From 5680e942ad6e4ef3446b503e9e131b5a9ac56e0d Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Wed, 25 Mar 2026 12:23:56 +0000 Subject: [PATCH 1/4] fix(plugin-release): rebuild tarball after checksum update The tarball was being created BEFORE the checksum was computed and updated in artifacthub-pkg.yml. This meant the released tarball contained a placeholder checksum instead of the actual SHA256 hash. This change adds a step to rebuild the tarball after the checksum is computed, ensuring the released artifact has the correct checksum. Co-Authored-By: Paperclip --- .github/workflows/plugin-release.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index eba33be..d5092a1 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -211,6 +211,18 @@ jobs: echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml + - name: Rebuild tarball with correct checksum + run: | + rm -f "${{ env.TARBALL }}" + npx @kinvolk/headlamp-plugin package + VERSION="${{ inputs.version }}" + PKG_NAME="${{ env.PKG_NAME }}" + TARBALL="${PKG_NAME}-${VERSION}.tar.gz" + for f in *.tar.gz; do + [ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL" + done + echo "TARBALL=$TARBALL" >> $GITHUB_ENV + - name: Commit and tag run: | VERSION="${{ inputs.version }}" From bb043914ef82edae36aabfdd07954c52ba696118 Mon Sep 17 00:00:00 2001 
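Review bot: `VERSION="${{ inputs.version }}"` in the added "Rebuild tarball with correct checksum" step expands the workflow input into the script text before bash parses it, so a value containing shell metacharacters is interpreted as script in a job that goes on to commit and tag. Pass the input through the step environment instead: add `env:` with `VERSION: ${{ inputs.version }}` to the step, drop the assignment, and read only `"$VERSION"`. The `${{ env.TARBALL }}` and `${{ env.PKG_NAME }}` expansions in the same step can be read as `"$TARBALL"` and `"$PKG_NAME"`, since values written to `$GITHUB_ENV` are already exported to later steps. The "Commit and tag" step in the trailing context uses the same pattern and continues outside the hunk.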
From: Hugh Hackman Date: Sat, 11 Apr 2026 17:00:04 +0000 Subject: [PATCH 2/4] fix: reverse checksum/rebuild ordering per QA feedback - Move rebuild step BEFORE checksum computation - Add validation step after rebuild - Remove redundant VERSION/PKG_NAME variable reassignments - Checksum now computed from rebuilt tarball, not original --- .github/workflows/plugin-release.yaml | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index d5092a1..0a0f15d 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -205,24 +205,25 @@ jobs: tar -tzf "${{ env.TARBALL }}" | head -20 tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; } + - name: Rebuild tarball + run: | + rm -f "${{ env.TARBALL }}" + npx @kinvolk/headlamp-plugin package + for f in *.tar.gz; do + [ "$f" != "${{ env.TARBALL }}" ] && mv "$f" "${{ env.TARBALL }}" + done + + - name: Validate rebuilt tarball + run: | + tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || \ + { echo "Error: main.js not found after rebuild"; exit 1; } + - name: Compute checksum run: | CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}') echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml - - name: Rebuild tarball with correct checksum - run: | - rm -f "${{ env.TARBALL }}" - npx @kinvolk/headlamp-plugin package - VERSION="${{ inputs.version }}" - PKG_NAME="${{ env.PKG_NAME }}" - TARBALL="${PKG_NAME}-${VERSION}.tar.gz" - for f in *.tar.gz; do - [ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL" - done - echo "TARBALL=$TARBALL" >> $GITHUB_ENV - - name: Commit and tag run: | VERSION="${{ inputs.version }}" From 9c723655c4e7572469d1579fa58c1e5bb386a6f3 Mon Sep 17 00:00:00 2001 
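Review bot: The rename loop is now the last command of the "Rebuild tarball" step, and `[ "$f" != "${{ env.TARBALL }}" ] && mv ...` returns 1 when the name already matches. If the last glob match already has the expected name, the script's exit status is 1 and the step fails although nothing went wrong; the removed version was followed by an `echo`, which masked this. An `if` returns 0 when the test is false: `if [ "$f" != "$TARBALL" ]; then mv -- "$f" "$TARBALL"; fi`. The loop also renames every `*.tar.gz` in the directory onto one name, so with more than one match the last one silently wins and is the file the checksum step hashes. Failing when the glob does not yield exactly one file would make the released artifact unambiguous.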
From: Paperclip Date: Tue, 14 Apr 2026 23:55:11 +0000 Subject: [PATCH 3/4] fix: install corepack before enabling pnpm on self-hosted runners Corepack is not pre-installed on runs-on: runners-privilegedescalation, causing 'corepack: command not found' errors. Install it via 'npm install -g corepack' before using corepack commands. Fixes PRI-51. --- .github/workflows/plugin-ci.yaml | 1 + .github/workflows/plugin-release.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml index 07e8947..f719498 100644 --- a/.github/workflows/plugin-ci.yaml +++ b/.github/workflows/plugin-ci.yaml @@ -99,6 +99,7 @@ jobs: - name: Setup pnpm (via Corepack, reads version from packageManager field) if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true' run: | + npm install -g corepack corepack enable pnpm corepack install diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index 0a0f15d..f133766 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -118,6 +118,7 @@ jobs: - name: Setup pnpm (via Corepack, reads version from packageManager field) if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true' run: | + npm install -g corepack corepack enable pnpm corepack install From 04acf4a278c73d9ccd012edd53c467b5010e914e Mon Sep 17 00:00:00 2001 From: Hugh Hackman Date: Wed, 15 Apr 2026 00:20:34 +0000 Subject: [PATCH 4/4] fix: use npm audit for both package managers (retired pnpm endpoint) --- .github/workflows/plugin-ci.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml index 07e8947..919d1d1 100644 --- a/.github/workflows/plugin-ci.yaml +++ b/.github/workflows/plugin-ci.yaml 
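Review bot: `npm install -g corepack` installs whatever version the registry serves at run time, in both hunks of this patch (plugin-ci.yaml and plugin-release.yaml), so the tool that then fetches and runs pnpm for the release build is unpinned. Pin it, e.g. `npm install -g corepack@<pinned-version>`, and bump it deliberately. If these self-hosted runners are reused between jobs, a global install also persists into later jobs. Installing under a job-local prefix or baking Corepack into the runner image would avoid that. The "Setup pnpm" step starts and ends outside both hunks.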
@@ -168,8 +168,6 @@ jobs: - name: Security audit run: | - if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then - pnpm audit --prod - else - npm audit --omit=dev - fi + # npm retired the audit endpoint pnpm uses. Use npm's audit for both + # package managers to avoid 410 errors. + npm audit --omit=dev
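Review bot: `npm audit --omit=dev` needs an npm lockfile (package-lock.json or npm-shrinkwrap.json), so in a repository that commits only pnpm-lock.yaml this step will presumably error out rather than audit. Where a package-lock.json does exist, it may not describe the versions pnpm actually installs. The new comment should state that requirement, e.g. `# Requires package-lock.json; npm audit does not read pnpm-lock.yaml.` If pnpm projects are meant to stay covered, keep the pnpm branch and have it audit the pnpm lockfile with a tool that works against the current advisory endpoint, instead of dropping the branch.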