privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: privilegedescalation/org:fix/pri-1630-runner-labels
Branches Tags
privilegedescalation/org:main privilegedescalation/org:fix/remove-plugin-release-workflow privilegedescalation/org:pri-1741-delete-shared-workflows privilegedescalation/org:ceo/restore-plugin-release-workflow privilegedescalation/org:ceo/merge-pr-67-plugin-release privilegedescalation/org:gandalf/restore-github-release-workflow privilegedescalation/org:fix/pri-1630-runner-labels privilegedescalation/org:gandalf/add-uat-skill privilegedescalation/org:nancy/sdlc-two-pipeline-routing privilegedescalation/org:master privilegedescalation/org:onboard-kubectl-karen privilegedescalation/org:chore/add-funding-yml privilegedescalation/org:cmo/kubecon-eu-2026-live-coverage privilegedescalation/org:docs/kubecon-prep-2026-03-14 privilegedescalation/org:docs/2026-03-13-status-report privilegedescalation/org:social/2026-03-12-industry-commentary privilegedescalation/org:social/kubecon-eu-2026
..
pull from: privilegedescalation/org:fix/remove-plugin-release-workflow
Branches Tags
privilegedescalation/org:main privilegedescalation/org:fix/remove-plugin-release-workflow privilegedescalation/org:pri-1741-delete-shared-workflows privilegedescalation/org:ceo/restore-plugin-release-workflow privilegedescalation/org:ceo/merge-pr-67-plugin-release privilegedescalation/org:gandalf/restore-github-release-workflow privilegedescalation/org:fix/pri-1630-runner-labels privilegedescalation/org:gandalf/add-uat-skill privilegedescalation/org:nancy/sdlc-two-pipeline-routing privilegedescalation/org:master privilegedescalation/org:onboard-kubectl-karen privilegedescalation/org:chore/add-funding-yml privilegedescalation/org:cmo/kubecon-eu-2026-live-coverage privilegedescalation/org:docs/kubecon-prep-2026-03-14 privilegedescalation/org:docs/2026-03-13-status-report privilegedescalation/org:social/2026-03-12-industry-commentary privilegedescalation/org:social/kubecon-eu-2026

39 Commits
fix/pri-1630-runner-labels .. fix/remove-plugin-release-workflow

Author SHA1 Message Date
Gandalf the Greybeard f5d570ea60 delete: remove plugin-release.yaml shared workflow from org repo (PRI-1736)
CI / ci (pull_request) Successful in 3s
Details
Promotion Gate / Promotion Gate (pull_request) Successful in 2s
Details
CI / lint (pull_request) Successful in 8s
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-22 14:16:05 +00:00
Null Pointer Nancy 1b4913c0fd Merge pull request 'feat: restore GitHub release creation in plugin-release workflow' (#70) from ceo/restore-plugin-release-workflow into main
CI / ci (push) Successful in 2s
Details
CI / lint (push) Successful in 9s
Details
2026-05-21 19:41:40 +00:00
Chris Farhood 983498765e ci: add ci job and Promotion Gate workflow to satisfy branch protection
CI / ci (pull_request) Successful in 3s
Details
Promotion Gate / Promotion Gate (pull_request) Successful in 2s
Details
CI / lint (pull_request) Successful in 8s
Details 
Branch protection on main requires three status checks:
- CI / lint (pull_request) [was already satisfied]
- CI / ci (pull_request) [new: validates JSON files]
- Promotion Gate / Promotion Gate (pull_request) [new: validates skills structure]

Adding the ci job and Promotion Gate workflow so all required checks
can pass on PRs, unblocking future merges to main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-21 19:37:01 +00:00
Chris Farhood f901d622d1 fix: remove trailing blank line from plugin-release.yaml (yamllint)
CI / lint (pull_request) Successful in 7s
Details 
yamllint max-end: 0 requires no trailing empty lines.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-21 19:14:23 +00:00
Chris Farhood ae024551bb fix: resolve pre-existing markdownlint errors blocking CI
CI / lint (pull_request) Failing after 13s
Details 
- sdlc-diagram.md: remove double blank line (MD012)
- sdlc/SKILL.md: add 'text' lang to fenced code blocks (MD040, 2 instances)
- uat/SKILL.md: add trailing newline (MD047)

These pre-existing issues were present on main and caused CI to fail
on any incoming PR.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-21 19:12:21 +00:00
Chris Farhood 1f18a1d982 feat: restore GitHub release creation in plugin-release workflow
CI / lint (pull_request) Failing after 8s
Details 
- Move Generate GitHub App token before Create GitHub Release
- Use steps.app-token.outputs.token instead of secrets.GITHUB_TOKEN

secrets.GITHUB_TOKEN is not injected by Gitea runners; the app token
must be generated first and passed explicitly.

Original work by Gandalf (commit 64b4d59, branch gandalf/restore-github-release-workflow).
Rebased onto main by CEO to resolve Gitea HTTP 500 caused by unrelated history.

Ref: PRI-1703, PRI-1702
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-21 19:10:13 +00:00
Chris Farhood d62d5da70d ci: move to .gitea/workflows and expand lint coverage
CI / lint (push) Failing after 10s
Details 
Gitea picks up workflows from .gitea/. Adds yamllint, shellcheck,
and a skill-frontmatter validation step alongside the existing
markdownlint run, so PRs catch malformed YAML, shell scripts, and
missing skill metadata before merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-21 07:14:11 -04:00
Countess von Containerheim 4c71fab41b Merge pull request 'chore: Configure Renovate' (#64) from renovate/configure into main
CI / lint (push) Failing after 3s
Details 
chore: Configure Renovate
 2026-05-20 03:03:45 +00:00
Chris Farhood 7183381140 Fix typo in GitHub authentication section 2026-05-14 07:38:58 -04:00
Chris Farhood 611334167b Update GitHub authentication instructions 
Removed note about token expiration for GitHub authentication.
 2026-05-14 07:38:45 -04:00
Chris Farhood a3bab704df Update SKILL.md 2026-05-14 07:38:30 -04:00
privilegedescalation-engineer[bot] c48eccd70c Update SDLC skill: add UAT_PLAYBOOK.md maintenance requirement (PRI-1487) 2026-05-14 04:16:25 +00:00
privilegedescalation-engineer[bot] ea1f585722 Rework UAT skill: remove per-plugin tables, reference UAT_PLAYBOOK.md 2026-05-14 04:15:34 +00:00
privilegedescalation-engineer[bot] bedef6ab6a remove test file 2026-05-14 04:14:49 +00:00
privilegedescalation-engineer[bot] 1fe4f900b0 test 2026-05-14 04:14:28 +00:00
privilegedescalation-qa[bot] 44e528c373 Add dedicated UAT skill with plugin testing procedures 
Add dedicated UAT skill with plugin testing procedures
 2026-05-14 03:15:29 +00:00
Chris Farhood c041da4847 Add dedicated UAT skill with plugin testing procedures 
- Add skills/uat/SKILL.md with concrete testing procedures for all 7 Headlamp plugins
- Update SDLC skill to reference the new uat skill for detailed procedures
- Fix namespace reference: UAT runs in headlamp-uat namespace, not privilegedescalation

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-14 03:11:28 +00:00
Chris Farhood fe3b4b90d7 docs(product-context): add headlamp-argocd-plugin to plugin inventory 
Plugin existed on GitHub but was missing from the skill inventory, causing
it to be omitted from UAT gap analysis. Count updated from 6 to 7.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-14 01:22:24 +00:00
privilegedescalation-engineer[bot] f9b3ea1882 Add renovate.json 2026-05-13 17:34:33 +00:00
Chris Farhood 40a8f3d773 Fix SDLC skill: require UUID stage/participant IDs, clarify Reviewers UI field 
The previous commit used string IDs like "qa-review" for execution policy
stages, but the API requires UUIDs and rejects non-UUID values. Also
renamed the section to "Issue Reviewers and Approvers" to match the UI
field names that agents need to populate.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-12 00:04:46 +00:00
Chris Farhood b5aa2b54a0 Add 'Issue Handoff via Execution Policy' section to SDLC skill 
- Added new section explaining how to configure executionPolicy for automated reviewer handoffs
- Documented Pipeline A execution policy with QA and UAT stages
- Documented Pipeline B execution policy with single QA stage
- Explained triggering handoffs via in_review status
- Referenced Paperclip API reference for full schema

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 23:31:52 +00:00
Chris Farhood bfe02545e5 Remove handoff protocol and status semantics from SDLC skill 
These are Paperclip platform mechanics already covered by the
Paperclip skill. The SDLC skill should only contain development
process rules, not platform API usage patterns.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 21:45:04 +00:00
Chris Farhood 0641848c4b Overhaul SDLC to three-branch promotion model 
Replace the 5-stage pipeline (CI→UAT→QA→CTO→CEO) with a three-branch
promotion chain: dev (engineer self-merge) → uat (QA gates) → main
(UAT gates). Removes CTO review stage, CEO merge bottleneck, and SLA
timelines. Each gate owner has merge authority.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 21:40:54 +00:00
Chris Farhood 40caf8cfee Remove SLA section from SDLC skill and diagram 
SLA timelines are meaningless to agents operating in heartbeats.
Removed the 48-hour PR review SLA from SKILL.md and the SLA
gantt chart from sdlc-diagram.md.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 20:56:17 +00:00
Chris Farhood da86aa7754 Add SDLC pipeline Mermaid diagram 
Visualizes both pipelines (A: plugin, B: infra), the board approval
gate, PR review SLA, handoff protocol, and issue status lifecycle.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 20:54:22 +00:00
privilegedescalation-engineer[bot] b1e2000542 fix: restore CI workflow with markdownlint config (#63) 
- Restore .github/workflows/ci.yaml that was deleted in April cleanup
- Add .markdownlint.yaml with relaxed rules for skill files
- Fix MD040 error in skills/sdlc/SKILL.md (add language to code block)
- Allows line lengths > 80, emphasis-as-headings, compact tables

Fixes CI failures on 'Merge POLICIES.md content into agent instruction bundles' commit.

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
 2026-05-11 20:22:24 +00:00
Chris Farhood d4a6141986 Add non-negotiable rule: agents must never change other agents' model configs 
Board directive (PRI-1245): agents suggesting or making model changes for
other agents due to quota exhaustion is explicitly forbidden. Quota issues
must be escalated to the board.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 19:30:03 +00:00
Chris Farhood d077c62bcb Improve CI health check script with enhanced monitoring 
Enhanced the ci-health-check.sh script to:
- Add stale repo detection (repos with no updates in 30+ days)
- Add CI workflow configuration checks
- Add color-coded output for better readability
- Track multiple failure types (CI failures, stale repos, no CI)
- Provide clearer summary reporting
- Increase CRITICAL_THRESHOLD to 3 for better filtering

This enables proactive monitoring of both CI health and repository
maintenance status across all privilegedescalation repos.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 18:48:23 +00:00
Chris Farhood 8840bd874d Fix: Disable MD004 unordered list style rule in markdownlint 
- Skill files use dashes for unordered lists, but markdownlint expects asterisks
- Disable MD004 to allow both dash and asterisk styles
- Aligns with existing exceptions for MD013, MD036, and MD060

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 18:33:02 +00:00
Chris Farhood 4c779823a0 Add CI health check script for automated failure detection 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 18:28:09 +00:00
Chris Farhood 496be01898 fix: restore CI workflow with markdownlint config 
- Restore .github/workflows/ci.yaml that was deleted in April cleanup
- Add .markdownlint.yaml with relaxed rules for skill files
- Fix MD040 error in skills/sdlc/SKILL.md (add language to code block)
- Allows line lengths > 80, emphasis-as-headings, compact tables

Fixes CI failures on 'Merge POLICIES.md content into agent instruction bundles' commit.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-11 18:28:09 +00:00
Chris Farhood 64269836f2 Merge pull request #59 from privilegedescalation/gandalf/safety-anti-impersonation-rules 2026-05-09 12:43:01 -04:00
Chris Farhood a03256c231 Update safety skill: add anti-impersonation and role-boundary rules 
Following PRI-737 investigation, add two rules to skills/safety/SKILL.md:

1. Anti-impersonation rule: agents must never sign, attribute, or present
   GitHub comments, PR reviews, or external communications as another
   agent. Every comment must accurately identify the authoring agent.

