GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash
below 4.18.0. The vulnerable transitive dependency comes through
@kinvolk/headlamp-plugin.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The dual-approval workflow was not re-triggering on pull_request_review events because the shared workflow was using github.event.pull_request.number which is not available in workflow_call context.
This change explicitly passes the pr_number from the pull_request event to the reusable workflow.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.dev>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Bumps version to 1.0.1 and updates artifacthub-pkg.yml with the
correct archive URL for v1.0.1. The archive-checksum is intentionally
left blank so the release workflow can compute it after rebuilding the
tarball (fixes the v1.0.0 ordering bug fixed in PR #80).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Follows the pattern established in headlamp-intel-gpu-plugin (PR #25):
- e2e/sealed-secrets.spec.ts: 5 smoke tests covering sidebar navigation,
list view, sealing keys view, cross-view navigation, and plugin settings
- e2e/auth.setup.ts: shared OIDC + token auth setup
- playwright.config.ts: fail-fast if HEADLAMP_URL not set (no prod URL fallback)
- scripts/deploy-e2e-headlamp.sh: ConfigMap-based plugin injection to privilegedescalation-dev
- scripts/teardown-e2e-headlamp.sh: clean teardown of all E2E resources
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
npm/pnpm rejects a package.json that specifies the same package in both
overrides and devDependencies (EOVERRIDE). Since typescript is now a
direct devDependency pinned at ~5.6.2, remove it from overrides.
pnpm strict hoisting means only direct deps are on PATH. The overrides
entry pins the version but does not install tsc as a binary. Without an
explicit devDependency entry pnpm run tsc fails with "tsc: not found".
- Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8
as explicit devDependencies — without these the lint and format:check CI
steps fail with "eslint: not found" / "prettier: not found"
- Remove vite/client and vite-plugin-svgr/client from tsconfig types — these
are transitive deps that pnpm does not hoist; polaris plugin omits them too
and tsc passes cleanly without them
- Update pnpm-lock.yaml to reflect new direct deps
- Bump version to 1.0.0 in package.json and artifacthub-pkg.yml
- Add explicit devDependencies: vitest, @testing-library/react,
@testing-library/jest-dom, @testing-library/user-event, jsdom,
react, react-dom, @types/react, @types/react-dom, react-router-dom,
@mui/material, notistack — resolves phantom-dep test failures
- Add process.env.NODE_ENV define to vitest.config.mts (fixes
"act() not supported in production builds" failures)
- Switch to pnpm lockfile (pnpm-lock.yaml), drop package-lock.json
- Remove install-plugin.sh (violates ArtifactHub-only install policy)
- Fill in CHANGELOG entries for v0.2.22, v0.2.23, v0.2.24
- Update CHANGELOG [1.0.0] and version comparison links
- All 233 tests pass
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood
Gandalf the Greybeard
Gandalf the Greybeard