From 5680e942ad6e4ef3446b503e9e131b5a9ac56e0d Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Wed, 25 Mar 2026 12:23:56 +0000
Subject: [PATCH 1/2] fix(plugin-release): rebuild tarball after checksum update
The tarball was being created BEFORE the checksum was computed and updated in artifacthub-pkg.yml. This meant the released tarball contained a placeholder checksum instead of the actual SHA256 hash. This change adds a step to rebuild the tarball after the checksum is computed, ensuring the released artifact has the correct checksum.
Co-Authored-By: Paperclip
---
 .github/workflows/plugin-release.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index eba33be..d5092a1 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -211,6 +211,18 @@ jobs:
 echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
 sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
+ - name: Rebuild tarball with correct checksum
+ run: |
+ rm -f "${{ env.TARBALL }}"
+ npx @kinvolk/headlamp-plugin package
+ VERSION="${{ inputs.version }}"
+ PKG_NAME="${{ env.PKG_NAME }}"
+ TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
+ for f in *.tar.gz; do
+ [ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
+ done
+ echo "TARBALL=$TARBALL" >> $GITHUB_ENV
+
 - name: Commit and tag
 run: |
 VERSION="${{ inputs.version }}"
From bb043914ef82edae36aabfdd07954c52ba696118 Mon Sep 17 00:00:00 2001
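Review bot: `npx @kinvolk/headlamp-plugin package` in the added Rebuild step names no version, so unless an earlier step (not visible in this hunk) installs it from a lockfile, npx resolves the package from the registry at release time and that code builds the tarball whose SHA-256 is published. For a release job, prefer the locked copy, e.g. `npx --no-install @kinvolk/headlamp-plugin package` after `npm ci`, or pin it as `@kinvolk/headlamp-plugin@<pinned-version>`. The same line is carried into the Rebuild step of PATCH 2/2. Separately, `VERSION="${{ inputs.version }}"` is expanded into the script text before bash parses it, here and in the Commit and tag context line; passing the input through the step's `env:` and reading `"$VERSION"` keeps it as data.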
From: Hugh Hackman
Date: Sat, 11 Apr 2026 17:00:04 +0000
Subject: [PATCH 2/2] fix: reverse checksum/rebuild ordering per QA feedback
- Move rebuild step BEFORE checksum computation
- Add validation step after rebuild
- Remove redundant VERSION/PKG_NAME variable reassignments
- Checksum now computed from rebuilt tarball, not original
---
 .github/workflows/plugin-release.yaml | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index d5092a1..0a0f15d 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -205,24 +205,25 @@ jobs:
 tar -tzf "${{ env.TARBALL }}" | head -20
 tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
+ - name: Rebuild tarball
+ run: |
+ rm -f "${{ env.TARBALL }}"
+ npx @kinvolk/headlamp-plugin package
+ for f in *.tar.gz; do
+ [ "$f" != "${{ env.TARBALL }}" ] && mv "$f" "${{ env.TARBALL }}"
+ done
+
+ - name: Validate rebuilt tarball
+ run: |
+ tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || \
+ { echo "Error: main.js not found after rebuild"; exit 1; }
+
 - name: Compute checksum
 run: |
 CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
 echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
 sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
- - name: Rebuild tarball with correct checksum
- run: |
- rm -f "${{ env.TARBALL }}"
- npx @kinvolk/headlamp-plugin package
- VERSION="${{ inputs.version }}"
- PKG_NAME="${{ env.PKG_NAME }}"
- TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
- for f in *.tar.gz; do
- [ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
- done
- echo "TARBALL=$TARBALL" >> $GITHUB_ENV
-
 - name: Commit and tag
 run: |
 VERSION="${{ inputs.version }}"
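Review bot: The new Rebuild and Validate steps splice `${{ env.TARBALL }}` into the script text where the removed loop used the shell variable; if that value is composed from `inputs.version`, as the removed `TARBALL="${PKG_NAME}-${VERSION}.tar.gz"` was, the input is expanded before bash parses the script. Values written to `$GITHUB_ENV` are already exported to later steps, so `"$TARBALL"` works and stays data, e.g. `rm -f -- "$TARBALL"`. The loop is also now the last command of its step, so when the last matched file already carries the target name the `[ ... ] && mv` list leaves status 1 and the step fails; `if [ "$f" != "$TARBALL" ]; then mv -- "$f" "$TARBALL"; fi` avoids that. The rebuilt archive is produced before `sed` writes the checksum, so if artifacthub-pkg.yml is packaged it still holds the old value, which is worth confirming as intended.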