privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity
Files
2d6fc15fde4ff2290f7a2f20d044183cadfa8ecd
headlamp-sealed-secrets-plugin/GITHUB_SETUP_CHECKLIST.md
T
Chris Farhood 78f5074818 chore: optimize Git workflow and CI/CD for Headlamp plugin releases 
Implements comprehensive workflow redesign addressing:
- Non-deterministic builds → Fixed with consistent Node version and npm ci
- Manual checksum management → Automated in publish workflow
- Multiple artifact locations → Single source of truth (GitHub releases)
- Individual file releases → Single tarball artifact
- Artifact Hub mismatches → No rebuild risk, use released tarball

Key improvements:
- CI workflow: faster builds with npm cache, artifact verification
- Publish workflow: deterministic builds, automatic checksum calculation,
  auto-commit of metadata updates, single tarball release
- Branch protection: require PR review and passing CI before merge
- Release process: simplified from manual to 5-minute automated workflow

Documentation:
- GIT_WORKFLOW.md: branching strategy, commit conventions, release process
- RELEASE_GUIDE.md: detailed step-by-step release instructions
- RELEASE_QUICK_REFERENCE.md: copy-paste commands for quick releases
- CI_CD_DESIGN.md: technical architecture and design decisions
- GITHUB_SETUP_CHECKLIST.md: repository configuration guide
- WORKFLOW_OPTIMIZATION_SUMMARY.md: executive summary of changes

