when both privilegedescalation-cto and privilegedescalation-qa
|
# dev PRs: no gate (engineer self-merges).
|
||||||
# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
|
# uat PRs: QA approval required.
|
||||||
# in branch protection to enforce this gate.
|
# main PRs: UAT approval required (uat→main promotions).
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request_review:
|
pull_request_review:
|
||||||
types: [submitted, dismissed]
|
types: [submitted, dismissed]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main]
|
branches: [uat, main]
|
||||||
types: [opened, reopened, synchronize]
|
types: [opened, reopened, synchronize]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
dual-approval:
|
promotion-gate:
|
||||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||||
secrets: inherit
|
secrets: inherit
|
||||||
with:
|
with:
|
||||||
pr_number: ${{ github.event.pull_request.number }}
|
pr_number: ${{ github.event.pull_request.number }}
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,20 @@
|
|||||||
|
{
|
||||||
|
// Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
|
||||||
|
// CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
|
||||||
|
// trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
|
||||||
|
// and do NOT ship in production plugin artifacts.
|
||||||
|
"allowlist": [
|
||||||
|
{
|
||||||
|
"id": "GHSA-hhpm-516h-p3p6",
|
||||||
|
"reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "GHSA-36xf-7xpp-53w5",
|
||||||
|
"reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": "GHSA-jf8v-p3pp-93qh",
|
||||||
|
"reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
+1
-1
@@ -50,7 +50,7 @@
|
|||||||
"lodash": ">=4.18.0",
|
"lodash": ">=4.18.0",
|
||||||
"elliptic": ">=6.6.1"
|
"elliptic": ">=6.6.1"
|
||||||
},
|
},
|
||||||
"packageManager": "pnpm@9.15.4",
|
"packageManager": "pnpm@10.32.1",
|
||||||
"pnpm": {
|
"pnpm": {
|
||||||
"onlyBuiltDependencies": [
|
"onlyBuiltDependencies": [
|
||||||
"@swc/core",
|
"@swc/core",
|
||||||
|
|||||||
Reference in New Issue
Block a user