privilegedescalation/headlamp-sealed-secrets-plugin
Archived
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity

ci: standardize CI/CD workflows and add Renovate

Browse Source 
- CI: single sequential job, local-ubuntu-latest runner, Node 22, workflow_call trigger, npm run commands
- Release: CI gate via reusable workflow, concurrency protection, dynamic package name, tarball validation, gh CLI
- Delete test-runner.yaml (one-time runner diagnostic)
- Add renovate.json with recommended config

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
DevContainer User
2026-03-04 00:41:37 +00:00
parent af95c3795c
commit 8390aeb5df
4 changed files with 66 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yaml
+11 -21
View File
@@ -5,9 +5,10 @@ on:
branches: [main] branches: [main]
pull_request: pull_request:
branches: [main] branches: [main]
workflow_call:
jobs: jobs:
lint-and-test: ci:
runs-on: local-ubuntu-latest runs-on: local-ubuntu-latest
timeout-minutes: 10 timeout-minutes: 10
@@ -18,34 +19,23 @@ jobs:
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: '20' node-version: '22'
cache: 'npm' cache: 'npm'
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm ci
- name: Type-check - name: Build plugin
run: npm run tsc run: npx @kinvolk/headlamp-plugin build
- name: Lint - name: Lint
run: npm run lint run: npm run lint
- name: Build plugin - name: Type-check
run: npx @kinvolk/headlamp-plugin build run: npm run tsc
- name: Verify build artifacts - name: Format check
run: | run: npm run format:check
if [ ! -d "dist" ] || [ -z "$(ls -A dist)" ]; then
echo "::error::dist directory is empty or missing"
exit 1
fi
echo "Build artifacts verified"
ls -lh dist/
- name: Upload build artifact (for inspection) - name: Run tests
uses: actions/upload-artifact@v4 run: npm test
if: always()
with:
name: plugin-dist
path: dist/
retention-days: 7
.github/workflows/release.yaml
+51 -92
View File
@@ -4,144 +4,103 @@ on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
version: version:
description: 'Version to release (without v prefix, e.g., 0.2.5)' description: 'Release version (e.g. 1.0.0)'
required: true required: true
type: string type: string
permissions:
contents: write
concurrency:
group: release
cancel-in-progress: false
jobs: jobs:
ci:
uses: ./.github/workflows/ci.yaml
release: release:
needs: ci
runs-on: local-ubuntu-latest runs-on: local-ubuntu-latest
permissions: timeout-minutes: 10
contents: write
steps: steps:
- name: Validate version format - name: Validate version format
run: | run: |
if ! echo "${{ inputs.version }}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Version must be in format X.Y.Z (e.g., 0.2.5)" echo "Error: Version must be in X.Y.Z format"
exit 1 exit 1
fi fi
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Get package name - name: Configure Git
id: package_name
run: |
PKG_NAME=$(jq -r '.name' package.json)
echo "name=${PKG_NAME}" >> $GITHUB_OUTPUT
echo "Package name: ${PKG_NAME}"
- name: Configure git
run: | run: |
git config user.name "github-actions[bot]" git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com" git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Update package.json version - name: Update version in package.json
run: | run: npm version ${{ inputs.version }} --no-git-tag-version
jq --arg version "${{ inputs.version }}" '.version = $version' package.json > package.json.tmp
mv package.json.tmp package.json
- name: Update artifacthub-pkg.yml version - name: Update artifacthub-pkg.yml
run: | run: |
VERSION="${{ inputs.version }}" VERSION="${{ inputs.version }}"
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${{ steps.package_name.outputs.name }}-${VERSION}.tar.gz" PKG_NAME=$(jq -r .name package.json)
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
sed -i "s|^appVersion:.*|appVersion: ${VERSION}|" artifacthub-pkg.yml
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: '20' node-version: '22'
cache: 'npm' cache: 'npm'
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm ci
- name: Run type check
run: npm run tsc
- name: Run linter
run: npm run lint
- name: Build plugin - name: Build plugin
