Adds 'infra' to PLUGIN_REPOS after the discovery/fallback logic so the
private infra repo is always included in CI/CD health checks regardless
of which path populated PLUGIN_REPOS.
Fixes: PRI-906
Fixes: PRI-488
Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit updates ci-health-check.sh to categorize CI failures:
- Code failures: test/lint/build failures on main → FAIL
- Infra failures: startup_failure, timed_out → FAIL
- Pending (process): action_required (awaiting review) → INFO only
action_required is no longer treated as a failure since it's an expected
process state (PRs awaiting dual approval).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
PR #115's first commit landed dynamic discovery via gh api but missed
three of the five issue requirements. This commit completes them:
- Move headlamp- prefix filtering into jq via startswith() and add
explicit exclusion for headlamp-agent-skills (skills bundle, not a
plugin), instead of relying on grep -E '^headlamp-.+'.
- Add PLUGIN_REPOS_FALLBACK with the previously hardcoded list and
use it when discovery returns empty, instead of exiting with error.
- Add header comment documenting the discovery filter and the
headlamp-agent-skills exclusion.
Verified jq filter against live API: returns 8 plugin repos, all
prefixed headlamp-, headlamp-agent-skills correctly excluded.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Use gh api --paginate to dynamically fetch all non-archived public repos
matching ^headlamp-.+ from the privilegedescalation org. This eliminates
the need to manually update the repo list when new plugins are added.
NOTE: --paginate must come before the endpoint arg, not after --jq.
The previous commit had 'gh api paginate' which is incorrect syntax.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Detects when workflow runs conclude with action_required, which indicates
GitHub's 'Require approval for first-time contributors' setting is blocking
workflow runs from the privilegedescalation-engineer[bot] GitHub App.
This is a CI pipeline blocker that prevents bot-authored PRs from advancing
through the review pipeline. See PRI-44 for the full investigation.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.ai>
- Exclude E2E Tests from CI failure count (keeps CI/CD noise separate)
- Add dedicated E2E warning line for main branch failures (PRI-494)
- Move Release failure warning outside the else block — always report it
- Update Release warning comment: graceful skip is now in place, so
failures are real errors not just missing-secrets noise
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace node -e JSON parsing with jq (available on our runners)
- Exclude Release workflow failures from FAIL count — these fail at
the post-release PR-creation step due to missing RELEASE_APP org
secrets (tracked in PRI-380), not actual CI breakage
- Demote Release failures to WARN so the health check exits 0 when
only Release is broken, giving clean signal for real CI problems
- Increase run limit from 5 to 10 for better intermittent failure detection
- Remove unnecessary Node.js setup step from the workflow
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Regression Regina
Chris Farhood
privilegedescalation-engineer[bot]