2. Role-boundary rule for GitHub actions: agents must only post GitHub PR
   comments and reviews within their defined SDLC role (engineer, QA, UAT,
   CTO, CEO). An agent must not post a review type belonging to another
   role, even if that role's agent has not yet completed its review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-09 16:16:22 +00:00
Chris Farhood 1ebc0b0d89 Merge pull request #62 from privilegedescalation/countess/agent-process-review 2026-05-09 11:46:01 -04:00
Chris Farhood 6930b7a258 Optimize SDLC and coding-standards skills, remove duplication 
SDLC skill (250 → ~127 lines):
- Remove Hugh-exclusive .github/workflows/ language; engineers share access
- Condense 48-hour SLA from 38 to 8 lines
- Replace verbose 5-stage pipeline description with compact diagrams
- Condense handoff protocol from 17 to 5 lines
- Remove status transition rules table (redundant with handoff protocol)
- Remove agent roster (agents have UUIDs in their own AGENTS.md)
- Remove work distribution section (redundant with agent instructions)

Coding-standards skill:
- Add SemVer, ArtifactHub distribution, ghcr.io registry rules
- Add Renovate/Dependabot, no-package-mirrors, npm-audit rules
- These were previously only in individual AGENTS.md files

Part of PRI-1094 — agent and process review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-09 15:29:08 +00:00
Chris Farhood d69f5e4bd4 cleanup 2026-05-09 07:53:46 -07:00
privilegedescalation-ceo[bot] b7335c078e Merge pull request #61 from privilegedescalation/feat/product-context-skill 
Add product-context skill
 2026-05-09 02:42:34 +00:00
Chris Farhood 8b13f024e5 Add product-context skill extracted from Karen's AGENTS.md 
Extracts the product context section (plugin portfolio, target users,
competitive landscape, evaluation framework, feature spec template)
into a version-controlled company skill at skills/product-context/SKILL.md.
Updates CLAUDE.md with skill documentation and loading order.

Part of PRI-1094 — agent and process review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-09 00:50:27 +00:00
Chris Farhood 12ccf82454 Revise PR review SLA: remove threat language, focus on visibility and process 
Replace dismissal-threat framing with operational consequences:
- 24h: public visibility + status flag
- 48h: merge queue block + escalation
- 72h+: blocks release if critical-path
- Exceptions: documented hand-off, not absolute prohibition

