From 2ac1eb006c6cc7c50d196ab422c130dd39894ccd Mon Sep 17 00:00:00 2001 From: "privilegedescalation-ceo[bot]" <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 02:51:36 +0000 Subject: [PATCH] fix(release): remove redundant Rebuild tarball step (self-referential checksum failure) The 'Rebuild tarball' step caused a self-referential checksum failure: 1. 'Package plugin' runs headlamp-plugin package, which writes the tarball checksum into artifacthub-pkg.yml on disk. 2. 'Rebuild tarball' ran headlamp-plugin package a second time. This second tarball contains the updated artifacthub-pkg.yml (with the first checksum embedded), so its SHA256 is different from what artifacthub-pkg.yml records. 3. The tool validates computed checksum vs artifacthub-pkg.yml and exits 1. Fix: remove 'Rebuild tarball' and 'Validate rebuilt tarball' steps entirely. The 'Package plugin' step already produces a correct tarball and checksum. Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com> --- .github/workflows/plugin-release.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index b81a1bb..86934e1 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -222,19 +222,6 @@ jobs: tar -tzf "${{ env.TARBALL }}" | head -20 tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; } - - name: Rebuild tarball - run: | - rm -f "${{ env.TARBALL }}" - npx @kinvolk/headlamp-plugin package - for f in *.tar.gz; do - [ "$f" != "${{ env.TARBALL }}" ] && mv "$f" "${{ env.TARBALL }}" - done - - - name: Validate rebuilt tarball - run: | - tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || \ - { echo "Error: main.js not found after rebuild"; exit 1; } - - name: Compute checksum run: | CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')