Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 6c9a4acb7f | |||
| f4e8472cb3 | |||
| bc728a753a | |||
| ae8086f38b | |||
| 1a7770b01f | |||
| 39b4eaf232 | |||
| 6f995bf6fc | |||
| a11d911948 | |||
| 1c2b97d41d | |||
| d2f1e497ef | |||
| 4f3e3e8d2c | |||
| 7f027c6ec2 |
@@ -1,3 +1,2 @@
|
|||||||
self-hosted-runner:
|
self-hosted-runner:
|
||||||
labels:
|
labels: []
|
||||||
- runners-privilegedescalation
|
|
||||||
|
|||||||
@@ -44,6 +44,9 @@ if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then
|
|||||||
PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
|
PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Private repos not visible to dynamic discovery
|
||||||
|
PLUGIN_REPOS+=("infra")
|
||||||
|
|
||||||
echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="
|
echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
health-check:
|
health-check:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v6
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ permissions:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test-detection-logic:
|
test-detection-logic:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 2
|
timeout-minutes: 2
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
@@ -21,7 +21,7 @@ jobs:
|
|||||||
run: bash scripts/test-detect-pipeline.sh
|
run: bash scripts/test-detect-pipeline.sh
|
||||||
|
|
||||||
detect-pipeline:
|
detect-pipeline:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 5
|
timeout-minutes: 5
|
||||||
outputs:
|
outputs:
|
||||||
pipeline-type: ${{ steps.detect.outputs.pipeline-type }}
|
pipeline-type: ${{ steps.detect.outputs.pipeline-type }}
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
ci:
|
ci:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 10
|
timeout-minutes: 10
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
@@ -113,6 +113,34 @@ jobs:
|
|||||||
restore-keys: |
|
restore-keys: |
|
||||||
${{ runner.os }}-pnpm-
|
${{ runner.os }}-pnpm-
|
||||||
|
|
||||||
|
- name: Validate pnpm lockfile freshness
|
||||||
|
if: steps.pkg-manager.outputs.manager == 'pnpm'
|
||||||
|
run: |
|
||||||
|
if [ ! -f "pnpm-lock.yaml" ]; then
|
||||||
|
echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
|
||||||
|
echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
|
||||||
|
ERR_FILE=$(mktemp)
|
||||||
|
if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
|
||||||
|
echo "Lockfile is fresh."
|
||||||
|
else
|
||||||
|
if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
|
||||||
|
echo ""
|
||||||
|
echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
|
||||||
|
echo "::error::This typically happens when transitive dependencies change but the lockfile wasn't regenerated."
|
||||||
|
echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
|
||||||
|
rm -f "$ERR_FILE"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
rm -f "$ERR_FILE"
|
||||||
|
echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: |
|
run: |
|
||||||
max_attempts=3
|
max_attempts=3
|
||||||
@@ -173,7 +201,7 @@ jobs:
|
|||||||
- name: Security audit
|
- name: Security audit
|
||||||
run: |
|
run: |
|
||||||
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
|
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
|
||||||
npx audit-ci --pnpm --audit-level=high
|
npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
|
||||||
else
|
else
|
||||||
npx audit-ci --npm --audit-level=high
|
npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
|
||||||
fi
|
fi
|
||||||
@@ -35,7 +35,7 @@ concurrency:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check-secrets:
|
check-secrets:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
outputs:
|
outputs:
|
||||||
ready: ${{ steps.check.outputs.ready }}
|
ready: ${{ steps.check.outputs.ready }}
|
||||||
steps:
|
steps:
|
||||||
@@ -61,7 +61,7 @@ jobs:
|
|||||||
check-token-permissions:
|
check-token-permissions:
|
||||||
needs: check-secrets
|
needs: check-secrets
|
||||||
if: needs.check-secrets.outputs.ready == 'true'
|
if: needs.check-secrets.outputs.ready == 'true'
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
outputs:
|
outputs:
|
||||||
has_write: ${{ steps.check.outputs.has_write }}
|
has_write: ${{ steps.check.outputs.has_write }}
|
||||||
steps:
|
steps:
|
||||||
@@ -101,7 +101,7 @@ jobs:
|
|||||||
check-tag:
|
check-tag:
|
||||||
needs: check-secrets
|
needs: check-secrets
|
||||||
if: needs.check-secrets.outputs.ready == 'true'
|
if: needs.check-secrets.outputs.ready == 'true'
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
outputs:
|
outputs:
|
||||||
skip: ${{ steps.check.outputs.skip }}
|
skip: ${{ steps.check.outputs.skip }}
|
||||||
steps:
|
steps:
|
||||||
@@ -121,7 +121,7 @@ jobs:
|
|||||||
release:
|
release:
|
||||||
needs: [ci, check-tag, check-secrets, check-token-permissions]
|
needs: [ci, check-tag, check-secrets, check-token-permissions]
|
||||||
if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' && needs.check-token-permissions.outputs.has_write == 'true'
|
if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' && needs.check-token-permissions.outputs.has_write == 'true'
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 10
|
timeout-minutes: 10
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
@@ -208,7 +208,11 @@ jobs:
|
|||||||
- name: Update artifacthub-pkg.yml
|
- name: Update artifacthub-pkg.yml
|
||||||
run: |
|
run: |
|
||||||
VERSION="${{ inputs.version }}"
|
VERSION="${{ inputs.version }}"
|
||||||
PKG_NAME=$(jq -r .name package.json | sed 's|^@||' | tr '/' '-')
|
if [ -f artifacthub-pkg.yml ]; then
|
||||||
|
PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
|
||||||
|
else
|
||||||
|
PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
|
||||||
|
fi
|
||||||
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
|
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
|
||||||
sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
|
sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
|
||||||
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
|
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
|
||||||
@@ -255,9 +259,13 @@ jobs:
|
|||||||
- name: Prepare release tarball
|
- name: Prepare release tarball
|
||||||
run: |
|
run: |
|
||||||
VERSION="${{ inputs.version }}"
|
VERSION="${{ inputs.version }}"