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-12 13:43:39 -05:00

411 lines
10 KiB
Markdown
Raw Blame History

# GitHub Setup Checklist
This document provides step-by-step instructions to configure the repository for the optimized CI/CD workflow.
## Quick Setup (15 minutes)
### 1. Enable Actions
```
Settings → Actions → General
- Allow all actions and reusable workflows: [x] CHECKED
- Fork pull request workflows from outside collaborators: "Run workflows from fork pull requests"
```
### 2. Configure Runners
```
Settings → Actions → Runners
- Ensure "local-ubuntu-latest" runner is available
(Or configure your self-hosted runner)
```
### 3. Create Secrets (Optional)
```
Settings → Secrets and variables → Actions
If publishing to NPM:
Add secret "NPM_TOKEN"
- Value: Get from https://www.npmjs.com/settings/[USERNAME]/tokens
- Type: "Automation" token recommended
GITHUB_TOKEN is automatic (no setup needed)
```
### 4. Protect Main Branch
```
Settings → Branches → Branch protection rules
CREATE NEW RULE:
Pattern: main
Require pull request reviews before merging:
[x] Required number of approvals: 1
[x] Dismiss stale pull request approvals when new commits are pushed
[ ] Require code review from owner before merge (unless required)
Require status checks to pass before merging:
[x] Require branches to be up to date before merging
[x] Status checks that must pass: "test" (from CI workflow)
Additional settings:
[ ] Include administrators
[x] Allow force pushes (only for admins if needed)
[ ] Allow deletions
```
## Detailed Configuration
### Step 1: Repository Settings
Visit: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/settings
#### Basic Settings
```
Repository name: headlamp-sealed-secrets-plugin
Description: Headlamp plugin for Bitnami Sealed Secrets - manage encrypted Kubernetes secrets
Website: https://artifacthub.io/packages/headlamp-sealed-secrets
Visibility: Public
```
#### Features
```
[x] Discussions
[ ] Projects
[ ] Wiki
[ ] Sponsorships
```
### Step 2: Actions Settings
Visit: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/settings/actions
#### General
```
Actions permissions: "Allow all actions and reusable workflows"
Fork pull request workflows from outside collaborators:
"Run workflows from fork pull requests"
```
#### Runners
```
Check: Settings → Actions → Runners
Ensure runner is available:
- Name: local-ubuntu-latest
- Status: Idle or Online
- Labels: local-ubuntu-latest
```
If self-hosted runner not available:
1. Contact infrastructure team
2. Or use GitHub-hosted: `ubuntu-latest`
3. Update workflow YAML: `runs-on: ubuntu-latest`
### Step 3: Secrets Configuration
Visit: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/settings/secrets/actions
#### Optional: NPM Token (Only if publishing to NPM)
```
Name: NPM_TOKEN
Value: [Get from npm.js]
To get token:
1. Go to https://www.npmjs.com/settings/YOUR_USERNAME/tokens
2. Create new token: Type "Automation"
3. Copy token
4. Paste in GitHub secret
```
#### GITHUB_TOKEN (Automatic)
No setup needed. Pre-installed and automatically available.
### Step 4: Branch Protection
Visit: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/settings/branches
#### Protect Main Branch
**Step 4.1**: Click "Add rule" (or edit existing main rule)
**Step 4.2**: Enter pattern
```
Pattern: main
```
**Step 4.3**: Require pull requests
```
[x] Require a pull request before merging
[x] Require approvals: 1
[x] Dismiss stale pull request approvals when new commits are pushed
[ ] Require review from Code Owners
```
**Step 4.4**: Require status checks
```
[x] Require status checks to pass before merging
[x] Require branches to be up to date before merging
Status checks that must pass:
- Search and select: "test"
(This is from CI workflow in .github/workflows/ci.yml)
```
**Step 4.5**: Additional settings
```
[ ] Include administrators
[x] Allow force pushes → "Allow force pushes by administrators"
[ ] Allow deletions
[x] Lock branch: Do not lock
```
**Step 4.6**: Click "Create" or "Save changes"
## Verification
### Verify CI Workflow Works
```bash
# Create test branch and push
git checkout -b test/workflow-verify
git push origin test/workflow-verify
# Open pull request
# https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/pull/new/test/workflow-verify
# Verify:
# - CI workflow appears in PR checks
# - Lint passes
# - Build passes
# - Workflow completes in 2-3 minutes
# Clean up
git checkout main
git branch -D test/workflow-verify
git push origin -d test/workflow-verify
```
### Verify Branch Protection
```bash
# Try to push directly to main (should fail)
git checkout main
git commit --allow-empty -m "test"
git push origin main
# Expected: Rejected by remote (can't push directly)
# Correct way: Create PR
git checkout -b fix/test
git commit --allow-empty -m "test commit"
git push origin fix/test
# Open PR: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/main...fix/test
# - Check that PR cannot be merged without approval
# - Check that PR cannot be merged until CI passes
# Clean up after testing
```
### Verify Release Workflow
```bash
# Manually trigger or wait for next release
git tag -a v0.2.5 -m "Test release"
