Files

T

Chris Farhood adcce5a531 fix(pr-validation): remove sudo from shellcheck install

The act runner container runs as root and does not have sudo
installed, causing CI job 187 to fail with "sudo: command not found".

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-16 21:08:24 +00:00

ci-health-check.yaml

fix: change plugin-ci.yaml runs-on to ubuntu-latest (#195 )

2026-05-15 19:35:57 +00:00

detect-pr-pipeline.yaml

fix(actionlint): resolve untrusted github.head_ref and undefined secrets

2026-05-16 04:35:11 +00:00

dual-approval-check.yaml

fix: change plugin-ci.yaml runs-on to ubuntu-latest (#195 )

2026-05-15 19:35:57 +00:00

plugin-ci.yaml

fix: change plugin-ci.yaml runs-on to ubuntu-latest (#195 )

2026-05-15 19:35:57 +00:00

plugin-release.yaml

fix(actionlint): replace curl with wget, fix secrets.GITEA_TOKEN references

2026-05-16 10:42:57 +00:00

pr-validation.yaml

fix(pr-validation): remove sudo from shellcheck install

2026-05-16 21:08:24 +00:00

README.md

fix: address QA findings on detect-pipeline workflow

2026-05-11 22:25:45 +00:00

renovate.yaml

fix: add RENOVATE_ENDPOINT for Gitea self-hosted instance

2026-05-14 20:37:48 +00:00

stale-release-cleanup.yaml

fix: use refs/remotes/origin for branch scanning in stale-release-cleanup

2026-04-22 18:15:30 +00:00

README.md

GitHub Actions Workflows

This directory contains reusable and repo-specific GitHub Actions workflows for the privilegedescalation organization.

Available Tools on Runners

Always Available

curl - HTTP client (use this instead of gh CLI for API calls)
jq - JSON processor
bash - Shell
git - Version control
docker / podman - Container runtime (depending on runner)

NOT Available (must install if needed)

gh CLI - GitHub CLI is not pre-installed on runners. Use curl with the GitHub API instead.

Best Practices

GitHub API Calls

Instead of using gh CLI (which is not installed), use curl with the GitHub API:

- name: Set PR label
  env:
    GH_TOKEN: ${{ github.token }}
    REPO: ${{ github.repository }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
  run: |
    curl -sf \
      -X POST \
      -H "Authorization: Bearer ${GH_TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/labels" \
      -d '{"labels":["label-name"]}'

Workflow Validation

Run actionlint locally before pushing:

actionlint -color .github/workflows/*.yaml

Reusable Workflows

plugin-ci.yaml - Standard CI for Headlamp plugins
plugin-e2e.yaml - E2E testing for Headlamp plugins
dual-approval-check.yaml - Checks for CTO and QA approval
detect-pr-pipeline.yaml - Detects Pipeline A vs Pipeline B based on changed files

Workflow Naming Convention

Use kebab-case: my-workflow.yaml
Be descriptive: plugin-ci.yaml not ci.yaml
For reusable workflows, keep the name clear about its purpose

Required Gates

All PRs must pass:

actionlint validation (workflow YAML syntax)
Shell script validation (if scripts are used)
Any repo-specific CI checks

Common Patterns

Getting Changed Files

Use tj-actions/changed-files:

- name: Get changed files
  id: changed-files
  uses: tj-actions/changed-files@v47
  with:
    files_separator: '\n'

Setting Job Outputs

- name: Set output
  id: detect
  run: |
    echo "pipeline-type=pipeline-a" >> $GITHUB_OUTPUT

Access in downstream jobs: ${{ jobs.job-name.outputs.pipeline-type }}