|
||||||
# headlamp-plugin strips the @ scope prefix and replaces / with - when naming tarballs.
|
# headlamp-plugin strips the @org/ prefix when naming tarballs.
|
||||||
# e.g. @privilegedescalation/headlamp-argocd-plugin -> privilegedescalation-headlamp-argocd-plugin
|
# e.g. @privilegedescalation/headlamp-argocd-plugin -> headlamp-argocd-plugin
|
||||||
PKG_NAME=$(jq -r .name package.json | sed 's|^@||' | tr '/' '-')
|
if [ -f artifacthub-pkg.yml ]; then
|
||||||
|
PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
|
||||||
|
else
|
||||||
|
PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
|
||||||
|
fi
|
||||||
TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
|
TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
|
||||||
for f in *.tar.gz; do
|
for f in *.tar.gz; do
|
||||||
[ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
|
[ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
|
||||||
@@ -302,6 +310,13 @@ jobs:
|
|||||||
git push origin "$BRANCH"
|
git push origin "$BRANCH"
|
||||||
git push origin "refs/tags/v${VERSION}"
|
git push origin "refs/tags/v${VERSION}"
|
||||||
|
|
||||||
|
- name: Generate GitHub App token
|
||||||
|
id: app-token
|
||||||
|
uses: actions/create-github-app-token@v3
|
||||||
|
with:
|
||||||
|
app-id: ${{ secrets.RELEASE_APP_ID }}
|
||||||
|
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
||||||
|
|
||||||
- name: Create GitHub Release
|
- name: Create GitHub Release
|
||||||
uses: softprops/action-gh-release@v2
|
uses: softprops/action-gh-release@v2
|
||||||
with:
|
with:
|
||||||
@@ -310,14 +325,7 @@ jobs:
|
|||||||
fail_on_unmatched_files: false
|
fail_on_unmatched_files: false
|
||||||
generate_release_notes: true
|
generate_release_notes: true
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
|
||||||
|
|
||||||
- name: Generate GitHub App token
|
|
||||||
id: app-token
|
|
||||||
uses: actions/create-github-app-token@v3
|
|
||||||
with:
|
|
||||||
app-id: ${{ secrets.RELEASE_APP_ID }}
|
|
||||||
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
|
||||||
|
|
||||||
- name: Install GitHub CLI
|
- name: Install GitHub CLI
|
||||||
run: |
|
run: |
|
||||||
@@ -346,8 +354,7 @@ jobs:
|
|||||||
--title "release: v${VERSION}" \
|
--title "release: v${VERSION}" \
|
||||||
--body "$BODY" \
|
--body "$BODY" \
|
||||||
--base main \
|
--base main \
|
||||||
--head "release/v${VERSION}" \
|
--head "release/v${VERSION}"
|
||||||
--json number --jq '.number'
|
|
||||||
# Pull the number again to handle both create and pre-existing cases
|
# Pull the number again to handle both create and pre-existing cases
|
||||||
OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
|
OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
|
||||||
else
|
else
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
validate:
|
validate:
|
||||||
runs-on: runners-privilegedescalation
|
runs-on: ubuntu-latest
|
||||||
timeout-minutes: 5
|
timeout-minutes: 5
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
{
|
{
|
||||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||||
|
"gitAuthor": "Renovate Bot <bot@renovateapp.com>",
|
||||||
"extends": ["config:recommended"],
|
"extends": ["config:recommended"],
|
||||||
"baseBranches": ["main"],
|
"baseBranches": ["main"],
|
||||||
"schedule": ["every weekend"],
|
"schedule": ["every weekend"],
|
||||||
|
|||||||
Reference in New Issue
Block a user