diff --git a/.github/scripts/ci-health-check.sh b/.github/scripts/ci-health-check.sh
index 40ceef5..094a19c 100755
--- a/.github/scripts/ci-health-check.sh
+++ b/.github/scripts/ci-health-check.sh
@@ -2,19 +2,41 @@
 # ci-health-check.sh — Scan all privilegedescalation repos for CI/CD health
 # Run from: /paperclip/privilegedescalation/engineering/hugh
 # Requires: GH_TOKEN set (use: export GH_TOKEN=$(bash ./get-github-token.sh))
+#
+# Plugin repo discovery
+# ---------------------
+# PLUGIN_REPOS is populated dynamically from the GitHub org so newly created
+# plugin repos are picked up automatically. The filter is:
+# - non-archived, public repos in the privilegedescalation org
+# - name starts with "headlamp-"
+# - excludes "headlamp-agent-skills" (skills bundle, not a Headlamp plugin)
+# If discovery fails (network error, GH_TOKEN missing, API outage), we fall
+# back to a hardcoded list so the health check still produces a useful report.
 set -euo pipefail
 ORG="privilegedescalation"
+# Hardcoded fallback — kept in sync manually as a safety net for discovery failures.
+PLUGIN_REPOS_FALLBACK=(
+ headlamp-polaris-plugin
+ headlamp-rook-plugin
+ headlamp-sealed-secrets-plugin
+ headlamp-intel-gpu-plugin
+ headlamp-tns-csi-plugin
+ headlamp-kube-vip-plugin
+ headlamp-plugin-template
+ headlamp-argocd-plugin
+)
+
 mapfile -t PLUGIN_REPOS < <(
 gh api --paginate "orgs/${ORG}/repos" \
- --jq '.[] | select(.archived == false and .visibility == "public") | .name' \
- 2>/dev/null | grep -E '^headlamp-.+' | sort
+ --jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name' \
+ 2>/dev/null | sort
 )
 if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then
- echo "ERROR: No repos discovered for ${ORG}" >&2
- exit 1
+ echo "WARNING: dynamic repo discovery returned no results — using hardcoded fallback" >&2
+ PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
 fi
 echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="
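Review bot: The new fallback cannot tell why discovery came back empty, and it does not fire at all on a partial failure: `gh api` still runs inside `< <( … )` with `2>/dev/null`, so its exit status and error text are discarded and `set -euo pipefail` never sees them. An expired or missing GH_TOKEN therefore yields a normal-looking report over a hand-maintained list, and a failure on a later page (if gh has already printed earlier pages) would leave a truncated but non-empty PLUGIN_REPOS that skips the fallback entirely; for a health check that is a silent loss of coverage. I would capture the output with a command substitution so the status can be tested, let gh's stderr reach the job log, and name the cause in the warning, as below. It may also be worth repeating the fallback notice in the report itself (stdout), since the warning goes only to stderr and the script now exits 0 where it used to exit 1.

```shell
# … unchanged: PLUGIN_REPOS_FALLBACK definition …
PLUGIN_REPOS=()
# No 2>/dev/null: gh's own error (auth, rate limit, outage) belongs in the job log.
if repo_names=$(gh api --paginate "orgs/${ORG}/repos" \
    --jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name'); then
  if [ -n "$repo_names" ]; then
    mapfile -t PLUGIN_REPOS < <(sort <<<"$repo_names")
  fi
  fallback_reason="discovery succeeded but matched no repos"
else
  # Partial page output is dropped on failure; a truncated list would hide repos.
  fallback_reason="gh api failed"
fi

if [ "${#PLUGIN_REPOS[@]}" -eq 0 ]; then
  echo "WARNING: ${fallback_reason} — using hardcoded fallback" >&2
  PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
fi
```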