git push origin v0.2.5
# Verify in GitHub Actions:
# https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/actions
# Expected:
# - "Publish Release" workflow starts
# - Completes in 3-5 minutes
# - Creates GitHub release with tarball
# - Updates artifacthub-pkg.yml with checksum
# Verify release created:
# https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.5
# Clean up test tag
git tag -d v0.2.5
git push origin -d v0.2.5
```
## Troubleshooting Setup
### "Actions not enabled"
```
Go to: Settings → Actions
Select: "Allow all actions and reusable workflows"
Save
```
### "Status checks don't appear in PR"
```
1. Verify CI workflow has correct syntax
2. Push to any branch to trigger workflow
3. Check: Actions tab → See if workflow runs
4. If workflow runs:
- Wait 2-3 minutes for checks to appear in PR
- Refresh PR page
5. If workflow doesn't run:
- Check workflow file for syntax errors
- Check trigger conditions (on: push, on: pull_request)
```
### "Can't create branch protection"
```
1. Verify you're repository admin
2. Verify main branch exists
3. Try again with pattern "main" (exact match)
4. Check if rule already exists (edit instead of create new)
```
### "Runner not available"
```
If "local-ubuntu-latest" not available:
Option 1: Use GitHub-hosted runner
- Edit .github/workflows/ci.yml
- Change: runs-on: ubuntu-latest
- Change: .github/workflows/publish.yml to ubuntu-latest
Option 2: Set up self-hosted runner
- Settings → Actions → Runners
- Follow GitHub instructions to install runner
- Register with label: local-ubuntu-latest
```
### "Push rejected (branch protected)"
```
This is expected! Do not force push.
Correct workflow:
1. Create feature branch: git checkout -b fix/my-fix
2. Make changes and commit
3. Push to feature branch: git push origin fix/my-fix
4. Open PR on GitHub
5. Get approval from code reviewer
6. Merge via GitHub UI (not git push)
```
## Workflow Summary
After setup, development flow is:
```
┌─ Feature Branch (develop/feature)
│ └─ git push origin develop
│ └─ CI workflow runs (lint, build, test)
├─ Open Pull Request to main
│ └─ CI workflow runs again
│ └─ Requires 1 approval to merge
├─ Code Review → Approve → Merge to main
│ └─ CI workflow runs (final check)
│ └─ Auto-merge or manual merge
└─ Create release tag
└─ git tag -a v0.2.5
└─ git push origin v0.2.5
└─ Publish workflow runs
└─ Creates GitHub release
└─ Updates Artifact Hub metadata
```
## Artifact Hub Integration
### Prerequisites
Repository must be registered:
- Repository ID: 5574d37c-c4ae-45ab-a378-ef24aaba5b4c
- Metadata file: artifacthub-pkg.yml
### Verification
```
1. Go to: https://artifacthub.io/packages/headlamp-sealed-secrets
2. Check: Version displays correctly
3. Check: Archive URL is correct
4. Check: Checksum matches released tarball
5. Check: Installation instructions display
```
### Sync Manually
If version not appearing after 10 minutes:
```
1. Go to: https://artifacthub.io/control-panel/repositories
2. Find: headlamp-sealed-secrets-plugin
3. Click: "Trigger sync"
4. Wait: 5-10 minutes
5. Refresh: artifacthub.io package page
```
## Final Verification Checklist
```
Repository Settings:
- [ ] Repository is public
- [ ] Description is set
- [ ] Website/Homepage is set
- [ ] Topics include: headlamp, kubernetes, sealed-secrets
Actions:
- [ ] Actions are enabled
- [ ] local-ubuntu-latest runner available
- [ ] CI workflow (.github/workflows/ci.yml) exists
- [ ] Publish workflow (.github/workflows/publish.yml) exists
Secrets:
- [ ] NPM_TOKEN created (optional, only if publishing to NPM)
- [ ] GITHUB_TOKEN is automatic
Branch Protection (main):
- [ ] Require 1 PR approval before merge
- [ ] Require CI workflow to pass
- [ ] Require branches up to date
- [ ] Stale reviews dismissed on push
Testing:
- [ ] Push to PR triggers CI workflow
- [ ] CI workflow completes successfully
- [ ] Cannot merge without approval
- [ ] Cannot merge without passing CI
- [ ] Direct push to main is rejected
Release:
- [ ] Tag push triggers Publish workflow
- [ ] Publish workflow creates GitHub release
- [ ] Tarball is uploaded to release
- [ ] artifacthub-pkg.yml is updated with checksum
- [ ] Artifact Hub shows new version within 10 minutes
```
## Support
- GitHub Actions Docs: https://docs.github.com/en/actions
- GitHub Branch Protection: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
- Artifact Hub: https://artifacthub.io/docs
- Headlamp Plugin Publishing: https://headlamp.dev/docs/latest/development/plugins/publishing/
## Related Documents
- [GIT_WORKFLOW.md](/Users/cpfarhood/Documents/Repositories/headlamp-sealed-secrets-plugin/GIT_WORKFLOW.md) - Branching and commit strategy
- [RELEASE_GUIDE.md](/Users/cpfarhood/Documents/Repositories/headlamp-sealed-secrets-plugin/RELEASE_GUIDE.md) - How to cut releases
- [CI_CD_DESIGN.md](/Users/cpfarhood/Documents/Repositories/headlamp-sealed-secrets-plugin/CI_CD_DESIGN.md) - Technical design
- [RELEASE_QUICK_REFERENCE.md](/Users/cpfarhood/Documents/Repositories/headlamp-sealed-secrets-plugin/RELEASE_QUICK_REFERENCE.md) - Copy-paste commands
Reference in New Issue View Git Blame Copy Permalink