Merge branch 'main' into adding-lint-commit-and-husky-to-root-configuration

Signed-off-by: Dibyanshu Pal Kushwaha <dibyanshupkushwaha@gmail.com>

Author: dibyanshu-pal-kushwaha

.github/workflows/app-artifacts-embedded.yml

@@ -0,0 +1,66 @@
+name: Build and upload embedded binaries
+
+on:
+  workflow_dispatch:
+    inputs:
+      buildBranch:
+        description: 'Headlamp ref/branch/tag'
+        required: true
+        default: 'main'
+      version:
+        description: 'Version for the binaries (defaults to app/package.json version)'
+        required: false
+        default: ''
+
+permissions:
+  contents: read
+
+jobs:
+  build-embedded:
+    permissions:
+      actions: write # needed to upload artifacts
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        ref: ${{ github.event.inputs.buildBranch }}
+    - name: Setup nodejs
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      with:
+        node-version: 20.x
+        cache: 'npm'
+        cache-dependency-path: |
+          frontend/package-lock.json
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      with:
+        go-version: '1.24.*'
+        cache-dependency-path: |
+          backend/go.sum
+    - name: Get version
+      id: get-version
+      run: |
+        if [ -n "${{ github.event.inputs.version }}" ]; then
+          VERSION="${{ github.event.inputs.version }}"
+        else
+          VERSION=$(node -p "require('./app/package.json').version")
+        fi
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
+        echo "Building embedded binaries with version: $VERSION"
+    - name: Build frontend
+      run: |
+        make frontend
+    - name: Prepare backend for embedding
+      run: |
+        make backend-embed-prepare
+    - name: Build embedded binaries
+      run: |
+        make backend-embed-all-compressed VERSION=${{ steps.get-version.outputs.version }}
+    - name: Upload embedded binaries
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      with:
+        name: embedded-binaries
+        path: ./backend/dist/*.tar.gz
+        if-no-files-found: error
+        retention-days: 2
+

.github/workflows/backend-test.yml

@@ -76,6 +76,10 @@ jobs:
           rm ~/.config/Headlamp/kubeconfigs/config
         shell: bash
 
+      - name: Run fuzz tests
+        run: npm run backend:fuzz
+        shell: bash
+
       - name: Upload coverage report as artifact
         id: upload-artifact
         uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2

.github/workflows/draft-release.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
@@ -48,7 +48,7 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Create Release Coordination Issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ github.token }}
           script: |

.github/workflows/helm-chart-release.yml

@@ -76,6 +76,7 @@ jobs:
         with:
           config: .github/cr.yaml
           mark_as_latest: false # only headlamp is set to latest
+          skip_existing: true # skip package upload if release already exists
 
       - name: Push Charts to GHCR
         run: |

AGENTS.md

@@ -194,6 +194,10 @@ backend-embed-linux-386:
 backend-test:
 	cd backend && go test -v -p 1 ./...
 
+.PHONY: backend-fuzz
+backend-fuzz:
+	npm run backend:fuzz
+
 .PHONY: backend-coverage
 backend-coverage:
 	cd backend && go test -v -p 1 -coverprofile=coverage.out ./...

Makefile

@@ -3,11 +3,11 @@ aliases:
     - joaquimrocha
     - illume
     - sniok
+    - yolossn
   headlamp-reviewers:
     - joaquimrocha
     - illume
     - sniok
     - ashu8912
-    - yolossn
     - vyncent-t
     - skoeva

OWNERS_ALIASES

@@ -16,7 +16,10 @@
     "copy-plugins": "npx --no-install shx rm -rf build/.plugins && mkdirp build/.plugins && copyfiles ../.plugins build/.plugins",
     "dev": "npm run compile-electron && cross-env ELECTRON_DEV=1 electron .",
     "dev-only-app": "npm run compile-electron && cross-env ELECTRON_DEV=1 ELECTRON_START_URL=http://localhost:3000 EXTERNAL_SERVER=true electron .",
+    "format": "cd .. && npm run frontend:format",
     "i18n": "npx --no-install i18next ./electron/main.ts -c ./electron/i18next-parser.config.js",
+    "lint": "cd .. && npm run frontend:lint",
+    "lint-fix": "cd .. && npm run frontend:lint:fix",
     "package": "npm run build && electron-builder build --publish never",
     "package-msi": "npm run build && node windows/msi/build.js",
     "prod-deps": "mkdirp prod_deps && cd ./prod_deps && copyfiles -f ../package.json ../package-lock.json . && npm i --only=prod && cd .. && npx --no-install shx rm -rf ./prod_deps/node_modules/.bin",

app/package.json

@@ -0,0 +1,83 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth_test
+
+import (
+	"regexp"
+	"testing"
+	"unicode/utf8"
+
+	"github.com/kubernetes-sigs/headlamp/backend/pkg/auth"
+)
+
+// FuzzSanitizeClusterName tests the SanitizeClusterName function with various inputs
+// to ensure it handles edge cases, special characters, and maintains its invariants.
+func FuzzSanitizeClusterName(f *testing.F) {
+	// Seed corpus with known interesting test cases
+	f.Add("my-cluster")
+	f.Add("my_cluster")
+	f.Add("cluster123")
+	f.Add("my-cluster@#$%")
+	f.Add("")
+	f.Add("very-long-cluster-name-that-exceeds-fifty-characters-limit")
+	f.Add("special!@#$%^&*()chars")
+	f.Add("unicode-日本語-cluster")
+	f.Add("spaces in name")
+	f.Add("trailing-dash-")
+	f.Add("-leading-dash")
+	f.Add("___underscores___")
+	f.Add("UPPERCASE")
+	f.Add("MixedCase123")
+
+	validCharsRegex := regexp.MustCompile(`^[a-zA-Z0-9\-_]*$`)
+
+	f.Fuzz(func(t *testing.T, input string) {
+		result := auth.SanitizeClusterName(input)
+
+		// Invariant 1: Result should never be longer than 50 characters
+		if len(result) > 50 {
+			t.Errorf("SanitizeClusterName(%q) returned result with length %d, expected <= 50", input, len(result))
+		}
+
+		// Invariant 2: Result should only contain alphanumeric characters, hyphens, and underscores
+		if !validCharsRegex.MatchString(result) {
+			t.Errorf("SanitizeClusterName(%q) = %q contains invalid characters", input, result)
+		}
+
+		// Invariant 3: Result should be a valid UTF-8 string
+		if !utf8.ValidString(result) {
+			t.Errorf("SanitizeClusterName(%q) = %q is not valid UTF-8", input, result)
+		}
+
+		// Invariant 4: If input is empty, result should be empty
+		if input == "" && result != "" {
+			t.Errorf("SanitizeClusterName(%q) = %q, expected empty string", input, result)
+		}
+
+		// Invariant 5: Result should be idempotent - sanitizing the result again should give the same result
+		result2 := auth.SanitizeClusterName(result)
+		if result != result2 {
+			t.Errorf("SanitizeClusterName is not idempotent: first=%q, second=%q", result, result2)
+		}
+
+		// Invariant 6: Result length should never exceed input length (sanitization only removes characters)
+		if len(input) > 0 && len(result) > len(input) {
+			t.Errorf("SanitizeClusterName(%q) returned result longer than input: input_len=%d, result_len=%d",
+				input, len(input), len(result))
+		}
+	})
+}

backend/pkg/auth/cookies_fuzz_test.go

@@ -0,0 +1,2 @@
+go test fuzz v1
+string("my-cluster@#$%")