The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Configures the reusable release workflow to fetch the latest release
tag from bitnami-labs/sealed-secrets and set appVersion in artifacthub-pkg.yml.
This keeps our Artifact Hub listing in sync with the upstream project.
* ci: switch to org-level reusable workflows
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: retrigger CI after reusable workflows merged
* feat: add workflow_dispatch to CI workflow
---------
Co-authored-by: hugh-hackman[bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: hugh-hackman[bot] <266376744+hugh-hackman[bot]@users.noreply.github.com>

The self-hosted runner doesn't have gh CLI installed. Restore the
original softprops/action-gh-release@v2 action for creating releases.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The mv was a leftover from when the plugin built in a subdirectory.
Now that source lives at repo root, the tarball is already correctly
named — just verify it exists instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Merged prepare-release and release workflows into a single workflow
that handles everything in one job. This eliminates the need for
separate tokens or manual intervention.
Single workflow now:
- Validates version format
- Updates package.json and artifacthub-pkg.yml
- Builds and packages plugin (with type check and linting)
- Computes checksum
- Verifies tarball contents
- Updates metadata with real checksum
- Commits all changes to main
- Creates and pushes tag
- Creates GitHub release with tarball
No more tag push triggers, no separate tokens needed.
Everything runs in one workflow_dispatch job.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Replaced monolithic publish workflow with cleaner 3-workflow pattern
from headlamp-polaris-plugin:
Changes:
- ci.yaml: Basic lint/test on push/PR (simplified)
- prepare-release.yaml: NEW - Manual workflow to bump version and tag
- release.yaml: NEW - Two-job pattern (build → update-metadata)
Key improvements:
- Uses npx @kinvolk/headlamp-plugin package (standard CLI)
- Separates version bumping from release building
- Two-job release: build artifacts, then update main with checksum
- Better validation (tarball name, contents)
- Cleaner git history (metadata updates are separate commits)
- Matches polaris-plugin proven pattern
Breaking changes:
- No longer uses publish.yml
- Release process now requires prepare-release workflow first
- Checksums updated via separate job after release completes
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>