When pnpm-lock.yaml has overrides section, validate that lockfile is fresh before install. If stale (detected via CONFIG_MISMATCH/EBADLOCKFILE/ERR_PNPM_LOCKFILE), fail with clear error message suggesting 'pnpm install' to regenerate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When pnpm-lock.yaml has overrides section, validate that lockfile is fresh
before install. If stale (detected via CONFIG_MISMATCH), fail with clear
error message suggesting 'pnpm install' to regenerate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add --config ./audit-ci.jsonc to audit-ci step so plugin repos can
provide their own allowlist for inherited @kinvolk/headlamp-plugin
dev-dependency CVEs (CTO decision PRI-854).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
PRI-459: Adds 3-attempt retry wrapper (5s backoff) around the Install
dependencies step in plugin-ci.yaml and plugin-release.yaml to handle
transient npm/pnpm registry failures.
Co-authored-by: Chris Farhood <chris@farhood.org>
Replace pnpm audit and npm audit with audit-ci, which supports
the new npm bulk advisory endpoint (/-/npm/v1/security/advisories/bulk).
The old audit endpoints return HTTP 410 Gone.
Fixes: PRI-151
Co-authored-by: Test User <test@example.com>
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.ai>
The pnpm audit endpoint returns HTTP 410 indicating it's retired.
Skip security audit for pnpm repos to unblock CI on plugin repos.
Co-authored-by: Paperclip <noreply@paperclip.ing>
pnpm audit is available in pnpm v10+. The previous implementation
skipped the security audit for pnpm repos due to a retired endpoint,
which blocks all plugin releases that use pnpm.
The npm lockfile generation approach (npm install --package-lock-only) is
unreliable for pnpm repos that have a packageManager field: corepack
intercepts npm and the install fails, leaving no lockfile for npm audit.
Skip npm audit entirely for pnpm repos. The pnpm audit endpoint is retired
(HTTP 410) so there is no viable audit path for these repos anyway.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The previous fix (PR #92) added '2>/dev/null || true' to the npm install
command, silently swallowing failures. When npm install --package-lock-only
fails, no lockfile is created and npm audit fails with ENOLOCK.
Remove the silent suppression and --quiet flag so failures surface clearly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The pnpm registry audit endpoint is retired (HTTP 410).
Fix: for pnpm repos, run 'npm install --package-lock-only --ignore-scripts --quiet --no-audit'
to generate a package-lock.json from pnpm-lock.yaml metadata, then run npm audit.
For npm repos, continue using npm audit directly.
Use --audit-level=moderate to fail only on high/critical vulnerabilities,
not moderate ones, reducing noise from transitive dependencies.
Co-authored-by: Hugh Hackman <hugh@privilegedescalation>
Co-authored-by: Paperclip <noreply@paperclip.ing>
pnpm projects use pnpm-lock.yaml, not package-lock.json. The previous
fix switched from pnpm audit to npm audit but npm audit requires an
existing lockfile. Generate one first with npm install --package-lock-only.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Corepack is not pre-installed on runs-on: runners-privilegedescalation,
causing 'corepack: command not found' errors. Install it via
'npm install -g corepack' before using corepack commands.
Fixes PRI-51.
The regex `^\d+\.\d+\.\d+` was missing a `$` end anchor, allowing
versions like `1.2.3.4` or `1.2.3extra` to pass validation.
Fixed to `^\d+\.\d+\.\d+$` for strict X.Y.Z matching.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add a fast-fail step that validates artifacthub-pkg.yml before
the expensive build steps. Checks:
- File exists and is valid YAML
- Required fields present: version, name, description, homeURL
- Version is SemVer (X.Y.Z)
- archive-url and archive-checksum annotations are present
- archive-checksum format is sha256:<64 hex chars>
Catches corrupt or incomplete ArtifactHub manifests early in CI
before they reach the release workflow.
corepack is bundled with Node.js and only available on PATH after
actions/setup-node runs. The previous workflow ordered the corepack
enable/install step before setup-node, causing:
corepack: command not found
Fix: move setup-node to run first. Because pnpm is not installed when
setup-node runs, the built-in `cache: pnpm` cannot call `pnpm store path`.
Split pnpm caching into explicit Get/Cache steps using actions/cache@v4
after pnpm is installed via either corepack or pnpm/action-setup. npm
caching continues to use setup-node's built-in cache: npm.
Fixes polaris PR #103 CI (headlamp-polaris-plugin v1.0.0 release).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
node is not on PATH before the Setup Node step runs on ARC runners
(minimal Docker-based containers). The node -e command exits 127,
is silently swallowed by 2>/dev/null, and the || echo 'false' fallback
sets has_package_manager=false. This causes the Corepack branch to be
skipped and pnpm/action-setup@v4 to run with version:latest, which
conflicts with packageManager in package.json.
python3 is pre-installed on Ubuntu ARC runners (no setup required)
and reliably parses JSON via the stdlib json module.
Fixes pnpm version conflict on headlamp-polaris-plugin PR #103.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm/action-setup@v4 errors with "Multiple versions of pnpm specified"
even when no explicit version input is provided, if the repo has a
packageManager field in package.json.
Switch to Corepack for repos that pin their pnpm version via the
packageManager field. Corepack reads the version from package.json
directly and installs it without conflicting with pnpm/action-setup.
Repos without a packageManager field continue using pnpm/action-setup@v4
with version: latest (unchanged behavior).
Unblocks headlamp-polaris-plugin PR #103 (ci/pin-pnpm-version).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm/action-setup@v4 errors when both the `version` input and a
`packageManager` field in package.json are specified. Detect the
packageManager field during the package-manager detection step and
conditionally omit `version: latest` when it is present.
Fixes CI failures on repos using Corepack-style pnpm version pinning
(e.g. headlamp-polaris-plugin PR #103).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm/action-setup@v4 requires either a version input or a packageManager
field in package.json. Repos with pnpm-lock.yaml but no packageManager
field were failing with "No pnpm version is specified."
Adding version: latest as a fallback allows the action to install the
latest stable pnpm when packageManager is not set. Repos that do specify
packageManager in package.json continue to use their pinned version.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
When pnpm-lock.yaml is present, use pnpm for install, lint, type-check,
format check, tests, and security audit instead of npm. Repos using npm
are unaffected (falls back to existing npm behavior).
This fixes the npm/pnpm inconsistency in headlamp-polaris-plugin where
local development uses pnpm but CI used npm, causing:
- Different transitive dependency resolution (TypeScript not hoisted)
- Different audit results (pnpm audit vs npm audit)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ARC runner scale set was recreated on 2026-03-19 with label
`runners-privilegedescalation` but all shared workflows still referenced
`local-ubuntu-latest`. This label mismatch caused startup_failure on
every Release workflow and queued CI jobs with no runner to pick them up.
Updates all 4 workflows and the actionlint config to match the current
ARC runner scale set label.
Closes#27
actions/checkout v6 was already adopted in headlamp-agent-skills.
This brings the org-level reusable workflows (plugin-ci, plugin-release,
ci-health-check) up to the same version. Affects all plugin repos that
call these shared workflows.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a security audit step (npm audit --omit=dev) to catch known
vulnerabilities in production dependencies. Runs after tests so build
failures are reported before audit findings. Uses --omit=dev to focus
on production-facing risk.
This covers all 6 plugin repos that use the shared workflow.
privilegedescalation-ceo[bot]
Chris Farhood
Hugh Hackman