run: npx @kinvolk/headlamp-plugin build run: npx @kinvolk/headlamp-plugin build
- name: Package plugin - name: Package plugin
run: npx @kinvolk/headlamp-plugin package run: npx @kinvolk/headlamp-plugin package
- name: Validate tarball name - name: Prepare release tarball
run: | run: |
EXPECTED="${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz" VERSION="${{ inputs.version }}"
ACTUAL=$(ls *.tar.gz) PKG_NAME=$(jq -r .name package.json)
if [ "$EXPECTED" != "$ACTUAL" ]; then TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
echo "::error::Tarball name mismatch! Expected: $EXPECTED, Got: $ACTUAL" mv *.tar.gz "$TARBALL"
exit 1 echo "TARBALL=$TARBALL" >> $GITHUB_ENV
fi echo "PKG_NAME=$PKG_NAME" >> $GITHUB_ENV
echo "Tarball name validated: $ACTUAL"
- name: Validate tarball
run: |
echo "Tarball: ${{ env.TARBALL }}"
ls -lh "${{ env.TARBALL }}"
tar -tzf "${{ env.TARBALL }}" | head -20
tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
- name: Compute checksum - name: Compute checksum
id: compute_checksum
run: | run: |
TARBALL="${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz" CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
CHECKSUM=$(sha256sum "$TARBALL" | awk '{print $1}') echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
echo "checksum=${CHECKSUM}" >> $GITHUB_OUTPUT
echo "Checksum: sha256:${CHECKSUM}"
- name: Verify tarball contents
run: |
TARBALL="${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz"
echo "Tarball contents:"
tar -tzf "${TARBALL}" | head -20
# Verify main.js exists (structure is <package-name>/main.js)
if ! tar -tzf "${TARBALL}" | grep -q "${{ steps.package_name.outputs.name }}/main.js"; then
echo "::error::main.js not found in tarball"
exit 1
fi
echo "Tarball contents validated"
- name: Update checksum in metadata
run: |
CHECKSUM="${{ steps.compute_checksum.outputs.checksum }}"
sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
- name: Commit version bump and metadata - name: Commit and tag
run: | run: |
git add package.json artifacthub-pkg.yml VERSION="${{ inputs.version }}"
git commit -m "chore: release v${{ inputs.version }}" git add package.json package-lock.json artifacthub-pkg.yml
git push origin main git commit -m "release: v${VERSION}"
git tag "v${VERSION}"
- name: Create and push tag git push origin main --tags
run: |
git tag "v${{ inputs.version }}"
git push origin "v${{ inputs.version }}"
- name: Create GitHub Release - name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: "v${{ inputs.version }}"
files: ${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz
fail_on_unmatched_files: true
draft: false
prerelease: false
generate_release_notes: true
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ github.token }}
- name: Summary
run: | run: |
echo "Release Summary:" VERSION="${{ inputs.version }}"
echo "==================" gh release create "v${VERSION}" "${{ env.TARBALL }}" \
echo "Version: v${{ inputs.version }}" --title "v${VERSION}" \
echo "Tarball: ${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz" --generate-notes
echo "Checksum: sha256:${{ steps.compute_checksum.outputs.checksum }}"
echo "Archive URL: https://github.com/${{ github.repository }}/releases/download/v${{ inputs.version }}/${{ steps.package_name.outputs.name }}-${{ inputs.version }}.tar.gz"
echo ""
echo "Version bumped to ${{ inputs.version }}"
echo "Metadata updated with checksum"
echo "Tag v${{ inputs.version }} created"
echo "GitHub release published with tarball"
echo ""
echo "Artifact Hub will sync within 5-10 minutes."
.github/workflows/test-runner.yaml
-23
View File
@@ -1,23 +0,0 @@
name: Test Runner
on:
workflow_dispatch:
jobs:
test:
runs-on: local-ubuntu-latest
timeout-minutes: 5
steps:
- name: Echo test
run: |
echo "Runner is working!"
echo "Hostname: $(hostname)"
echo "User: $(whoami)"
echo "PWD: $(pwd)"
echo "Node version: $(node --version)"
echo "NPM version: $(npm --version)"
- name: List runner labels
run: |
echo "This job ran on a runner with labels: self-hosted, local-ubuntu-latest"
renovate.json
+4
View File
@@ -0,0 +1,4 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"]
}