Users choose their own namespace for Headlamp. Replace the hardcoded
`headlamp` namespace in installation docs with <your-namespace> so
users substitute their own value.
Refs: PRI-435
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Add pnpm.overrides.elliptic to prevent version regression on
the transitive elliptic vulnerability (CVE-2025-14505).
Vulnerability path:
@kinvolk/headlamp-plugin → vite-plugin-node-polyfills →
node-stdlib-browser → crypto-browserify → browserify-sign → elliptic
Note: pnpm audit will still report the vulnerability until
upstream publishes elliptic 6.6.2+. This override safeguards
against pulling a worse version.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* Regenerate lockfile for lodash+vite overrides
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: add markdownlint config to resolve CI failures
- Add .markdownlint-cli2.jsonc with 18 rule disables appropriate for plugin docs
- Add .markdownlintignore to skip generated API reference docs
- Fix remaining errors with --fix
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* Reference shared infra RBAC in deployment scripts
PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
message to reference privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment
Infra RBAC is the source of truth managed by Flux GitOps. No E2E workflow
exists yet for this plugin.
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
* fix(e2e): add E2E workflow for headlamp-sealed-secrets-plugin
Adds .github/workflows/e2e.yaml calling the shared plugin-e2e.yaml reusable workflow.
Fixes PRI-729: E2E DNS failure caused by missing E2E workflow in this repo.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): reference @main workflow after .github merge
Update workflow_call ref from hugh/add-pnpm-support-plugin-e2e to main
now that .github#144 has merged.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use pnpm-capable workflow branch
Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.
PRI-634
* fix(e2e): reference @main workflow after .github merge
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): disable automount SA token to avoid kubelet fetch race
Kubelet tries to fetch SA token immediately after deployment creates the pod,
but the SA may not be propagated yet. Setting automountServiceAccountToken: false
avoids this race. The SA token is not needed since E2E tests authenticate
via HEADLAMP_TOKEN passed as env var.
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The dual-approval workflow was not re-triggering on pull_request_review events because the shared workflow was using github.event.pull_request.number which is not available in workflow_call context.
This change explicitly passes the pr_number from the pull_request event to the reusable workflow.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.dev>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Bumps version to 1.0.1 and updates artifacthub-pkg.yml with the
correct archive URL for v1.0.1. The archive-checksum is intentionally
left blank so the release workflow can compute it after rebuilding the
tarball (fixes the v1.0.0 ordering bug fixed in PR #80).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Follows the pattern established in headlamp-intel-gpu-plugin (PR #25):
- e2e/sealed-secrets.spec.ts: 5 smoke tests covering sidebar navigation,
list view, sealing keys view, cross-view navigation, and plugin settings
- e2e/auth.setup.ts: shared OIDC + token auth setup
- playwright.config.ts: fail-fast if HEADLAMP_URL not set (no prod URL fallback)
- scripts/deploy-e2e-headlamp.sh: ConfigMap-based plugin injection to privilegedescalation-dev
- scripts/teardown-e2e-headlamp.sh: clean teardown of all E2E resources
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
npm/pnpm rejects a package.json that specifies the same package in both
overrides and devDependencies (EOVERRIDE). Since typescript is now a
direct devDependency pinned at ~5.6.2, remove it from overrides.
pnpm strict hoisting means only direct deps are on PATH. The overrides
entry pins the version but does not install tsc as a binary. Without an
explicit devDependency entry pnpm run tsc fails with "tsc: not found".
- Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8
as explicit devDependencies — without these the lint and format:check CI
steps fail with "eslint: not found" / "prettier: not found"
- Remove vite/client and vite-plugin-svgr/client from tsconfig types — these
are transitive deps that pnpm does not hoist; polaris plugin omits them too
and tsc passes cleanly without them
- Update pnpm-lock.yaml to reflect new direct deps
- Bump version to 1.0.0 in package.json and artifacthub-pkg.yml
- Add explicit devDependencies: vitest, @testing-library/react,
@testing-library/jest-dom, @testing-library/user-event, jsdom,
react, react-dom, @types/react, @types/react-dom, react-router-dom,
@mui/material, notistack — resolves phantom-dep test failures
- Add process.env.NODE_ENV define to vitest.config.mts (fixes
"act() not supported in production builds" failures)
- Switch to pnpm lockfile (pnpm-lock.yaml), drop package-lock.json
- Remove install-plugin.sh (violates ArtifactHub-only install policy)
- Fill in CHANGELOG entries for v0.2.22, v0.2.23, v0.2.24
- Update CHANGELOG [1.0.0] and version comparison links
- All 233 tests pass
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
privilegedescalation-ceo[bot]
Chris Farhood
Gandalf the Greybeard