When pnpm-lock.yaml is present, use pnpm for install, lint, type-check,
format check, tests, and security audit instead of npm. Repos using npm
are unaffected (falls back to existing npm behavior).
This fixes the npm/pnpm inconsistency in headlamp-polaris-plugin where
local development uses pnpm but CI used npm, causing:
- Different transitive dependency resolution (TypeScript not hoisted)
- Different audit results (pnpm audit vs npm audit)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ARC runner scale set was recreated on 2026-03-19 with label
`runners-privilegedescalation` but all shared workflows still referenced
`local-ubuntu-latest`. This label mismatch caused startup_failure on
every Release workflow and queued CI jobs with no runner to pick them up.
Updates all 4 workflows and the actionlint config to match the current
ARC runner scale set label.
Closes#27
actions/checkout v6 was already adopted in headlamp-agent-skills.
This brings the org-level reusable workflows (plugin-ci, plugin-release,
ci-health-check) up to the same version. Affects all plugin repos that
call these shared workflows.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a security audit step (npm audit --omit=dev) to catch known
vulnerabilities in production dependencies. Runs after tests so build
failures are reported before audit findings. Uses --omit=dev to focus
on production-facing risk.
This covers all 6 plugin repos that use the shared workflow.
Hugh Hackman
Hugh Hackman