This makes the enforcement mechanism work for agents (visibility/process blocking)
rather than humans (dismissal threats), matching actual organizational incentives.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
 2026-05-05 10:53:13 +00:00
32 changed files with 857 additions and 1510 deletions
Expand all files Collapse all files
.gitea/workflows/ci.yaml
+56
View File
@@ -0,0 +1,56 @@
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install linters
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends shellcheck yamllint
- name: Lint Markdown
uses: DavidAnson/markdownlint-cli2-action@v19
with:
globs: "**/*.md"
- name: Lint YAML
run: yamllint .
- name: Shellcheck
run: shellcheck scripts/*.sh
- name: Validate skill frontmatter
run: |
set -e
fail=0
for f in skills/*/SKILL.md; do
fm=$(awk 'BEGIN{c=0} /^---$/{c++; next} c==1{print} c>=2{exit}' "$f")
for key in name description; do
if ! printf '%s\n' "$fm" | grep -qE "^${key}:[[:space:]]"; then
echo "::error file=${f}::missing '${key}' in YAML frontmatter"
fail=1
fi
done
done
exit $fail
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate JSON files
run: |
find . -name "*.json" -not -path "./.git/*" | while read -r f; do
python3 -m json.tool "$f" > /dev/null || { echo "::error file=$f::Invalid JSON"; exit 1; }
done
echo "All JSON files valid"
.gitea/workflows/promotion-gate.yaml
+24
View File
@@ -0,0 +1,24 @@
name: Promotion Gate
on:
pull_request:
branches: [main]
jobs:
promotion_gate:
name: Promotion Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate skills directory structure
run: |
set -e
fail=0
for dir in skills/*/; do
if [ ! -f "${dir}SKILL.md" ]; then
echo "::error::Missing SKILL.md in ${dir}"
fail=1
fi
done
exit $fail
.github/FUNDING.yml
-1
View File
@@ -1 +0,0 @@
github: [privilegedescalation]
.github/actionlint.yaml
-2
View File
@@ -1,2 +0,0 @@
self-hosted-runner:
labels: []
.github/scripts/ci-health-check.sh
-132
View File
@@ -1,132 +0,0 @@
#!/usr/bin/env bash
# ci-health-check.sh — Scan all privilegedescalation repos for CI/CD health
# Run from: /paperclip/privilegedescalation/engineering/hugh
# Requires: GH_TOKEN set (use: export GH_TOKEN=$(bash ./get-github-token.sh))
#
# Plugin repo discovery
# ---------------------
# PLUGIN_REPOS is populated dynamically from the GitHub org so newly created
# plugin repos are picked up automatically. The filter is:
# - non-archived, public repos in the privilegedescalation org
# - name starts with "headlamp-"
# - excludes "headlamp-agent-skills" (skills bundle, not a Headlamp plugin)
# If discovery fails (network error, GH_TOKEN missing, API outage), we fall
# back to a hardcoded list so the health check still produces a useful report.
#
# Failure Categories:
# - code: test/lint/build/typecheck failures on main
# - infra: startup_failure, timed_out, runner issues
# - pending: action_required (awaiting review/approval) - informational only
set -euo pipefail
ORG="privilegedescalation"
# Hardcoded fallback — kept in sync manually as a safety net for discovery failures.
PLUGIN_REPOS_FALLBACK=(
headlamp-polaris-plugin
headlamp-rook-plugin
headlamp-sealed-secrets-plugin
headlamp-intel-gpu-plugin
headlamp-tns-csi-plugin
headlamp-kube-vip-plugin
headlamp-plugin-template
headlamp-argocd-plugin
)
mapfile -t PLUGIN_REPOS < <(
gh api --paginate "orgs/${ORG}/repos" \
--jq '.[] | select(.archived == false and .visibility == "public" and (.name | startswith("headlamp-")) and .name != "headlamp-agent-skills") | .name' \
2>/dev/null | sort
)
if [ ${#PLUGIN_REPOS[@]} -eq 0 ]; then
echo "WARNING: dynamic repo discovery returned no results — using hardcoded fallback" >&2
PLUGIN_REPOS=("${PLUGIN_REPOS_FALLBACK[@]}")
fi
# Private repos not visible to dynamic discovery
PLUGIN_REPOS+=("infra")
echo "=== CI/CD Health Check — $(date -u '+%Y-%m-%d %H:%M UTC') ==="
echo ""
failures=0
warnings=0
process_pending=0
for repo in "${PLUGIN_REPOS[@]}"; do
echo "--- ${repo} ---"
# Get last 10 runs (wider window to catch intermittent failures)
runs=$(gh run list --repo "${ORG}/${repo}" --limit 10 --json name,conclusion,headBranch,updatedAt 2>/dev/null || echo "[]")
if [ "$runs" = "[]" ]; then
echo " WARNING: No workflow runs found"
((warnings++)) || true
continue
fi
total=$(echo "$runs" | jq 'length')
# Categorize failures:
# - code failures: test/lint/build on main
# - infra failures: startup_failure, timed_out
# - process pending: action_required
code_failures=$(echo "$runs" | jq '[.[] | select(.headBranch=="main" and .conclusion=="failure" and .name!="Release" and .name!="E2E Tests")] | length')
infra_failures=$(echo "$runs" | jq '[.[] | select(.conclusion=="startup_failure" or .conclusion=="timed_out")] | length')
action_required=$(echo "$runs" | jq '[.[] | select(.conclusion=="action_required")] | length')
if [ "$code_failures" -gt 0 ]; then
echo " FAIL (code): ${code_failures} CI failure(s) in last ${total} runs on main:"
echo "$runs" | jq -r '.[] | select(.headBranch=="main" and .conclusion=="failure" and .name!="Release" and .name!="E2E Tests") | " - \(.name) (\(.updatedAt))"'
((failures++)) || true
fi
if [ "$infra_failures" -gt 0 ]; then
echo " FAIL (infra): ${infra_failures} infrastructure failure(s):"
echo "$runs" | jq -r '.[] | select(.conclusion=="startup_failure" or .conclusion=="timed_out") | " - \(.name): \(.conclusion) (\(.updatedAt))"'
((failures++)) || true
fi
if [ "$code_failures" -eq 0 ] && [ "$infra_failures" -eq 0 ]; then
echo " OK: CI passing on main"
fi
# Process pending — informational only (awaiting review/approval)
if [ "$action_required" -gt 0 ]; then
echo " INFO: ${action_required} workflow run(s) awaiting action (dual approval, review, etc.):"
echo "$runs" | jq -r '.[] | select(.conclusion=="action_required") | " - \(.name) on \(.headBranch) (\(.updatedAt))"'
((process_pending++)) || true
fi
# Surface E2E test failures as warnings (infra blocker: RBAC not yet applied — PRI-494)
e2e_failures=$(echo "$runs" | jq '[.[] | select(.headBranch=="main" and .name=="E2E Tests" and .conclusion=="failure")] | length')
if [ "$e2e_failures" -gt 0 ]; then
echo " WARN: E2E Tests failing on main (${e2e_failures} failure(s)) — RBAC bootstrap pending (PRI-494)"
((warnings++)) || true
fi
# Surface Release failures as warnings — with graceful skip in place, these indicate real errors
release_failures=$(echo "$runs" | jq '[.[] | select(.name=="Release" and .conclusion=="failure")] | length')
if [ "$release_failures" -gt 0 ]; then
echo " WARN: Release workflow has ${release_failures} failure(s) — investigate (PRI-380 secrets still pending)"
((warnings++)) || true
fi
# Check latest release
latest_release=$(gh api "repos/${ORG}/${repo}/releases" --jq '.[0].tag_name // "none"' 2>/dev/null || echo "error")
echo " Latest release: ${latest_release}"
echo ""
done
echo "=== Summary ==="
echo "Repos scanned: ${#PLUGIN_REPOS[@]}"
echo "With failures: ${failures}"
echo "With warnings: ${warnings}"
echo "With pending approval: ${process_pending}"
if [ "$failures" -gt 0 ]; then
exit 1
fi
.github/workflows/README.md
-84
View File
@@ -1,84 +0,0 @@
# GitHub Actions Workflows
This directory contains reusable and repo-specific GitHub Actions workflows for the privilegedescalation organization.
## Available Tools on Runners
### Always Available
- `curl` - HTTP client (use this instead of `gh` CLI for API calls)
- `jq` - JSON processor
- `bash` - Shell
- `git` - Version control
- `docker` / `podman` - Container runtime (depending on runner)
### NOT Available (must install if needed)
- `gh` CLI - GitHub CLI is **not** pre-installed on runners. Use `curl` with the GitHub API instead.
## Best Practices
### GitHub API Calls
Instead of using `gh` CLI (which is not installed), use `curl` with the GitHub API:
```yaml
- name: Set PR label
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
curl -sf \
-X POST \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/labels" \
-d '{"labels":["label-name"]}'
```
### Workflow Validation
Run actionlint locally before pushing:
```bash
actionlint -color .github/workflows/*.yaml
```
### Reusable Workflows
- `plugin-ci.yaml` - Standard CI for Headlamp plugins
- `plugin-e2e.yaml` - E2E testing for Headlamp plugins
- `dual-approval-check.yaml` - Checks for CTO and QA approval
- `detect-pr-pipeline.yaml` - Detects Pipeline A vs Pipeline B based on changed files
## Workflow Naming Convention
- Use kebab-case: `my-workflow.yaml`
- Be descriptive: `plugin-ci.yaml` not `ci.yaml`
- For reusable workflows, keep the name clear about its purpose
## Required Gates
All PRs must pass:
1. `actionlint` validation (workflow YAML syntax)
2. Shell script validation (if scripts are used)
3. Any repo-specific CI checks
## Common Patterns
### Getting Changed Files
Use `tj-actions/changed-files`:
```yaml
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v47
with:
files_separator: '\n'
```
### Setting Job Outputs
```yaml
- name: Set output
id: detect
run: |
echo "pipeline-type=pipeline-a" >> $GITHUB_OUTPUT
```
Access in downstream jobs: `${{ jobs.job-name.outputs.pipeline-type }}`
.github/workflows/ci-health-check.yaml
-33
View File
@@ -1,33 +0,0 @@
name: CI/CD Health Check
on:
schedule:
- cron: '0 8 * * 1-5' # Every weekday at 8 AM UTC
workflow_dispatch:
jobs:
health-check:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v3
continue-on-error: true
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: privilegedescalation
- name: Run CI/CD health check
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
run: |
if [ "${{ steps.app-token.outcome }}" = "success" ]; then
echo "Using GitHub App token for cross-repo access"
else
echo "::warning::RELEASE_APP_ID not configured — using GITHUB_TOKEN. Cross-repo workflow run data will be unavailable. Configure RELEASE_APP_ID org secret to enable full health check."
fi
./.github/scripts/ci-health-check.sh
.github/workflows/detect-pr-pipeline.yaml
-65
View File
@@ -1,65 +0,0 @@
name: Detect PR Pipeline Type
on:
pull_request:
branches: [main, dev, uat]
workflow_call:
permissions:
contents: read
pull-requests: write
jobs:
test-detection-logic:
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Run detection tests
run: bash scripts/test-detect-pipeline.sh
detect-pipeline:
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
pipeline-type: ${{ steps.detect.outputs.pipeline-type }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v47
with:
files_separator: '\n'
- name: Detect pipeline type
id: detect
run: |
echo "Changed files:"
echo "${{ steps.changed-files.outputs.all_changed_files }}"
pipeline=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | bash scripts/detect-pipeline.sh)
echo "pipeline-type=$pipeline" >> $GITHUB_OUTPUT
echo "Detected pipeline: $pipeline"
- name: Set PR label
if: github.event_name == 'pull_request'
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PIPELINE_TYPE: ${{ steps.detect.outputs.pipeline-type }}
run: |
curl -sf \
-X POST \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/labels" \
-d "{\"labels\":[\"${PIPELINE_TYPE}\"]}"
.github/workflows/dual-approval-check.yaml
-85
View File
@@ -1,85 +0,0 @@
name: Promotion Gate
on:
workflow_call:
inputs:
pr_number:
description: "Pull request number"
required: false
type: number
jobs:
promotion-gate:
name: Promotion Gate
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check promotion approval
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ inputs.pr_number }}
REPO: ${{ github.repository }}
BASE_REF: ${{ github.base_ref }}
run: |
if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
echo "::notice::No PR number in context. Skipping promotion gate."
exit 0
fi
echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
# Determine required reviewer based on target branch
case "${BASE_REF}" in
dev)
echo "Target is dev — no review required. Engineers self-merge."
exit 0
;;
uat)
REQUIRED_REVIEWER="privilegedescalation-qa"
GATE_NAME="QA"
;;
main)
REQUIRED_REVIEWER="privilegedescalation-qa"
GATE_NAME="QA"
# For plugin repos (Pipeline A), UAT approval is needed for uat→main
# Check if the source branch is uat
SOURCE_REF=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
if [ "${SOURCE_REF}" = "uat" ]; then
REQUIRED_REVIEWER="privilegedescalation-uat"
GATE_NAME="UAT"
fi
;;
*)
echo "::notice::Target branch '${BASE_REF}' has no promotion gate configured."
exit 0
;;
esac
echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
REVIEWS=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
exit 1
fi
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
if [ "${REVIEWER_APPROVED}" = "true" ]; then
echo "Promotion gate passed: ${GATE_NAME} has approved."
else
echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}."
exit 1
fi
.github/workflows/plugin-ci.yaml
-207
View File
@@ -1,207 +0,0 @@
name: Plugin CI
on:
workflow_call:
inputs:
node-version:
description: 'Node.js version to use'
required: false
type: string
default: '22'
jobs:
ci:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Validate artifacthub-pkg.yml
run: |
python3 - <<'EOF'
import sys, re
try:
import yaml
except ImportError:
print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
sys.exit(0)
try:
