privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bc728a753a8fa89bb12ca2a589d50a6d531d84fa
org/.github/workflows
T
History
Chris Farhood bc728a753a fix(plugin-release): remove invalid --json flag from gh pr create 
The --json flag is not valid for gh pr create, only for read commands
like gh pr list and gh pr view. This was causing the release workflow
to fail with 'unknown flag: --json' in the Create PR step.

The PR number is correctly retrieved on the line after via gh pr list,
so no other change was needed.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-13 12:33:00 +00:00
..
ci-health-check.yaml
ci: upgrade GitHub Actions to Node.js 24-compatible versions
2026-03-24 16:10:18 +00:00
detect-pr-pipeline.yaml
fix: address QA findings on detect-pipeline workflow
2026-05-11 22:25:45 +00:00
dual-approval-check.yaml
Replace dual-approval with promotion gate workflow (#177)
2026-05-11 21:37:00 +00:00
plugin-ci.yaml
Merge pull request #180 from privilegedescalation/hugh/add-audit-ci-allowlist
2026-05-12 22:35:46 +00:00
plugin-release.yaml
fix(plugin-release): remove invalid --json flag from gh pr create
2026-05-13 12:33:00 +00:00
pr-validation.yaml
fix: update runner label from local-ubuntu-latest to runners-privilegedescalation
2026-03-19 20:11:51 +00:00
README.md
fix: address QA findings on detect-pipeline workflow
2026-05-11 22:25:45 +00:00
stale-release-cleanup.yaml
fix: use refs/remotes/origin for branch scanning in stale-release-cleanup
2026-04-22 18:15:30 +00:00

README.md

GitHub Actions Workflows

This directory contains reusable and repo-specific GitHub Actions workflows for the privilegedescalation organization.

Available Tools on Runners

Always Available

  • curl - HTTP client (use this instead of gh CLI for API calls)
  • jq - JSON processor
  • bash - Shell
  • git - Version control
  • docker / podman - Container runtime (depending on runner)

NOT Available (must install if needed)

  • gh CLI - GitHub CLI is not pre-installed on runners. Use curl with the GitHub API instead.

Best Practices

GitHub API Calls

Instead of using gh CLI (which is not installed), use curl with the GitHub API:

- name: Set PR label
  env:
    GH_TOKEN: ${{ github.token }}
    REPO: ${{ github.repository }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
  run: |
    curl -sf \
      -X POST \
      -H "Authorization: Bearer ${GH_TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/labels" \
      -d '{"labels":["label-name"]}'

Workflow Validation

Run actionlint locally before pushing:

actionlint -color .github/workflows/*.yaml

Reusable Workflows

  • plugin-ci.yaml - Standard CI for Headlamp plugins
  • plugin-e2e.yaml - E2E testing for Headlamp plugins
  • dual-approval-check.yaml - Checks for CTO and QA approval
  • detect-pr-pipeline.yaml - Detects Pipeline A vs Pipeline B based on changed files

Workflow Naming Convention

  • Use kebab-case: my-workflow.yaml
  • Be descriptive: plugin-ci.yaml not ci.yaml
  • For reusable workflows, keep the name clear about its purpose

Required Gates

All PRs must pass:

  1. actionlint validation (workflow YAML syntax)
  2. Shell script validation (if scripts are used)
  3. Any repo-specific CI checks

Common Patterns

Getting Changed Files

Use tj-actions/changed-files:

- name: Get changed files
  id: changed-files
  uses: tj-actions/changed-files@v47
  with:
    files_separator: '\n'

Setting Job Outputs

- name: Set output
  id: detect
  run: |
    echo "pipeline-type=pipeline-a" >> $GITHUB_OUTPUT

Access in downstream jobs: ${{ jobs.job-name.outputs.pipeline-type }}

Reference in New Issue View Git Blame Copy Permalink