Chris Farhood e75859c67a fix: resolve BASE_REF from PR API on pull_request_review events
BASE_REF is empty on pull_request_review events since github.base_ref
is only populated on pull_request events. The empty string hit the
case * wildcard and silently passed the promotion gate.

Add a fallback that fetches .base.ref from the PR API when BASE_REF
is empty but a PR_NUMBER is available.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 05:58:37 +00:00

GitHub Actions Workflows

This directory contains reusable and repo-specific GitHub Actions workflows for the privilegedescalation organization.

Available Tools on Runners

Always Available

  • curl - HTTP client (use this instead of gh CLI for API calls)
  • jq - JSON processor
  • bash - Shell
  • git - Version control
  • docker / podman - Container runtime (depending on runner)

NOT Available (must install if needed)

  • gh CLI - GitHub CLI is not pre-installed on runners. Use curl with the GitHub API instead.

Best Practices

GitHub API Calls

Instead of using gh CLI (which is not installed), use curl with the GitHub API:

- name: Set PR label
  env:
    GH_TOKEN: ${{ github.token }}
    REPO: ${{ github.repository }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
  run: |
    curl -sf \
      -X POST \
      -H "Authorization: Bearer ${GH_TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      "https://api.github.com/repos/${REPO}/issues/${PR_NUMBER}/labels" \
      -d '{"labels":["label-name"]}'
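
The BASE_REF fallback described in the commit message above, built on the curl pattern from this section, as an added example that is not one of the organization's workflow files. It assumes main and release/* are the only promotion targets and that GH_TOKEN, REPO and PR_NUMBER arrive through the step's env; the gate rejects an empty branch before the case statement so it can never reach the wildcard.

```bash
#!/usr/bin/env bash
# Added example, not one of the organization's workflow files: resolve the PR
# base branch for a promotion gate. On pull_request_review events github.base_ref
# is empty, so we fall back to the PR API (curl + jq, as this README recommends)
# and fail closed when the branch still cannot be determined.
set -eu

# fetch_pr_json REPO PR_NUMBER: print the pull request JSON from the GitHub API.
# GH_TOKEN is expected in the step's env (e.g. ${{ github.token }}).
fetch_pr_json() {
  curl -sf \
    -H "Authorization: Bearer ${GH_TOKEN:?GH_TOKEN must be set}" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$1/pulls/$2"
}

# resolve_base_ref BASE_REF PR_NUMBER REPO [FETCHER]: print the base branch.
# FETCHER defaults to fetch_pr_json; a stub can be injected for offline testing.
resolve_base_ref() {
  local base_ref="$1" pr_number="$2" repo="$3" fetcher="${4:-fetch_pr_json}" json
  if [ -z "$base_ref" ] && [ -n "$pr_number" ]; then
    json="$("$fetcher" "$repo" "$pr_number")" || json=""
    base_ref="$(printf '%s' "$json" | jq -r '.base.ref // empty')"
  fi
  printf '%s\n' "$base_ref"
}

# promotion_gate BASE_REF: return 0 when promotion is allowed, 1 otherwise.
# An empty value is rejected before the case statement so it can never match
# the "*" wildcard, which is how the original gate was silently bypassed.
# main and release/* as the allowed targets are an assumption of this example.
promotion_gate() {
  local base_ref="$1"
  if [ -z "$base_ref" ]; then
    echo "BASE_REF could not be resolved; refusing to promote" >&2
    return 1
  fi
  case "$base_ref" in
    main|release/*) return 0 ;;
    *) echo "base branch '$base_ref' is not a promotion target" >&2; return 1 ;;
  esac
}

# Workflow usage (inside a run: step):
#   BASE_REF="$(resolve_base_ref "${BASE_REF:-}" "${PR_NUMBER:-}" "$REPO")"
#   promotion_gate "$BASE_REF"
```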

Workflow Validation

Run actionlint locally before pushing:

actionlint -color .github/workflows/*.yaml

Reusable Workflows

  • plugin-ci.yaml - Standard CI for Headlamp plugins
  • plugin-e2e.yaml - E2E testing for Headlamp plugins
  • dual-approval-check.yaml - Checks for CTO and QA approval
  • detect-pr-pipeline.yaml - Detects Pipeline A vs Pipeline B based on changed files

Workflow Naming Convention

  • Use kebab-case: my-workflow.yaml
  • Be descriptive: plugin-ci.yaml not ci.yaml
  • For reusable workflows, make the purpose clear from the name

Required Gates

All PRs must pass:

  1. actionlint validation (workflow YAML syntax)
  2. Shell script validation (if scripts are used)
  3. Any repo-specific CI checks

Common Patterns

Getting Changed Files

Use tj-actions/changed-files:

- name: Get changed files
  id: changed-files
  uses: tj-actions/changed-files@v47  # prefer pinning third-party actions to a full commit SHA rather than a mutable tag
  with:
    separator: "\n"  # newline-separate the output lists; files_separator only controls how the `files` input is split

Setting Job Outputs

- name: Set output
  id: detect
  run: |
    echo "pipeline-type=pipeline-a" >> "$GITHUB_OUTPUT"

Expose the value at job level (outputs: pipeline-type: ${{ steps.detect.outputs.pipeline-type }}) and read it in downstream jobs that list this job under needs: ${{ needs.job-name.outputs.pipeline-type }}