Prior --depth=1 fetch of $HEAD_REF fails because shallow clone
doesn't bring in the PR head branch as a ref.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The act runner container runs as root and apt-get may not be available
or require sudo. Download the pre-built binary tarball directly instead.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Three-dot diff (A...HEAD) requires merge-base lookup which fails with
--depth=1 shallow fetches. Two-dot diff (A HEAD) compares the ref directly
against HEAD without ancestor traversal.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Problem: --depth=1 fetch does not bring in the PR head branch name
as a ref, causing 'origin/gandalf/pri-1593-fix-main' to be unknown.
Fix: fetch all PR head refs with full refspec and diff against HEAD
instead of a non-existent remote branch ref.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The shallow fetch (--depth=1) does not bring the PR head branch name
as a ref, causing: fatal: ambiguous argument 'origin/gandalf/pri-1593-fix-main'.
Fix: git diff origin/$BASE_REF HEAD (already checked out at github.sha)
instead of git diff origin/$BASE_REF origin/$HEAD_REF
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The act runner container runs as root and does not have sudo
installed, causing CI job 187 to fail with "sudo: command not found".
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- pr-validation.yaml: Use env block to avoid github.head_ref/github.base_ref
as shell expressions in run block (actionlint error)
- plugin-release.yaml: Replace remaining 6x secrets.GITEA_TOKEN with
secrets.GITEA_RELEASE_TOKEN (lines 186, 218, 293, 310, 343, 401)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add env vars for HEAD_REF and BASE_REF in detect-pr-pipeline.yaml to avoid
using github.head_ref/github.base_ref directly in inline scripts (actionlint rule)
- Fix plugin-release.yaml to use secrets.GITEA_RELEASE_TOKEN instead of
undefined secrets.GITEA_TOKEN (3 occurrences)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Install wget via apt-get before using it for actionlint download.
The act runner ubuntu-latest image may not have wget pre-installed.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The act runner container does not have curl in PATH.
Using wget instead fixes the CI validate check.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merges PR #197 with conflict resolution. The PR adds a missing
`git fetch origin head_ref` step so the PR head SHA is available
before checkout. Conflict arose because PR 195 also touched this file
(changed runs-on label). Both changes are preserved.
Admin-merge authorized by PRI-1590 — bootstrap CI fix bypasses
branch-protection CI requirement by board policy.
The checkout step was missing git fetch for github.head_ref,
causing "unable to read tree" errors on PRs since the PR head SHA
is not on main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Phase 4 Gitea migration — Renovate CLI needs the endpoint URL to
connect to the self-hosted git.farh.net instance.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
BASE_REF is empty on pull_request_review events since github.base_ref
is only populated on pull_request events. The empty string hit the
case * wildcard and silently passed the promotion gate.
Add a fallback that fetches .base.ref from the PR API when BASE_REF
is empty but a PR_NUMBER is available.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds .github/workflows/renovate.yaml — scheduled Renovate run every Saturday at 02:00 UTC using create-github-app-token with RELEASE_APP_ID/RELEASE_APP_PRIVATE_KEY. Runs renovatebot/github-action@v41.0.0 with autodiscover and renovate-config.json. Includes workflow_dispatch for manual triggering.
Pipeline B infrastructure change reviewed by CTO and QA (Regression Regina).
The --json flag is not valid for gh pr create, only for read commands
like gh pr list and gh pr view. This was causing the release workflow
to fail with 'unknown flag: --json' in the Create PR step.
The PR number is correctly retrieved on the line after via gh pr list,
so no other change was needed.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds 'infra' to PLUGIN_REPOS after the discovery/fallback logic so the
private infra repo is always included in CI/CD health checks regardless
of which path populated PLUGIN_REPOS.