with open("artifacthub-pkg.yml") as f:
pkg = yaml.safe_load(f)
except FileNotFoundError:
print("::error::artifacthub-pkg.yml not found")
sys.exit(1)
except yaml.YAMLError as e:
print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
sys.exit(1)
errors = []
for field in ["version", "name", "description", "homeURL"]:
if not pkg.get(field):
errors.append(f"Missing required field: {field}")
version = pkg.get("version", "")
if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
annotations = pkg.get("annotations", {}) or {}
archive_url = annotations.get("headlamp/plugin/archive-url", "")
archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
if not archive_url:
errors.append("Missing annotation: headlamp/plugin/archive-url")
if not archive_checksum:
errors.append("Missing annotation: headlamp/plugin/archive-checksum")
elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
if errors:
for e in errors:
print(f"::error::{e}")
sys.exit(1)
print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
EOF
- name: Detect package manager
id: pkg-manager
run: |
if [ -f "pnpm-lock.yaml" ]; then
echo "manager=pnpm" >> $GITHUB_OUTPUT
PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
else
echo "manager=npm" >> $GITHUB_OUTPUT
echo "has_package_manager=false" >> $GITHUB_OUTPUT
fi
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: ${{ inputs.node-version }}
cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
- name: Setup pnpm (via Corepack, reads version from packageManager field)
if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
run: |
npm install -g corepack
corepack enable pnpm
corepack install
- name: Setup pnpm (version latest)
if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
uses: pnpm/action-setup@v5
with:
run_install: false
version: latest
- name: Get pnpm store directory
id: pnpm-store
if: steps.pkg-manager.outputs.manager == 'pnpm'
run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
- name: Cache pnpm store
if: steps.pkg-manager.outputs.manager == 'pnpm'
uses: actions/cache@v5
with:
path: ${{ steps.pnpm-store.outputs.dir }}
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Validate pnpm lockfile freshness
if: steps.pkg-manager.outputs.manager == 'pnpm'
run: |
if [ ! -f "pnpm-lock.yaml" ]; then
echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
exit 0
fi
if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
exit 0
fi
echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
ERR_FILE=$(mktemp)
if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
echo "Lockfile is fresh."
else
if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
echo ""
echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
echo "::error::This typically happens when transitive dependencies change but the lockfile wasn't regenerated."
echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
rm -f "$ERR_FILE"
exit 1
fi
rm -f "$ERR_FILE"
echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
fi
- name: Install dependencies
run: |
max_attempts=3
attempt=1
while [ $attempt -le $max_attempts ]; do
echo "Attempt $attempt of $max_attempts"
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm install --frozen-lockfile && break
else
npm ci && break
fi
if [ $attempt -lt $max_attempts ]; then
echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
sleep 5
fi
attempt=$((attempt + 1))
done
if [ $attempt -gt $max_attempts ]; then
echo "::error::Install step failed after $max_attempts attempts."
exit 1
fi
- name: Build plugin
run: npx @kinvolk/headlamp-plugin build
- name: Lint
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm run lint
else
npm run lint
fi
- name: Type-check
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm run tsc
else
npm run tsc
fi
- name: Format check
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm run format:check
else
npm run format:check
fi
- name: Run tests
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm test
else
npm test
fi
- name: Security audit
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
else
npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
fi
.github/workflows/plugin-release.yaml
-440
View File
@@ -1,440 +0,0 @@
name: Plugin Release
on:
workflow_call:
inputs:
version:
description: 'Release version (e.g. 1.0.0)'
required: true
type: string
node-version:
description: 'Node.js version to use'
required: false
type: string
default: '22'
upstream-repo:
description: 'Upstream repo to fetch appVersion from (e.g. fenio/tns-csi). Leave empty to skip.'
required: false
type: string
default: ''
secrets:
RELEASE_APP_ID:
description: 'GitHub App ID for creating PRs (org blocks GITHUB_TOKEN from creating PRs)'
required: true
RELEASE_APP_PRIVATE_KEY:
description: 'GitHub App private key (PEM format)'
required: true
permissions:
contents: write
pull-requests: write
concurrency:
group: release
cancel-in-progress: false
jobs:
check-secrets:
runs-on: ubuntu-latest
outputs:
ready: ${{ steps.check.outputs.ready }}
steps:
- name: Verify RELEASE_APP_ID is configured
id: check
env:
RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
run: |
if [ -z "$RELEASE_APP_ID" ]; then
echo "::notice::RELEASE_APP_ID org secret is not configured (see PRI-380). Release skipped — no artifacts will be created."
echo "ready=false" >> $GITHUB_OUTPUT
else
echo "ready=true" >> $GITHUB_OUTPUT
fi
ci:
needs: check-secrets
if: needs.check-secrets.outputs.ready == 'true'
uses: ./.github/workflows/plugin-ci.yaml
with:
node-version: ${{ inputs.node-version }}
check-token-permissions:
needs: check-secrets
if: needs.check-secrets.outputs.ready == 'true'
runs-on: ubuntu-latest
outputs:
has_write: ${{ steps.check.outputs.has_write }}
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- name: Check write permissions via API
id: check
run: |
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST \
-H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/${{ github.repository }}/git/refs" \
-d '{"ref":"refs/heads/_release_check","sha":"${{ github.sha }}"}')
if [ "$HTTP_CODE" = "201" ]; then
echo "::notice::Token has write permission — cleaning up test ref."
curl -s -o /dev/null -w "%{http_code}" \
-X DELETE \
-H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
"https://api.github.com/repos/${{ github.repository }}/git/refs/heads/_release_check"
echo "has_write=true" >> $GITHUB_OUTPUT
elif [ "$HTTP_CODE" = "403" ]; then
echo "::error::Token lacks write permission. Release cannot push tags or branches."
echo "has_write=false" >> $GITHUB_OUTPUT
exit 1
else
echo "::warning::Unexpected response ($HTTP_CODE) when checking write permission."
echo "has_write=false" >> $GITHUB_OUTPUT
exit 1
fi
check-tag:
needs: check-secrets
if: needs.check-secrets.outputs.ready == 'true'
runs-on: ubuntu-latest
outputs:
skip: ${{ steps.check.outputs.skip }}
steps:
- name: Check if tag already exists
id: check
run: |
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${{ github.token }}" \
"https://api.github.com/repos/${{ github.repository }}/git/refs/tags/v${{ inputs.version }}")
if [ "$HTTP_CODE" = "200" ]; then
echo "::notice::Tag v${{ inputs.version }} already exists. Release skipped (not an error)."
echo "skip=true" >> $GITHUB_OUTPUT
else
echo "skip=false" >> $GITHUB_OUTPUT
fi
release:
needs: [ci, check-tag, check-secrets, check-token-permissions]
if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' && needs.check-token-permissions.outputs.has_write == 'true'
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Validate version format
run: |
if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Error: Version must be in X.Y.Z format"
exit 1
fi
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Detect package manager
id: pkg-manager
run: |
if [ -f "pnpm-lock.yaml" ]; then
echo "manager=pnpm" >> $GITHUB_OUTPUT
echo "lockfile=pnpm-lock.yaml" >> $GITHUB_OUTPUT
# Check for packageManager field in package.json (Corepack pinning).
# pnpm/action-setup@v5 errors when packageManager is absent and no version
# is specified, so use Corepack for repos that have the field pinned and
# fall back to pnpm/action-setup with version: latest for repos that don't.
PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
else
echo "manager=npm" >> $GITHUB_OUTPUT
echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT
echo "has_package_manager=false" >> $GITHUB_OUTPUT
fi
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: ${{ inputs.node-version }}
# Only enable built-in npm caching here; pnpm caching is handled below
# after pnpm is installed (corepack is not available before setup-node).
cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
- name: Setup pnpm (via Corepack, reads version from packageManager field)
if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
run: |
npm install -g corepack
corepack enable pnpm
corepack install
- name: Setup pnpm (version latest)
if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
uses: pnpm/action-setup@v5
with:
run_install: false
version: latest
- name: Get pnpm store directory
id: pnpm-store
if: steps.pkg-manager.outputs.manager == 'pnpm'
run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
- name: Cache pnpm store
if: steps.pkg-manager.outputs.manager == 'pnpm'
uses: actions/cache@v5
with:
path: ${{ steps.pnpm-store.outputs.dir }}
key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-
- name: Configure Git
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Update version in package.json
run: |
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm version ${{ inputs.version }} --no-git-tag-version --allow-same-version
else
npm version ${{ inputs.version }} --no-git-tag-version --allow-same-version
fi
- name: Update artifacthub-pkg.yml
run: |
VERSION="${{ inputs.version }}"
if [ -f artifacthub-pkg.yml ]; then
PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
else
PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
fi
RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
- name: Update appVersion from upstream release
if: inputs.upstream-repo != ''
run: |
APP_VERSION=$(curl -sf "https://api.github.com/repos/${{ inputs.upstream-repo }}/releases/latest" | jq -r '.tag_name | ltrimstr("v")')
if [ -z "$APP_VERSION" ] || [ "$APP_VERSION" = "null" ]; then
echo "::warning::Could not fetch latest upstream release, skipping appVersion update"
else
sed -i "s|^appVersion:.*|appVersion: \"${APP_VERSION}\"|" artifacthub-pkg.yml
echo "appVersion set to ${APP_VERSION}"
fi
- name: Install dependencies
run: |
max_attempts=3
attempt=1
while [ $attempt -le $max_attempts ]; do
echo "Attempt $attempt of $max_attempts"
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
pnpm install --frozen-lockfile && break
else
npm ci && break
fi
if [ $attempt -lt $max_attempts ]; then
echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
sleep 5
fi
attempt=$((attempt + 1))
done
if [ $attempt -gt $max_attempts ]; then
echo "::error::Install step failed after $max_attempts attempts."
exit 1
fi
- name: Build plugin
run: npx @kinvolk/headlamp-plugin build
- name: Package plugin
run: npx @kinvolk/headlamp-plugin package
- name: Prepare release tarball
run: |
VERSION="${{ inputs.version }}"
# headlamp-plugin strips the @org/ prefix when naming tarballs.
# e.g. @privilegedescalation/headlamp-argocd-plugin -> headlamp-argocd-plugin
if [ -f artifacthub-pkg.yml ]; then
PKG_NAME=$(grep '^name:' artifacthub-pkg.yml | cut -d: -f2 | tr -d ' "')
else
PKG_NAME=$(jq -r .name package.json | sed 's|^@[^/]*/||')
fi
TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
for f in *.tar.gz; do
[ "$f" != "$TARBALL" ] && mv "$f" "$TARBALL"
done
if [ ! -f "$TARBALL" ]; then
echo "Error: Expected tarball $TARBALL not found"
ls -la *.tar.gz 2>/dev/null || echo "No .tar.gz files found"
exit 1
fi
echo "TARBALL=$TARBALL" >> $GITHUB_ENV
echo "PKG_NAME=$PKG_NAME" >> $GITHUB_ENV
- name: Validate tarball
run: |
echo "Tarball: ${{ env.TARBALL }}"
ls -lh "${{ env.TARBALL }}"
tar -tzf "${{ env.TARBALL }}" | head -20
tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
- name: Compute checksum
run: |
CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
- name: Commit and tag
run: |
VERSION="${{ inputs.version }}"
BRANCH="release/v${VERSION}"
# If the release branch already exists (e.g. from a failed prior run),
# delete it so the re-trigger can proceed cleanly. The check-tag job
# above already skips when the tag exists, so we only reach here when
# the tag does NOT exist yet — safe to remove a stale branch.
if git ls-remote --exit-code origin "refs/heads/$BRANCH" 2>/dev/null; then
echo "::notice::Branch $BRANCH already exists — deleting for clean re-trigger."
git push origin --delete "$BRANCH"
fi
git checkout -b "$BRANCH"
git add package.json "${{ steps.pkg-manager.outputs.lockfile }}" artifacthub-pkg.yml
git commit -m "release: v${VERSION}"
git tag "v${VERSION}"
git push origin "$BRANCH"
git push origin "refs/tags/v${VERSION}"
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: "v${{ inputs.version }}"
files: ${{ env.TARBALL }}
fail_on_unmatched_files: false
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
- name: Install GitHub CLI
run: |
if ! command -v gh &>/dev/null; then
