privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

ci-health-check: complete dynamic repo discovery (PRI-331)

Browse Source 
PR #115's first commit landed dynamic discovery via gh api but missed
three of the five issue requirements. This commit completes them:

- Move headlamp- prefix filtering into jq via startswith() and add
  explicit exclusion for headlamp-agent-skills (skills bundle, not a
  plugin), instead of relying on grep -E '^headlamp-.+'.
- Add PLUGIN_REPOS_FALLBACK with the previously hardcoded list and
  use it when discovery returns empty, instead of exiting with error.
- Add header comment documenting the discovery filter and the
  headlamp-agent-skills exclusion.

Verified jq filter against live API: returns 8 plugin repos, all
prefixed headlamp-, headlamp-agent-skills correctly excluded.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Chris Farhood
2026-05-03 18:17:53 +00:00
committed by Gandalf the Greybeard [agent]
parent d872bdc626
commit 0ff52c20fd
1 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/scripts/ci-health-check.sh
+26 -4
View File
@@ -2,19 +2,41 @@
# ci-health-check.sh — Scan all privilegedescalation repos for CI/CD health # ci-health-check.sh — Scan all privilegedescalation repos for CI/CD health
# Run from: /paperclip/privilegedescalation/engineering/hugh # Run from: /paperclip/privilegedescalation/engineering/hugh
# Requires: GH_TOKEN set (use: export GH_TOKEN=$(bash ./get-github-token.sh)) # Requires: GH_TOKEN set (use: export GH_TOKEN=$(bash ./get-github-token.sh))
#
# Plugin repo discovery
# ---------------------
# PLUGIN_REPOS is populated dynamically from the GitHub org so newly created
# plugin repos are picked up automatically. The filter is:
# - non-archived, public repos in the privilegedescalation org
# - name starts with "headlamp-"
# - excludes "headlamp-agent-skills" (skills bundle, not a Headlamp plugin)
# If discovery fails (network error, GH_TOKEN missing, API outage), we fall
# back to a hardcoded list so the health check still produces a useful report.
set -euo pipefail set -euo pipefail
ORG="privilegedescalation" ORG="privilegedescalation"
# Hardcoded fallback — kept in sync manually as a safety net for discovery failures.
PLUGIN_REPOS_FALLBACK=(
headlamp-polaris-plugin
headlamp-rook-plugin
headlamp-sealed-secrets-plugin
headlamp-intel-gpu-plugin
headlamp-tns-csi-plugin
headlamp-kube-vip-plugin
headlamp-plugin-template
headlamp-argocd-plugin
)
mapfile -t PLUGIN_REPOS < <( mapfile -t PLUGIN_REPOS < <(
gh api --paginate "orgs/${ORG}/repos" \ gh api --paginate "orgs/${ORG}/repos" \
--jq '.[] | select(.archived == false and .visibility == "public") | .name' \ --jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name' \
2>/dev/null | grep -E '^headlamp-.+' | sort 2>/dev/null | sort
) )
if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then
echo "ERROR: No repos discovered for ${ORG}" >&2 echo "WARNING: dynamic repo discovery returned no results — using hardcoded fallback" >&2
exit 1 PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
fi fi
echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ===" echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="