The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.

Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Configures the reusable release workflow to fetch the latest release
tag from bitnami-labs/sealed-secrets and set appVersion in artifacthub-pkg.yml.
This keeps our Artifact Hub listing in sync with the upstream project.

* ci: switch to org-level reusable workflows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: retrigger CI after reusable workflows merged

* feat: add workflow_dispatch to CI workflow

---------

Co-authored-by: hugh-hackman[bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: hugh-hackman[bot] <266376744+hugh-hackman[bot]@users.noreply.github.com>

The self-hosted runner doesn't have gh CLI installed. Restore the
original softprops/action-gh-release@v2 action for creating releases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The mv was a leftover from when the plugin built in a subdirectory.
Now that source lives at repo root, the tarball is already correctly
named — just verify it exists instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Merged prepare-release and release workflows into a single workflow
that handles everything in one job. This eliminates the need for
separate tokens or manual intervention.

Single workflow now:
- Validates version format
- Updates package.json and artifacthub-pkg.yml
- Builds and packages plugin (with type check and linting)
- Computes checksum
- Verifies tarball contents
- Updates metadata with real checksum
- Commits all changes to main
- Creates and pushes tag
- Creates GitHub release with tarball

No more tag push triggers, no separate tokens needed.
Everything runs in one workflow_dispatch job.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Changed runs-on from 'local-ubuntu-latest' to '[self-hosted, local-ubuntu-latest]'
to properly match organization-level ARC runner scale sets.
For organization-level runners, GitHub Actions requires the self-hosted
label along with the runner scale set name.

Replaced monolithic publish workflow with cleaner 3-workflow pattern
from headlamp-polaris-plugin:

Changes:
- ci.yaml: Basic lint/test on push/PR (simplified)
- prepare-release.yaml: NEW - Manual workflow to bump version and tag
- release.yaml: NEW - Two-job pattern (build → update-metadata)

Key improvements:
- Uses npx @kinvolk/headlamp-plugin package (standard CLI)
- Separates version bumping from release building
- Two-job release: build artifacts, then update main with checksum
- Better validation (tarball name, contents)
- Cleaner git history (metadata updates are separate commits)
- Matches polaris-plugin proven pattern

Breaking changes:
- No longer uses publish.yml
- Release process now requires prepare-release workflow first
- Checksums updated via separate job after release completes

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Changed both CI and publish workflows to target local self-hosted
runner instead of GitHub-hosted ubuntu-latest.

Changes:
- .github/workflows/ci.yml: runs-on: local-ubuntu-latest
- .github/workflows/publish.yml: runs-on: local-ubuntu-latest

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

Features:
- Complete SealedSecret CRD integration with Headlamp
- Client-side encryption using controller's public key
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- List and detail views for SealedSecrets
- Encryption dialog for creating new SealedSecrets
- Decryption support with RBAC awareness
- Sealing keys management
- Settings page for controller configuration
- Integration with Secret detail view

Technical:
- Full TypeScript with strict mode
- ~1,345 lines of code
- Build size: 339.42 kB (93.21 kB gzipped)
- Compatible with Headlamp v0.13.0+
- Apache 2.0 license

Security:
- All encryption performed client-side
- RSA-OAEP + AES-256-GCM (kubeseal-compatible)
- Auto-hide decrypted values after 30 seconds

Closes: Initial implementation