Fixes: PRI-906
Fixes: PRI-488
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Both the Update artifacthub-pkg.yml and Prepare release tarball steps now read PKG_NAME from artifacthub-pkg.yml when present, falling back to package.json with correct @org/ prefix stripping. This eliminates the archive-url/tarball name mismatch for 6 of 7 plugins.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When pnpm-lock.yaml has overrides section, validate that lockfile is fresh before install. If stale (detected via CONFIG_MISMATCH/EBADLOCKFILE/ERR_PNPM_LOCKFILE), fail with clear error message suggesting 'pnpm install' to regenerate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When pnpm-lock.yaml has overrides section, validate that lockfile is fresh
before install. If stale (detected via CONFIG_MISMATCH), fail with clear
error message suggesting 'pnpm install' to regenerate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The detection script was missing infra/, org/, Dockerfile,
docker-compose*, and Makefile patterns required by the SDLC spec.
Added 11 new test cases covering these patterns.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Fix subdirectory matching: use prefix match for .github/* paths
instead of exact dirname match (fixes .github/workflows/ not matching)
- Upgrade tj-actions/changed-files from v44 to v47 (Node 24 support)
- Extract detection logic into scripts/detect-pipeline.sh for testability
- Add 22 automated tests in scripts/test-detect-pipeline.sh covering
infra-only, plugin code, mixed, and edge cases
- Add test-detection-logic CI job to run tests on every PR
- Update README.md to reference v47
cc @cpfarhood
Co-Authored-By: Paperclip <noreply@paperclip.ing>
New model: no review for dev PRs, QA gates uat, UAT gates main.
Replaces the old CTO+QA dual-approval check.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
When MERGE_STATE is BLOCKED or UNKNOWN, the workflow attempts --auto
first. If that fails due to autoMergeAllowed: false on the repo, it
falls back to --admin which merges using the GitHub App token and
bypasses branch protection rules.
Resolves: PRI-497
Co-authored-by: Chris Farhood <chris@farhood.org>
Documents available tools on runners and common patterns for GitHub Actions.
Notably, clarifies that gh CLI is not available and recommends using curl
with GitHub API instead.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Adds workflow that detects Pipeline A vs Pipeline B based on changed files
- Pipeline B (infra-only): .github/, *.md, .eslintrc*, .prettierrc*, renovate.json*, .gitignore, .editorconfig, LICENSE
- Pipeline A (default): any other file changes
- Sets PR label (pipeline-a or pipeline-b) for downstream routing
- Reusable workflow can be called from any PR
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared plugin-e2e.yaml workflow lacks a Get kubeconfig step. The
ARC runner (runners-privilegedescalation) has no static kubeconfig at
any expected path (/runner/config, ~/.kube/config). It DOES have an
in-cluster service account at /var/run/secrets/kubernetes.io/serviceaccount/token.
This fix adds the same three-tier kubeconfig detection used in
headlamp-polaris-plugin#144:
1. /runner/config (not present on this runner)
2. ~/.kube/config (not present on this runner)
3. Generate from in-cluster service account credentials
This unbreaks E2E for all plugins using the shared workflow:
- headlamp-argocd-plugin
- headlamp-kube-vip-plugin
- headlamp-tns-csi-plugin
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Add --config ./audit-ci.jsonc to audit-ci step so plugin repos can
provide their own allowlist for inherited @kinvolk/headlamp-plugin
dev-dependency CVEs (CTO decision PRI-854).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit updates ci-health-check.sh to categorize CI failures:
- Code failures: test/lint/build failures on main → FAIL
- Infra failures: startup_failure, timed_out → FAIL
- Pending (process): action_required (awaiting review) → INFO only
action_required is no longer treated as a failure since it's an expected
process state (PRs awaiting dual approval).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The workflow was failing on pull_request_review events when triggered by
non-PR actors (e.g. greptile-apps[bot] commenting). The dual-approval job
would attempt to call the reusable workflow with a null PR number,
causing the reusable workflow to fail since there was no valid PR to check.
Changes:
- Guard the PR number with explicit null check: [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]
- Add validation of the reviews response before processing
- Fix jq filter to handle null pipeline values explicitly
Fixes flapping Dual Approval (CTO + QA) checks across all plugin repos.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Chris Farhood
Gandalf the Greybeard
Regression Regina
privilegedescalation-qa[bot]