GH_VERSION="2.74.0"
curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o /tmp/gh.tar.gz
tar -xzf /tmp/gh.tar.gz -C /tmp
mkdir -p "$HOME/.local/bin"
mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" "$HOME/.local/bin/gh"
rm -rf /tmp/gh.tar.gz "/tmp/gh_${GH_VERSION}_linux_amd64"
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
"$HOME/.local/bin/gh" --version
fi
- name: Create PR for version bump
run: |
set -o pipefail
VERSION="${{ inputs.version }}"
BODY=$(printf "Automated version bump and checksum update for v%s.\n\ncc @cpfarhood" "${VERSION}")
# Create PR only if an OPEN one doesn't already exist.
# Note: gh pr view also finds MERGED PRs; we must check for open ones explicitly
# so that a re-trigger after a stale-branch delete creates a fresh PR.
OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
if [ -z "$OPEN_PR" ]; then
gh pr create \
--title "release: v${VERSION}" \
--body "$BODY" \
--base main \
--head "release/v${VERSION}"
# Pull the number again to handle both create and pre-existing cases
OPEN_PR=$(gh pr list --base main --head "release/v${VERSION}" --state open --json number --jq '.[0].number' 2>/dev/null)
else
echo "::notice::Open PR #${OPEN_PR} for release/v${VERSION} already exists — skipping creation."
fi
# Guard: ensure we have a PR number before proceeding
if [ -z "$OPEN_PR" ]; then
echo "::error::Could not determine PR number for release/v${VERSION}."
exit 1
fi
echo "::notice::Working with PR #${OPEN_PR}"
# Check if PR was already merged (idempotency — safe to re-trigger after a stale branch)
MERGED_CHECK=$(gh pr view "$OPEN_PR" --json state --jq '.state' 2>/dev/null)
if [ "$MERGED_CHECK" = "MERGED" ]; then
echo "::notice::PR #${OPEN_PR} was already merged. Nothing to do."
exit 0
fi
# Determine whether to use --auto or not based on current status.
# Retry the status check up to 3 times with exponential back-off when
# GitHub is still computing the merge state (UNKNOWN state).
MAX_RETRIES=3
BACKOFF=3
MERGE_STATE=""
for i in $(seq 1 $MAX_RETRIES); do
MERGE_STATE=$(gh pr view "$OPEN_PR" --json mergeStateStatus --jq '.mergeStateStatus' 2>/dev/null)
if [ "$MERGE_STATE" != "UNKNOWN" ]; then
break
fi
if [ $i -lt $MAX_RETRIES ]; then
echo "PR merge state is UNKNOWN (GitHub still computing). Retry ${i}/${MAX_RETRIES} in ${BACKOFF}s..."
sleep $BACKOFF
BACKOFF=$((BACKOFF * 2))
fi
done
if [ "$MERGE_STATE" = "BLOCKED" ] || [ "$MERGE_STATE" = "UNKNOWN" ]; then
echo "PR is $MERGE_STATE — attempting auto-merge (safe fallback, waits for branch protection checks)."
if gh pr merge "$OPEN_PR" --auto --squash --delete-branch 2>&1; then
echo "Auto-merge initiated successfully."
else
AUTO_MERGE_ERR=$?
# If --auto failed because auto-merge is disabled for this repo
# (autoMergeAllowed: false), fall back to --admin which merges
# regardless of branch protection rules. --admin requires GitHub
# App token, not GITHUB_TOKEN, so GH_TOKEN is already correct.
if gh pr merge "$OPEN_PR" --admin --squash --delete-branch 2>&1; then
echo "Auto-merge unavailable (autoMergeAllowed: false) — merged via --admin."
else
echo "::error::Both --auto and --admin merge failed. Exiting."
exit 1
fi
fi
else
echo "PR is $MERGE_STATE — merging directly."
gh pr merge "$OPEN_PR" --squash --delete-branch
fi
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
- name: Verify checksums are consistent (main == tag == tarball)
run: |
VERSION="${{ inputs.version }}"
TARBALL_CS=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
# Checksum recorded in the tag's artifacthub-pkg.yml
TAG_CS=$(git show "v${VERSION}:artifacthub-pkg.yml" 2>/dev/null | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
# Checksum now on main (after PR merge)
MAIN_CS=$(git fetch origin main 2>/dev/null; git show "origin/main:artifacthub-pkg.yml" | grep "archive-checksum" | awk '{print $2}' | sed 's/sha256://')
echo "Tarball SHA256 : $TARBALL_CS"
echo "Tag artifacthub: $TAG_CS"
echo "Main artifacthub: $MAIN_CS"
FAIL=0
[ "$TARBALL_CS" != "$TAG_CS" ] && echo "ERROR: tag checksum mismatch!" && FAIL=1
[ "$TARBALL_CS" != "$MAIN_CS" ] && echo "ERROR: main checksum mismatch!" && FAIL=1
[ "$FAIL" = "1" ] && exit 1
echo "All checksums consistent — ArtifactHub will index correctly."
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
.github/workflows/pr-validation.yaml
-40
View File
@@ -1,40 +0,0 @@
name: PR Validation
on:
pull_request:
branches: [main]
jobs:
validate:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Install actionlint
run: |
ACTIONLINT_VERSION="1.7.7"
mkdir -p "$HOME/.local/bin"
curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
| tar -xz -C "$HOME/.local/bin" actionlint
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
- name: Validate workflow YAML with actionlint
run: actionlint -color .github/workflows/*.yaml
- name: Install shellcheck
run: |
sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck >/dev/null 2>&1
- name: Shellcheck scripts
run: |
if ls .github/scripts/*.sh 1>/dev/null 2>&1; then
for script in .github/scripts/*.sh; do
echo "Checking ${script}..."
shellcheck --severity=warning "$script"
done
else
echo "No shell scripts to check"
fi
.github/workflows/stale-release-cleanup.yaml
-66
View File
@@ -1,66 +0,0 @@
name: Stale Release Branch Cleanup
on:
schedule:
- cron: '0 9 * * 1' # Weekly every Monday at 09:00 UTC
workflow_dispatch:
inputs:
dry_run:
description: 'Dry run (no changes made)'
required: false
default: false
type: boolean
jobs:
cleanup-stale-branches:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
sparse-checkout: |
.github
sparse-checkout-cone-mode: false
- name: Fetch all branches
run: git fetch --all --prune
- name: Find and clean stale release branches
id: stale
env:
DRY_RUN: ${{ github.event.inputs.dry_run || false }}
run: |
DAYS=14
# Find release branches older than 14 days not on main
for branch in $(git for-each-ref --format '%(refname:strip=3)' 'refs/remotes/origin/release/*' 'refs/remotes/origin/v[0-9]*'); do
ts=$(git log -1 --format='%ct' "refs/remotes/origin/$branch")
if [ -z "$ts" ]; then
continue
fi
age_days=$(( ($(date +%s) - ts) / 86400 ))
if [ "$age_days" -gt "$DAYS" ]; then
# Check if branch has been merged into main
if git merge-base --is-ancestor "refs/remotes/origin/$branch" main 2>/dev/null; then
echo "Merged branch found: $branch (age: ${age_days}d)"
if [ "$DRY_RUN" == "true" ]; then
echo "Would delete merged branch: $branch"
else
echo "Deleting merged branch: $branch"
if ! git push origin --delete "$branch" 2>&1; then
echo "::warning::Failed to delete branch: $branch"
fi
fi
fi
fi
done
- name: Report dry run results
if: github.event.inputs.dry_run == 'true'
run: |
echo "Dry run complete. No branches were deleted."
echo ""
echo "Release branches found:"
git for-each-ref --format '%(refname:strip=3) - %(committerdate:relative)' \
'refs/remotes/origin/release/*' 'refs/remotes/origin/v[0-9]*' 2>/dev/null || echo "None found"
.markdownlint.yaml
+15
View File
@@ -0,0 +1,15 @@
# Markdownlint configuration for the org repo.
# Skill files intentionally use longer lines and emphasis-as-headings.
# Allow these patterns for skills directory.
# Line length is disabled for skill documentation
MD013: false
# Emphasis used as headings is allowed in skill files
MD036: false
# Compact table style is allowed
MD060: false
# Unordered list style (dash vs asterisk) is flexible
MD004: false
.yamllint.yaml
+7
View File
@@ -0,0 +1,7 @@
extends: default
rules:
line-length: disable
document-start: disable
truthy:
check-keys: false
CLAUDE.md
+35
View File
@@ -0,0 +1,35 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Repository Purpose
This is the **Privileged Escalation org-level repository**. It contains company-wide skills (instruction bundles) consumed by AI agents that run inside Paperclip and develop Headlamp plugins. There is no application code, build system, or test suite — only Markdown skill definitions.
## Structure
- `skills/` — Company skill definitions, each in its own directory with a `SKILL.md` file
- `skills/safety/SKILL.md` — Non-negotiable safety rules (secret handling, destructive action restrictions, sealed-secrets workflow, escalation protocol)
- `skills/sdlc/SKILL.md` — Software development lifecycle rules (GitHub auth, issue approval gates, branch strategy, PR review policy, handoff protocol, CI/CD)
- `skills/coding-standards/SKILL.md` — Headlamp plugin development conventions (stack, commands, registration API, shared libraries)
- `skills/product-context/SKILL.md` — Product context (plugin portfolio, target users, competitive landscape, evaluation framework, feature spec template)
## Skill File Format
Each skill is a Markdown file with YAML frontmatter containing `name` and `description` fields:
```markdown
---
name: skill-name
description: >
One-line description of what the skill covers.
---
# Skill Title
Content...
```
## Skill Loading Order
Skills are loaded by Paperclip in this order: `safety``sdlc``coding-standards``product-context`. Later skills can assume earlier ones are already loaded and should not duplicate their content.
FUNDING.yml
-1
View File
@@ -1 +0,0 @@
github: [privilegedescalation]
LICENSE
-73
View File
@@ -1,73 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
README.md
-1
View File
@@ -1 +0,0 @@
# .github
profile/README.md
-53
View File
@@ -1,53 +0,0 @@
<p align="center">
<img src="privilegedescalation-logo.jpg" alt="Privileged Escalation" width="300" />
</p>
<div align="center">
![GitHub Org stars](https://img.shields.io/github/stars/privilegedescalation)
![GitHub followers](https://img.shields.io/github/followers/privilegedescalation)
![License](https://img.shields.io/github/license/privilegedescalation/.github)
![Profile views](https://komarev.com/ghpvc/?username=privilegedescalation&color=brightgreen)
</div>
<h3 align="center">Headlamp plugins for the infrastructure you actually run.</h3>
<p align="center">
<a href="https://artifacthub.io/packages/search?org=privilegedescalation&kind=21">Artifact Hub</a>
·
<a href="https://headlamp.dev">Headlamp</a>
·
<a href="https://github.com/sponsors/privilegedescalation">Sponsor</a>
</p>
---
We build open source [Headlamp](https://headlamp.dev) plugins that bring deep visibility into Kubernetes storage, networking, GPU, and security subsystems — right inside your cluster dashboard.
## Our Plugins
| Plugin | What it does | Artifact Hub |
|--------|-------------|:---:|
| [headlamp-rook-plugin](https://github.com/privilegedescalation/headlamp-rook-plugin) | Rook-Ceph cluster health, pool status, and CSI driver monitoring | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-rook-plugin)](https://artifacthub.io/packages/headlamp/headlamp-rook-plugin/headlamp-rook-plugin) |
| [headlamp-tns-csi-plugin](https://github.com/privilegedescalation/headlamp-tns-csi-plugin) | TrueNAS CSI driver visibility and kbench storage benchmarking | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-tns-csi-plugin)](https://artifacthub.io/packages/headlamp/headlamp-tns-csi-plugin/headlamp-tns-csi-plugin) |
| [headlamp-sealed-secrets-plugin](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin) | Manage Bitnami Sealed Secrets with client-side encryption | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-sealed-secrets-plugin)](https://artifacthub.io/packages/headlamp/headlamp-sealed-secrets-plugin/headlamp-sealed-secrets-plugin) |
| [headlamp-polaris-plugin](https://github.com/privilegedescalation/headlamp-polaris-plugin) | Fairwinds Polaris security and best-practices auditing | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-polaris-plugin)](https://artifacthub.io/packages/headlamp/headlamp-polaris-plugin/headlamp-polaris-plugin) |
| [headlamp-intel-gpu-plugin](https://github.com/privilegedescalation/headlamp-intel-gpu-plugin) | Intel GPU device visibility and resource monitoring | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-intel-gpu-plugin)](https://artifacthub.io/packages/headlamp/headlamp-intel-gpu-plugin/headlamp-intel-gpu-plugin) |
| [headlamp-kube-vip-plugin](https://github.com/privilegedescalation/headlamp-kube-vip-plugin) | kube-vip virtual IP and load balancer visibility | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/headlamp-kube-vip)](https://artifacthub.io/packages/headlamp/headlamp-kube-vip/headlamp-kube-vip) |
## Why Headlamp?
Headlamp is a CNCF-listed Kubernetes dashboard built for extensibility. Our plugins slot in natively — no separate UIs, no context switching. If you run Headlamp, you can add any of our plugins with a single command.
## Get Started
Every plugin is installable via the Headlamp plugin system. See individual repos for install instructions.
## Contributing
We welcome contributions, bug reports, and feature requests. Open an issue on any repo or start a discussion. All projects are licensed under Apache 2.0.
## Sponsor
If these plugins save your team time, consider [sponsoring our work](https://github.com/sponsors/privilegedescalation). Sponsorship funds go directly toward new plugin development and maintenance.
profile/privilegedescalation-logo.jpg
BIN
View File
Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 63 KiB

