* fix(e2e): add E2E workflow for headlamp-sealed-secrets-plugin
Adds .github/workflows/e2e.yaml calling the shared plugin-e2e.yaml reusable workflow.
Fixes PRI-729: E2E DNS failure caused by missing E2E workflow in this repo.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): reference @main workflow after .github merge
Update workflow_call ref from hugh/add-pnpm-support-plugin-e2e to main
now that .github#144 has merged.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use pnpm-capable workflow branch
Reference @hugh/add-pnpm-support-plugin-e2e which has pnpm support via corepack.
PRI-634
* fix(e2e): reference @main workflow after .github merge
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): disable automount SA token to avoid kubelet fetch race
Kubelet tries to fetch SA token immediately after deployment creates the pod,
but the SA may not be propagated yet. Setting automountServiceAccountToken: false
avoids this race. The SA token is not needed since E2E tests authenticate
via HEADLAMP_TOKEN passed as env var.
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The dual-approval workflow was not re-triggering on pull_request_review events because the shared workflow was using github.event.pull_request.number which is not available in workflow_call context.
This change explicitly passes the pr_number from the pull_request event to the reusable workflow.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.dev>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Configures the reusable release workflow to fetch the latest release
tag from bitnami-labs/sealed-secrets and set appVersion in artifacthub-pkg.yml.
This keeps our Artifact Hub listing in sync with the upstream project.
* ci: switch to org-level reusable workflows
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: retrigger CI after reusable workflows merged
* feat: add workflow_dispatch to CI workflow
---------
Co-authored-by: hugh-hackman[bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: hugh-hackman[bot] <266376744+hugh-hackman[bot]@users.noreply.github.com>
The self-hosted runner doesn't have gh CLI installed. Restore the
original softprops/action-gh-release@v2 action for creating releases.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The mv was a leftover from when the plugin built in a subdirectory.
Now that source lives at repo root, the tarball is already correctly
named — just verify it exists instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Merged prepare-release and release workflows into a single workflow
that handles everything in one job. This eliminates the need for
separate tokens or manual intervention.
Single workflow now:
- Validates version format
- Updates package.json and artifacthub-pkg.yml
- Builds and packages plugin (with type check and linting)
- Computes checksum
- Verifies tarball contents
- Updates metadata with real checksum
- Commits all changes to main
- Creates and pushes tag
- Creates GitHub release with tarball
No more tag push triggers, no separate tokens needed.
Everything runs in one workflow_dispatch job.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Changed runs-on from 'local-ubuntu-latest' to '[self-hosted, local-ubuntu-latest]'
to properly match organization-level ARC runner scale sets.
For organization-level runners, GitHub Actions requires the self-hosted
label along with the runner scale set name.
Replaced monolithic publish workflow with cleaner 3-workflow pattern
from headlamp-polaris-plugin:
Changes:
- ci.yaml: Basic lint/test on push/PR (simplified)
- prepare-release.yaml: NEW - Manual workflow to bump version and tag
- release.yaml: NEW - Two-job pattern (build → update-metadata)
Key improvements:
- Uses npx @kinvolk/headlamp-plugin package (standard CLI)
- Separates version bumping from release building
- Two-job release: build artifacts, then update main with checksum
- Better validation (tarball name, contents)
- Cleaner git history (metadata updates are separate commits)
- Matches polaris-plugin proven pattern
Breaking changes:
- No longer uses publish.yml
- Release process now requires prepare-release workflow first
- Checksums updated via separate job after release completes
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Changed both CI and publish workflows to target local self-hosted
runner instead of GitHub-hosted ubuntu-latest.
Changes:
- .github/workflows/ci.yml: runs-on: local-ubuntu-latest
- .github/workflows/publish.yml: runs-on: local-ubuntu-latest
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Features:
- Complete SealedSecret CRD integration with Headlamp
- Client-side encryption using controller's public key
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- List and detail views for SealedSecrets
- Encryption dialog for creating new SealedSecrets
- Decryption support with RBAC awareness
- Sealing keys management
- Settings page for controller configuration
- Integration with Secret detail view
Technical:
- Full TypeScript with strict mode
- ~1,345 lines of code
- Build size: 339.42 kB (93.21 kB gzipped)
- Compatible with Headlamp v0.13.0+
- Apache 2.0 license
Security:
- All encryption performed client-side
- RSA-OAEP + AES-256-GCM (kubeseal-compatible)
- Auto-hide decrypted values after 30 seconds
Closes: Initial implementation
privilegedescalation-engineer[bot]
Chris Farhood