Merge branch 'main' into fix/dual-approval-pr-number

.github/workflows/plugin-ci.yaml

@@ -99,6 +99,7 @@ jobs:
       - name: Setup pnpm (via Corepack, reads version from packageManager field)
         if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
         run: |
+          npm install -g corepack
           corepack enable pnpm
           corepack install
 
@@ -168,8 +169,6 @@ jobs:
 
       - name: Security audit
         run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm audit --prod
-          else
-            npm audit --omit=dev
-          fi
+          # npm retired the audit endpoint pnpm uses. Use npm's audit for both
+          # package managers to avoid 410 errors.
+          npm audit --omit=dev

.github/workflows/plugin-release.yaml

@@ -118,6 +118,7 @@ jobs:
       - name: Setup pnpm (via Corepack, reads version from packageManager field)
         if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
         run: |
+          npm install -g corepack
           corepack enable pnpm
           corepack install
 
@@ -205,6 +206,19 @@ jobs:
           tar -tzf "${{ env.TARBALL }}" | head -20
           tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
 
+      - name: Rebuild tarball
+        run: |
+          rm -f "${{ env.TARBALL }}"
+          npx @kinvolk/headlamp-plugin package
+          for f in *.tar.gz; do
+            [ "$f" != "${{ env.TARBALL }}" ] && mv "$f" "${{ env.TARBALL }}"
+          done
+
+      - name: Validate rebuilt tarball
+        run: |
+          tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || \
+            { echo "Error: main.js not found after rebuild"; exit 1; }
+
       - name: Compute checksum
         run: |
           CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')