renovate-config.json
-33
View File
@@ -1,33 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"gitAuthor": "Renovate Bot <bot@renovateapp.com>",
"extends": ["config:recommended"],
"baseBranches": ["main"],
"schedule": ["every weekend"],
"prConcurrentLimit": 5,
"pinDigests": true,
"packageRules": [
{
"matchManagers": ["npm"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "npm minor and patch"
},
{
"matchManagers": ["npm"],
"matchUpdateTypes": ["major"],
"groupName": "npm major updates",
"automerge": false
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor", "patch"],
"groupName": "github-actions minor and patch"
},
{
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["major"],
"groupName": "github-actions major updates",
"automerge": false
}
]
}
renovate.json
+6
View File
@@ -0,0 +1,6 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>privilegedescalation/.github:renovate-config"
]
}
scripts/ci-health-check.sh
Executable
+106
View File
@@ -0,0 +1,106 @@
#!/bin/bash
# CI Health Check Script
# Checks CI health across all privilegedescalation repos and reports failures
set -euo pipefail
# Configuration
ORG="privilegedescalation"
MAX_AGE_DAYS=30
CRITICAL_THRESHOLD=3 # Number of consecutive failures to consider critical
# Colors for output
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
# Repos to monitor
REPOS=(
"org"
"infra"
"headlamp-sealed-secrets-plugin"
"headlamp-rook-plugin"
"headlamp-intel-gpu-plugin"
"headlamp-kube-vip-plugin"
"headlamp-tns-csi-plugin"
"headlamp-argocd-plugin"
"headlamp-polaris-plugin"
)
echo "=== CI Health Check for $ORG ==="
echo "Generated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
echo ""
# Track issues
FAILURES=()
STALE_REPOS=()
NO_CI_REPOS=()
for repo in "${REPOS[@]}"; do
echo "Checking $repo..."
# Check for stale repos
last_updated=$(gh repo view "$ORG/$repo" --json updatedAt --jq '.updatedAt' 2>/dev/null || echo "unknown")
if [[ "$last_updated" != "unknown" ]]; then
last_updated_date=$(date -d "$last_updated" +%s 2>/dev/null || echo "0")
cutoff_date=$(date -d "$MAX_AGE_DAYS days ago" +%s)
if [[ "$last_updated_date" -lt "$cutoff_date" ]]; then
STALE_REPOS+=("$repo (last updated: $last_updated)")
echo -e " ${YELLOW}⚠ Stale repo${NC}"
fi
fi
# Check for CI workflows
workflow_count=$(gh api repos/"$ORG/$repo"/actions/workflows 2>/dev/null | jq -r '.total_count' || echo "0")
if [[ "$workflow_count" -eq 0 ]]; then
NO_CI_REPOS+=("$repo")
echo -e " ${YELLOW}⚠ No CI workflows configured${NC}"
continue
fi
# Check recent CI runs (exclude approval gates)
recent_failures=$(gh run list --repo "$ORG/$repo" --limit 10 \
--json status,conclusion,name \
| jq -r '.[] | select(.conclusion == "failure") | select(.name | contains("CI") or contains("E2E") or contains("ci") or contains("e2e")) | .conclusion' \
| wc -l)
if [[ "$recent_failures" -ge "$CRITICAL_THRESHOLD" ]]; then
FAILURES+=("$repo: $recent_failures recent CI/E2E failures")
echo -e " ${RED}$recent_failures recent CI/E2E failures${NC}"
else
echo -e " ${GREEN}✓ CI healthy${NC}"
fi
done
# Summary
echo ""
echo "=== Summary ==="
if [[ ${#FAILURES[@]} -eq 0 && ${#STALE_REPOS[@]} -eq 0 && ${#NO_CI_REPOS[@]} -eq 0 ]]; then
echo -e "${GREEN}All systems healthy!${NC}"
exit 0
else
if [[ ${#FAILURES[@]} -gt 0 ]]; then
echo -e "${RED}CI Failures:${NC}"
for failure in "${FAILURES[@]}"; do
echo " - $failure"
done
fi
if [[ ${#STALE_REPOS[@]} -gt 0 ]]; then
echo -e "${YELLOW}Stale Repos (no updates in $MAX_AGE_DAYS+ days):${NC}"
for stale in "${STALE_REPOS[@]}"; do
echo " - $stale"
done
fi
if [[ ${#NO_CI_REPOS[@]} -gt 0 ]]; then
echo -e "${YELLOW}Repos without CI:${NC}"
for no_ci in "${NO_CI_REPOS[@]}"; do
echo " - $no_ci"
done
fi
exit 1
fi
scripts/detect-pipeline.sh
-49
View File
@@ -1,49 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Reads a newline-separated list of changed files from stdin.
# Outputs "pipeline-a" or "pipeline-b" to stdout.
# Pipeline B: all files are infra-only (config, docs, workflows).
# Pipeline A: any non-infra file present.
detect_pipeline() {
local all_infra=true
while IFS= read -r file; do
[ -z "$file" ] && continue
local filename
local dir
filename=$(basename "$file")
dir=$(dirname "$file")
if [[ "$dir" == ".github" || "$dir" == .github/* ]] || \
[[ "$dir" == "infra" || "$dir" == infra/* ]] || \
[[ "$dir" == "org" || "$dir" == org/* ]] || \
[[ "$filename" == *.md ]] || \
[[ "$filename" == .eslintrc* ]] || \
[[ "$filename" == .prettierrc* ]] || \
[[ "$filename" == renovate.json* ]] || \
[[ "$filename" == .gitignore ]] || \
[[ "$filename" == .editorconfig ]] || \
[[ "$filename" == LICENSE ]] || \
[[ "$filename" == Dockerfile ]] || \
[[ "$filename" == docker-compose* ]] || \
[[ "$filename" == Makefile ]]; then
continue
else
all_infra=false
break
fi
done
if [ "$all_infra" = true ]; then
echo "pipeline-b"
else
echo "pipeline-a"
fi
}
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
detect_pipeline
fi
scripts/test-detect-pipeline.sh
-145
View File
@@ -1,145 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/detect-pipeline.sh"
PASS=0
FAIL=0
assert_eq() {
local test_name="$1" expected="$2" actual="$3"
if [ "$expected" = "$actual" ]; then
echo "PASS: $test_name"
PASS=$((PASS + 1))
else
echo "FAIL: $test_name (expected=$expected, actual=$actual)"
FAIL=$((FAIL + 1))
fi
}
run_detect() {
echo "$1" | detect_pipeline
}
# --- Pipeline B cases (infra-only) ---
assert_eq "single .github root file" "pipeline-b" \
"$(run_detect ".github/dependabot.yml")"
assert_eq ".github/workflows subdirectory" "pipeline-b" \
"$(run_detect ".github/workflows/ci.yaml")"
assert_eq "deeply nested .github path" "pipeline-b" \
"$(run_detect ".github/workflows/reusable/build.yaml")"
assert_eq "markdown file at root" "pipeline-b" \
"$(run_detect "README.md")"
assert_eq "markdown in subdirectory" "pipeline-b" \
"$(run_detect "docs/CONTRIBUTING.md")"
assert_eq "eslintrc config" "pipeline-b" \
"$(run_detect ".eslintrc.json")"
assert_eq "prettierrc config" "pipeline-b" \
"$(run_detect ".prettierrc.yaml")"
assert_eq "renovate config" "pipeline-b" \
"$(run_detect "renovate.json")"
assert_eq "renovate config5" "pipeline-b" \
"$(run_detect "renovate.json5")"
assert_eq "gitignore" "pipeline-b" \
"$(run_detect ".gitignore")"
assert_eq "editorconfig" "pipeline-b" \
"$(run_detect ".editorconfig")"
assert_eq "LICENSE" "pipeline-b" \
"$(run_detect "LICENSE")"
assert_eq "mixed infra files" "pipeline-b" \
"$(run_detect ".github/workflows/ci.yaml
README.md
.eslintrc.json
LICENSE")"
assert_eq "workflow + markdown combo" "pipeline-b" \
"$(run_detect ".github/workflows/detect-pr-pipeline.yaml
.github/workflows/README.md")"
assert_eq "infra root file" "pipeline-b" \
"$(run_detect "infra/helmrelease.yaml")"
assert_eq "infra nested file" "pipeline-b" \
"$(run_detect "infra/clusters/prod/kustomization.yaml")"
assert_eq "org root file" "pipeline-b" \
"$(run_detect "org/CODEOWNERS")"
assert_eq "org nested file" "pipeline-b" \
"$(run_detect "org/policies/branch-protection.json")"
assert_eq "Dockerfile" "pipeline-b" \
"$(run_detect "Dockerfile")"
assert_eq "docker-compose.yaml" "pipeline-b" \
"$(run_detect "docker-compose.yaml")"
assert_eq "docker-compose.override.yml" "pipeline-b" \
"$(run_detect "docker-compose.override.yml")"
assert_eq "Makefile" "pipeline-b" \
"$(run_detect "Makefile")"
assert_eq "mixed infra + org + workflow" "pipeline-b" \
"$(run_detect ".github/workflows/ci.yaml
infra/helmrelease.yaml
org/CODEOWNERS
README.md")"
# --- Pipeline A cases (has non-infra files) ---
assert_eq "plugin source file" "pipeline-a" \
"$(run_detect "headlamp-polaris-plugin/src/index.tsx")"
assert_eq "plugin package.json" "pipeline-a" \
"$(run_detect "headlamp-polaris-plugin/package.json")"
assert_eq "root source file" "pipeline-a" \
"$(run_detect "src/main.ts")"
assert_eq "mixed infra + code" "pipeline-a" \
"$(run_detect ".github/workflows/ci.yaml
headlamp-polaris-plugin/src/index.tsx
README.md")"
assert_eq "single non-infra file" "pipeline-a" \
"$(run_detect "server.js")"
assert_eq "plugin code + infra files" "pipeline-a" \
"$(run_detect "infra/helmrelease.yaml
org/CODEOWNERS
headlamp-polaris-plugin/src/index.tsx")"
# --- Edge cases ---
assert_eq "empty input" "pipeline-b" \
"$(run_detect "")"
assert_eq "root dot file (not in infra list)" "pipeline-a" \
"$(run_detect ".env")"
assert_eq ".github-like but not .github dir" "pipeline-a" \
"$(run_detect ".github-backup/config.yaml")"
# --- Summary ---
echo ""
echo "Results: $PASS passed, $FAIL failed"
if [ "$FAIL" -gt 0 ]; then
exit 1
fi
skills/coding-standards/SKILL.md
+67
View File
@@ -0,0 +1,67 @@
---
name: coding-standards
description: >
Coding standards for Privileged Escalation. Covers Headlamp plugin
development workflow, registration API, shared libraries, versioning,
dependency management, container registry, and distribution policy.
---
# Coding Standards
## Headlamp Plugins
All plugins extend [Headlamp](https://headlamp.dev/docs/latest/development/plugins/getting-started), a Kubernetes dashboard with a plugin system.
- **Language:** TypeScript + React 18, MUI v5
- **Scaffolding:** `npx --yes @kinvolk/headlamp-plugin create <plugin-name>`
- **Entry point:** `src/index.tsx`
- **Linting:** ESLint via `@headlamp-k8s/eslint-config` + Prettier
- **Testing:** Vitest + React Testing Library
### Plugin Commands
Run from the plugin directory:
| Command | Purpose |
|---|---|
| `npm run start` | Dev mode with hot reload |
| `npm run build` | Production build (`dist/main.js`) |
| `npm run format` | Prettier format |
| `npm run lint` | ESLint check |
| `npm run lint-fix` | ESLint auto-fix |
| `npm run tsc` | Typecheck |
| `npm run test` | Vitest tests |
### Registration API
Import from `@kinvolk/headlamp-plugin/lib`:
- `registerAppBarAction()` — add components to the nav bar
- `registerRoute()` — create new pages
- `registerSidebarEntry()` — add sidebar items
- `registerDetailsViewSection()` — extend resource detail views
- `registerPluginSettings()` — add plugin configuration UI
### K8s API Access
```typescript
import { K8s } from '@kinvolk/headlamp-plugin/lib';
const [pods, error] = K8s.ResourceClasses.Pod.useList();
```
### Shared Libraries
These are provided by Headlamp at runtime — **do not bundle them**:
React, React Router, Redux, MUI, Lodash, Monaco Editor, Notistack, Iconify.
## Versioning & Distribution
- **All releases use SemVer.** ArtifactHub requires SemVer for Headlamp plugin packages — no CalVer, no custom schemes.
- **Plugin distribution is ArtifactHub only.** Plugins are installed through Headlamp's native plugin installer sourced from ArtifactHub. No Helm charts, install scripts, or custom install mechanisms.
- **Container images go to `ghcr.io` only.** Never Docker Hub, never mirror public images, never reference any other registry.
## Dependency Management
- **Dependency updates are owned by Mend Renovate.** Never enable Dependabot, never create `.github/dependabot.yml`, never reference Dependabot in workflows or docs.
- **No package mirrors.** Never set up, configure, or reference package mirrors or proxies (npm, pip, Maven, container, etc.). Always use upstream registries directly.
- **Security scanning uses local tools.** Run `npm audit` or `pnpm audit` for vulnerability scanning. Do not use the GitHub vulnerability alerts API.
skills/product-context/SKILL.md
+119
View File
@@ -0,0 +1,119 @@
---
name: product-context
description: >
Product context for Privileged Escalation. Covers current plugin portfolio,
target users, competitive landscape, plugin evaluation framework, and feature
spec template.
---
# Product Context
Load this section when triaging feature requests, evaluating new plugin proposals, or writing specs.
## Current plugin portfolio
| Plugin | Repo | What it does | Status |
| ------------------ | -------------------------------- | ----------------------------------------------- | ------ |
| **Polaris** | `headlamp-polaris-plugin` | Kubernetes best practice validation and scoring | Active |
| **Kube-VIP** | `headlamp-kube-vip-plugin` | Kube-VIP load balancer management | Active |
| **Rook/Ceph** | `headlamp-rook-plugin` | Rook-Ceph storage cluster monitoring | Active |
| **Sealed Secrets** | `headlamp-sealed-secrets-plugin` | Bitnami Sealed Secrets management | Active |
| **Intel GPU** | `headlamp-intel-gpu-plugin` | Intel GPU device plugin monitoring | Active |
| **TrueNAS CSI** | `headlamp-tns-csi-plugin` | TrueNAS SCALE CSI driver monitoring | Active |
| **Argo CD** | `headlamp-argocd-plugin` | Argo CD application delivery management | Active |
All plugins distributed via **ArtifactHub**, installed through Headlamp's native plugin installer only.
## Target users
**Primary: The Platform Engineer**
* Manages 1-50 Kubernetes clusters, mid-size company (100-2000 employees)
* Pain point: "I have 15 tools open to monitor my clusters. I want one dashboard that shows me everything."
* Very high tech comfort. Knows Kubernetes deeply. Will read your source code.
* Will adopt a plugin in 5 minutes if it solves a real problem. Will drop it in 5 seconds if it's buggy or doesn't add value over `kubectl`.
**Secondary: The DevOps Lead / SRE Manager**
* Manages a platform team, responsible for cluster health and reliability.
* Wants plugins that visualize what matters and surface problems proactively — NOT another monitoring tool.
**Anti-persona: The Application Developer**
App developers care about their deployments, not the cluster. Features like "show me my pod logs" are already in Headlamp core. Don't build for them.
## Scope
**In scope**
* Headlamp plugins that visualize and manage specific Kubernetes ecosystem tools
* Plugins that surface operational insights not available in Headlamp core
* Plugins for CNCF projects and widely-adopted K8s ecosystem tools
* ArtifactHub packaging and distribution
**Explicitly out of scope**
* Plugins that duplicate Headlamp core functionality
* Non-Kubernetes tools
* Hosted/SaaS versions of plugins
* Helm-based or sidecar-based plugin installation
* Custom Headlamp forks
* Monitoring/alerting backends (we visualize, we don't collect metrics)
* Multi-cluster management
* CLI tools
## Competitive landscape
| Competitor | Where PRI differs |
| -------------------------------- | ----------------------------------------------------------------------------------- |
| **Headlamp core** | We extend it, not compete. If a feature belongs in core, contribute upstream. |
| **Lens** | Heavy, desktop-only, commercial. We make web-based, open source Headlamp better. |
| **k9s** | Different modality (TUI vs web). Not competitive. |
| **Komodor / Kubecost / Robusta** | Standalone products. Our plugins bring their insights INTO Headlamp. Complementary. |
PRI's moat: leading third-party Headlamp plugin developer. Plugins are free, open source, on ArtifactHub.
## Plugin evaluation framework
1. **Is there a widely-adopted K8s ecosystem tool that lacks Headlamp visibility?**
* Fewer than 1,000 GitHub stars or in alpha → too early. Close with "revisit when more mature."
* Already has a Headlamp plugin → duplicate. Close.
2. **Does the plugin add value over `kubectl` + the tool's own CLI/UI?**
* "It shows the same thing but in Headlamp" → weak value prop. Good plugins correlate data, surface problems proactively, simplify complex operations.
3. **Can Gandalf build and maintain it?**
* One engineer can maintain ~6-8 plugins at current complexity. We're at 7 now. New plugins mean either dropping an existing one or hiring.
4. **Is it installable via ArtifactHub without extras?**
* Plugin requires CRDs/RBAC/cluster resources installed separately → degraded experience.
* Unacceptable: plugin requires its own operator or sidecar.
**Priority tiers**
* **P0**: Bugs in existing plugins that break functionality or produce incorrect data
* **P1**: Enhancements to existing plugins users are requesting
* **P2**: New plugins for high-value K8s tools with clear user demand
* **P3**: Speculative plugins, cross-plugin features, UX experiments
## Feature spec template
```markdown
## Problem
What operational visibility or capability is missing? Who needs it? What do they do today instead?
## Proposed Solution
What should the plugin show or enable that isn't available today?
## Acceptance Criteria
- [ ] Plugin displays...
- [ ] User can...
- [ ] Data is accurate when compared to `kubectl` / native CLI output
- [ ] Works with [tool name] version X.Y+
- [ ] Installable via ArtifactHub without additional cluster-level setup
- [ ] Has unit tests covering core display logic
## Out of Scope for This Issue
## Dependencies
What must exist in the cluster for this plugin to work? (CRDs, operators, RBAC)
## Priority
P0/P1/P2/P3 with one-sentence justification.
```
skills/safety/SKILL.md
+38
View File
@@ -0,0 +1,38 @@
---
name: safety
description: >
Non-negotiable safety rules for all agents at Privileged Escalation. Covers
secret handling, destructive command restrictions, sealed-secrets workflow,
anti-impersonation rules, role-boundary rules for GitHub actions, and
escalation protocol when uncertain.
---
# Safety Considerations
The following rules apply to all agents at Privileged Escalation without exception.
## Non-Negotiable Rules
* **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Do not log, comment, or return these values in any output.
* **Seek Board Approval for Destructive Actions.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup.
* **No plaintext secrets in any repository.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded.
* **Do not use `kubectl create` in production.**
The `privilegedescalation` namespace is Flux-managed. Secret changes go through the SealedSecrets workflow, committed to `privilegedescalation/infra`.
* **Never impersonate another agent or human.** Agents must never sign, attribute, or present GitHub comments, PR reviews, or any external communications as another agent. Every comment must accurately identify the authoring agent. Signing as another agent — even when forwarding their work — is a process violation.
* **Post GitHub comments only within your defined SDLC role.** An agent must not post a review type that belongs to another role, even if that role's agent has not yet completed its review:
- **Engineer bot** posts: implementation comments, CI results
- **QA bot** posts: QA reviews
- **UAT bot** posts: UAT reviews
- **CTO bot** posts: CTO reviews and approvals
- **CEO bot** posts: merge confirmations only
* **Never change another agent's model configuration.** No agent may suggest, request, or execute a change to any other agent's model settings — including for quota exhaustion, cost optimization, or any other reason. Quota issues must be escalated to the board. This is a non-negotiable board directive.
## If you are unsure
If you are unsure whether an action is safe, stop. Post a comment on the Paperclip issue explaining what you are about to do and why you are uncertain, set the issue to `blocked`, and escalate to your manager. Do not guess.
skills/sdlc/SKILL.md
+181
View File
@@ -0,0 +1,181 @@
---
name: sdlc
description: >
Software development lifecycle rules for Privileged Escalation. Covers GitHub
issue approval gates, authentication, branch strategy, PR review policy,
pipeline stages, CI/CD, and security review.
---
# Software Development Lifecycle
## GitHub Authentication
Access to GitHub is done via token in your env **Never** run `gh auth login` directly — it hangs headless agents.
## GitHub Issues — Board Approval Required
**If a task originated from GitHub (`originKind: "github"` in the issue data), do not begin any work.** Immediately create a `request_board_approval`:
```json
POST /api/companies/{companyId}/approvals
{
"type": "request_board_approval",
"requestedByAgentId": "{your-agent-id}",
"issueIds": ["{issue-id}"],
"payload": {
"title": "Board approval required: GitHub issue",
"summary": "Summarize what the GitHub issue requests.",
"recommendedAction": "Approve to begin work.",
"risks": ["Work begins without board review if approved."]
}
}
```
Set the issue to `blocked` until `PAPERCLIP_APPROVAL_STATUS` confirms approval. Only proceed once approved.
## Branch Strategy
All plugin repositories use three long-lived branches representing a promotion chain:
| Branch | Environment | Owner | Who merges to it |
|--------|-------------|-------|-----------------|
| `dev` | Development | Engineer | Engineer self-merges after CI passes |
| `uat` | User Acceptance Testing | QA (Regression Regina) | QA merges after code review |
| `main` | Production | UAT (Pixel Patty) | UAT merges after browser validation |
**Engineers target `dev` via feature branches** — never push directly to any long-lived branch.
Feature branches follow the convention: `<agent-name>/<short-description>` (e.g., `gandalf/add-sealed-secrets-list`).
## Pull Requests
All changes must happen via pull request. Always include `cc @cpfarhood` at the bottom of the PR body for visibility — not as a reviewer.
```bash
gh pr create --title "..." --body "... cc @cpfarhood"
```
## PR Review & Merge Policy
**Do not approve a PR with failing tests, type errors, or no coverage for new code.**
### Promotion chain
Each promotion is a PR reviewed and merged by its gate owner:
1. **feature → dev** — Engineer self-merges after CI passes. No review required. Dev is for validation, not quality gates.
2. **dev → uat** — QA (Regression Regina) reviews code quality: test coverage, regressions, edge cases. QA merges to `uat` after approval.
3. **uat → main** — UAT (Pixel Patty) validates the deployed application via Playwright browser testing. UAT merges to `main` after validation passes. For detailed UAT testing procedures, see the `uat` company skill.
**Each gate owner has merge authority.** No separate merge step by another role. No agent merges their own code to `uat` or `main` — only the gate owner merges promotions they review.
## Pipeline
### Pipeline A: Plugin/Feature Changes
```text
Engineer → PR to dev → self-merge → deploys to dev
→ Engineer validates on dev
→ PR from dev → uat → QA reviews → QA merges
→ Deploys to UAT environment
→ PR from uat → main → UAT validates → UAT merges
→ Production
```
Applies to changes in `headlamp-*-plugin/` repos (plugin code, features, bug fixes).
**UAT_PLAYBOOK.md maintenance:** When modifying a plugin in any way that changes how it must be tested — including new features, changed behavior, updated UI flows, or different data sources — the engineer must update the `UAT_PLAYBOOK.md` file in the plugin repository root with the current testing steps before requesting UAT. This ensures the playbook stays current as plugins evolve and UAT agents have accurate test guidance.
### Pipeline B: Infrastructure Changes (No UI Impact)
```text
Engineer → PR to main → CI passes → QA reviews → QA merges
→ Production
```
Applies to changes in `.github/workflows/`, `infra/`, `org/` repos, and template repos. No UAT stage needed — infrastructure changes have no UI to validate.
**Detection:** If `git diff` shows changes only in `.github/`, `infra/`, `org/`, or deployment files → Pipeline B. If any `headlamp-*-plugin/` code changed → Pipeline A.
**Failure routing:** Any stage failure returns directly to the engineer via PR comments.
## Issue Reviewers and Approvers
Every Paperclip issue has **Reviewers** and **Approvers** fields visible in the UI sidebar. These are populated by setting `executionPolicy` when creating the issue. Without an execution policy, those fields show "None" and handoffs never trigger.
**All stage and participant `id` fields must be random UUIDs.** Generate them at issue-creation time (e.g. via `uuidgen` or your language's UUID library). Do not use descriptive strings — the API rejects non-UUID values.
### Pipeline A — set reviewers on issue creation
For plugin/feature work (Pipeline A), set a two-stage execution policy so QA and UAT appear as reviewers:
```bash
QA_STAGE_ID=$(uuidgen)
QA_PART_ID=$(uuidgen)
UAT_STAGE_ID=$(uuidgen)
UAT_PART_ID=$(uuidgen)
```
```json
"executionPolicy": {
"mode": "normal",
"commentRequired": true,
"stages": [
{
"id": "<QA_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<QA_PART_ID>", "type": "agent", "agentId": "fd5dbec8-ddbb-4b57-9703-624e0ed90053" }
]
},
{
"id": "<UAT_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<UAT_PART_ID>", "type": "agent", "agentId": "01ec02f7-70c2-4fa1-ac3f-2545f1237ac3" }
]
}
]
}
```
- Stage 1 reviewer: Regression Regina (`fd5dbec8-ddbb-4b57-9703-624e0ed90053`)
- Stage 2 reviewer: Pixel Patty (`01ec02f7-70c2-4fa1-ac3f-2545f1237ac3`)
### Pipeline B — single reviewer
For infrastructure changes (Pipeline B), use one QA review stage:
```json
"executionPolicy": {
"mode": "normal",
"commentRequired": true,
"stages": [
{
"id": "<QA_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<QA_PART_ID>", "type": "agent", "agentId": "fd5dbec8-ddbb-4b57-9703-624e0ed90053" }
]
}
]
}
```
### Triggering the handoff
When an engineer completes work and merges to `dev`, set the Paperclip issue status to `in_review`. This activates the execution policy and wakes the first reviewer. Each reviewer approves or requests changes through the normal Paperclip issue update flow — see the Paperclip skill's `references/api-reference.md` for details.
## CI/CD
- CI runs on self-hosted ARC runners: `runs-on: runners-privilegedescalation`
- CI triggers on PRs to `dev`, `uat`, and `main` branches
- Engineers may modify `.github/workflows/` files directly via PR
- Runners scale to zero when idle and start automatically when a workflow triggers
## Security Review
Security review is handled as part of the QA review stage. Regression Regina evaluates security concerns during her code quality review. There is no separate dedicated security review agent.
skills/sdlc/sdlc-diagram.md
+134
View File
@@ -0,0 +1,134 @@
# SDLC Pipeline Diagram
## Full Lifecycle
```mermaid
flowchart TD
subgraph Origin["Task Origin"]
GH["GitHub Issue"]
PP["Paperclip Issue"]
end
subgraph Approval["Board Gate"]
BA{"Board Approval<br/>Required?"}
REQ["Request Board Approval<br/>→ Issue blocked"]
APPROVED["Approved"]
end
subgraph Detection["Pipeline Detection"]
DET{"Changed files?"}
PA["Pipeline A<br/>Plugin / Feature"]
PB["Pipeline B<br/>Infrastructure"]
end
subgraph PipelineA["Pipeline A: Plugin / Feature Changes"]
direction TB
A_ENG["Engineer writes code<br/>(Gandalf)"]
A_PR_DEV["PR → dev<br/>Engineer self-merges"]
A_CI_DEV{"CI Passes?"}
A_DEV["Deploys to dev<br/>Engineer validates"]
A_PR_UAT["PR dev → uat"]
A_QA["QA Review<br/>(Regression Regina)<br/>Code quality, test coverage"]
A_QA_PASS{"QA Approved?"}
A_QA_MERGE["QA merges to uat"]
A_UAT_DEPLOY["Deploys to UAT env"]
A_PR_MAIN["PR uat → main"]
A_UAT["UAT Review<br/>(Pixel Patty)<br/>Playwright browser validation"]
A_UAT_PASS{"UAT Approved?"}
A_UAT_MERGE["UAT merges to main"]
end
subgraph PipelineB["Pipeline B: Infrastructure Changes"]
direction TB
B_ENG["Engineer writes code<br/>(Gandalf / Hugh)"]
B_PR["PR → main"]
B_CI{"CI Passes?"}
B_QA["QA Review<br/>(Regression Regina)"]
B_QA_PASS{"QA Approved?"}
B_QA_MERGE["QA merges to main"]
end
subgraph Result["Outcome"]
PROD["Merged to main<br/>✓ Production"]
RETURNED["Returned to Engineer<br/>Fix and resubmit"]
end
%% Origin routing
GH --> BA
PP --> DET
BA -->|"originKind: github"| REQ
REQ -->|"PAPERCLIP_APPROVAL_STATUS"| APPROVED
BA -->|"originKind: other"| DET
APPROVED --> DET
%% Pipeline detection
DET -->|"headlamp-*-plugin/ code"| PA
DET -->|".github/, infra/, org/"| PB
%% Pipeline A flow
PA --> A_ENG --> A_PR_DEV --> A_CI_DEV
A_CI_DEV -->|"Pass"| A_DEV
A_CI_DEV -->|"Fail"| RETURNED
A_DEV --> A_PR_UAT --> A_QA --> A_QA_PASS
A_QA_PASS -->|"Approved"| A_QA_MERGE --> A_UAT_DEPLOY
A_QA_PASS -->|"Changes requested"| RETURNED
A_UAT_DEPLOY --> A_PR_MAIN --> A_UAT --> A_UAT_PASS
A_UAT_PASS -->|"Approved"| A_UAT_MERGE --> PROD
A_UAT_PASS -->|"Changes requested"| RETURNED
%% Pipeline B flow
PB --> B_ENG --> B_PR --> B_CI
B_CI -->|"Pass"| B_QA --> B_QA_PASS
B_CI -->|"Fail"| RETURNED
B_QA_PASS -->|"Approved"| B_QA_MERGE --> PROD
B_QA_PASS -->|"Changes requested"| RETURNED
RETURNED -->|"Fix and resubmit"| A_PR_DEV
RETURNED -->|"Fix and resubmit"| B_PR
%% Styling
classDef gate fill:#f9e4e4,stroke:#c0392b,color:#000
classDef pass fill:#e4f9e4,stroke:#27ae60,color:#000
classDef agent fill:#e4e9f9,stroke:#2980b9,color:#000
classDef decision fill:#fef9e7,stroke:#f39c12,color:#000
classDef deploy fill:#e8f4f8,stroke:#2c3e50,color:#000
class BA,A_CI_DEV,A_QA_PASS,A_UAT_PASS,B_CI,B_QA_PASS,DET decision
class A_QA,A_UAT,B_QA gate
class PROD pass
class A_ENG,B_ENG agent
class A_DEV,A_UAT_DEPLOY deploy
```
## Branch Promotion Chain
```mermaid
flowchart LR
subgraph Feature["Feature Branch"]
FB["gandalf/feature-name"]
end
subgraph Dev["dev branch"]
DEV["Engineer self-merges<br/>Deploys to dev env"]
end
subgraph UAT["uat branch"]
UATB["QA reviews & merges<br/>Deploys to UAT env"]
end
subgraph Main["main branch"]
MAIN["UAT validates & merges<br/>Deploys to production"]
end
FB -->|"PR + CI"| DEV
DEV -->|"PR + QA review"| UATB
UATB -->|"PR + UAT review"| MAIN
classDef dev fill:#fff3cd,stroke:#856404,color:#000
classDef uat fill:#cce5ff,stroke:#004085,color:#000
classDef prod fill:#d4edda,stroke:#155724,color:#000
class DEV dev
class UATB uat
class MAIN prod
```
skills/uat/SKILL.md
+69
View File
@@ -0,0 +1,69 @@
---
name: uat
description: >
Functional UAT procedures for Privileged Escalation Headlamp plugins. General
behavior, acceptance criteria, artifact requirements, and reference to
plugin-specific test steps in UAT_PLAYBOOK.md.
---
# UAT Procedures
## Purpose
This skill defines **functional User Acceptance Testing** for all Privileged Escalation Headlamp plugins. UAT validates that plugins work correctly in the deployed environment — by exercising plugin features in a running Headlamp instance, not by reviewing code or CI results.
## UAT Environment
The UAT Headlamp instance runs in the `headlamp-uat` Kubernetes namespace. Navigate to the Headlamp UAT URL using your Playwright browser. The plugin under test must be deployed to UAT before testing begins.
## General Process
For every `uat→main` promotion:
1. Open the Headlamp UAT instance in the browser
2. Confirm the plugin appears in the sidebar or app bar
3. Read the plugin's `UAT_PLAYBOOK.md` for the specific test steps to run
4. Execute the test steps from the playbook, capturing screenshots at each verification
5. Check the browser console for errors throughout
6. Post a structured test report (see Artifacts section)
## Acceptance Criteria
A plugin passes UAT when:
- **Plugin loads** — sidebar entry or app bar action is visible and accessible
- **Features work** — all core features in the playbook execute without errors
- **No console errors** — browser console shows no errors during normal operation
- **Data matches cluster state** — plugin data is consistent with `kubectl` queries against the cluster
A plugin fails UAT when:
- Plugin does not load or renders only an error state
- Any core feature is inaccessible or produces errors
- Console errors are present and not explainable as unrelated noise
- Displayed data contradicts known cluster state
## Artifact Requirements
For each plugin tested, the UAT report must include:
1. **Screenshots** of the plugin running in Headlamp — sidebar entry visible, main view loaded, at least one detail view
2. **Test checklist** — each step from `UAT_PLAYBOOK.md` marked pass/fail
3. **Console errors** — any browser console errors observed (attach screenshot if present)
4. **Environment info** — Headlamp version, plugin version, browser used, namespace context
## Reading UAT_PLAYBOOK.md
Each plugin repository contains a `UAT_PLAYBOOK.md` in its root directory. That file contains the canonical test steps for that specific plugin. Before running UAT, read the relevant playbook to know:
- Which features to exercise
- What the expected results are
- What screenshots to capture at each step
If `UAT_PLAYBOOK.md` does not exist for a plugin, treat that as a gap — report it in the UAT findings and flag it as a documentation issue.
## Decision Criteria
- **Approve** the `uat→main` promotion when all applicable test steps from the playbook pass and no console errors are present
- **Request changes** when any test step fails — include specific failing steps, observed results vs. expected results, and failure screenshots
- **Block** if the plugin fails to load entirely — escalate to CTO as a deployment issue requiring immediate resolution