Add PR development builds feature with Sigstore signing, auto-refresh UI, build history selection, failed build detection, and accessibility testing

.github/workflows/app-artifacts-linux.yml

@@ -17,6 +17,7 @@ jobs:
     permissions:
       actions: write # needed to upload artifacts
       contents: write
+      id-token: write # needed for Sigstore keyless signing
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
@@ -34,24 +35,41 @@ jobs:
     - name: Rename AppImage 64bit version
       run: |
         FILE_PATH=$(echo app/dist/Headlamp*x86_64*.AppImage); mv ${FILE_PATH} $(echo ${FILE_PATH}|sed s/x86_64/x64/)
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+    - name: Sign Linux artifacts with Cosign
+      run: |
+        cd app/dist
+        for file in Headlamp*.tar.* Headlamp*.AppImage headlamp*.deb; do
+          if [ -f "$file" ]; then
+            echo "Signing $file"
+            cosign sign-blob --yes --bundle "${file}.cosign.bundle" "$file"
+          fi
+        done
     - name: Upload Tarball artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Tarballs
-        path: ./app/dist/Headlamp*.tar.*
+        path: |
+          ./app/dist/Headlamp*.tar.*
+          ./app/dist/Headlamp*.tar.*.cosign.bundle
         if-no-files-found: error
         retention-days: 1
     - name: Upload AppImage artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: AppImages
-        path: ./app/dist/Headlamp*.AppImage
+        path: |
+          ./app/dist/Headlamp*.AppImage
+          ./app/dist/Headlamp*.AppImage.cosign.bundle
         if-no-files-found: error
         retention-days: 1
     - name: Upload Debian artifacts
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Debian
-        path: ./app/dist/headlamp*.deb
+        path: |
+          ./app/dist/headlamp*.deb
+          ./app/dist/headlamp*.deb.cosign.bundle
         if-no-files-found: error
         retention-days: 1

.github/workflows/app-artifacts-mac.yml

@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read
       actions: write # needed to upload artifacts
+      id-token: write # needed for Sigstore keyless signing
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
@@ -63,11 +64,24 @@ jobs:
       if: ${{ ! inputs.signBinaries }}
       run: |
         make app-mac
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+    - name: Sign Mac artifacts with Cosign
+      run: |
+        cd app/dist
+        for file in Headlamp*.dmg; do
+          if [ -f "$file" ]; then
+            echo "Signing $file"
+            cosign sign-blob --yes --bundle "${file}.cosign.bundle" "$file"
+          fi
+        done
     - name: Upload artifact
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
-        path: ./app/dist/Headlamp*.dmg
+        path: |
+          ./app/dist/Headlamp*.dmg
+          ./app/dist/Headlamp*.dmg.cosign.bundle
         if-no-files-found: error
         retention-days: 1
   notarize:
@@ -139,7 +153,9 @@ jobs:
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
-        path: ./dmgs/Headlamp*.dmg
+        path: |
+          ./dmgs/Headlamp*.dmg
+          ./dmgs/Headlamp*.dmg.cosign.bundle
         if-no-files-found: error
         overwrite: true
         retention-days: 2
@@ -212,7 +228,9 @@ jobs:
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
-        path: ./dmgs/Headlamp*.dmg
+        path: |
+          ./dmgs/Headlamp*.dmg
+          ./dmgs/Headlamp*.dmg.cosign.bundle
         if-no-files-found: error
         overwrite: true
         retention-days: 2

.github/workflows/app-artifacts-win.yml

@@ -18,7 +18,7 @@ permissions:
 jobs:
   build-windows:
     permissions:
-      id-token: write # For fetching an OpenID Connect (OIDC) token
+      id-token: write # For fetching an OpenID Connect (OIDC) token and Sigstore keyless signing
       contents: read
       actions: write # needed to upload artifacts
     runs-on: windows-2022
@@ -88,10 +88,26 @@ jobs:
         }
         make app-win
 
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+    - name: Sign Windows artifacts with Cosign
+      shell: pwsh
+      working-directory: headlamp
+      run: |
+        cd app/dist
+        Get-ChildItem -Filter "Headlamp*.*" | ForEach-Object {
+          $file = $_.Name
+          Write-Host "Signing $file"
+          cosign sign-blob --yes --bundle "$file.cosign.bundle" $file
+        }
+
     - name: Upload artifact
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Win exes
-        path: ./headlamp/app/dist/Headlamp*.*
+        path: |
+          ./headlamp/app/dist/Headlamp*.*
+          ./headlamp/app/dist/Headlamp*.*.cosign.bundle
         if-no-files-found: error
         retention-days: 2

.github/workflows/push-release-assets.yml

@@ -24,6 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write # need to write to releases and download artifacts
+      id-token: write # needed for Sigstore keyless signing
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -83,6 +84,26 @@ jobs:
             exit 0
           fi
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Sign artifacts with Cosign for release
+        run: |
+          cd ./flattened-artifacts
+          # Sign only the actual binary artifacts (not existing .cosign.bundle files)
+          for file in Headlamp*.*; do
+            # Skip if file is already a cosign bundle
+            if [[ "$file" != *.cosign.bundle ]]; then
+              # Skip if cosign bundle already exists (from PR builds)
+              if [ ! -f "${file}.cosign.bundle" ]; then
+                echo "Signing $file for release"
+                cosign sign-blob --yes --bundle "${file}.cosign.bundle" "$file"
+              else
+                echo "Signature already exists for $file"
+              fi
+            fi
+          done
+
       - name: Prepare GPG key
         run: |
           gpg_dir=.cr-gpg

README.md

@@ -75,6 +75,37 @@ We maintain a list of the [Kubernetes platforms](./docs/platforms.md) we have
 tested Headlamp with. We invite you to add any missing platforms you have
 tested, or comment if there are any regressions in the existing ones.
 
+## Security & Verification
+
+### Signature Verification
+
+All Headlamp desktop application artifacts (releases and PR builds) are signed using [Sigstore](https://www.sigstore.dev/) keyless signing with GitHub Actions OIDC identity. This provides cryptographic verification that binaries were built by official GitHub Actions workflows.
+
+#### Verifying Release Artifacts
+
+You can verify the authenticity of Headlamp releases using the Cosign CLI:
+
+```bash
+# Install Cosign (https://docs.sigstore.dev/cosign/installation/)
+# macOS: brew install sigstore/tap/cosign
+# Linux/Windows: See https://docs.sigstore.dev/cosign/installation/
+
+# Download artifact and signature bundle
+wget https://github.com/kubernetes-sigs/headlamp/releases/download/v0.40.0/Headlamp-0.40.0.AppImage
+wget https://github.com/kubernetes-sigs/headlamp/releases/download/v0.40.0/Headlamp-0.40.0.AppImage.cosign.bundle
+
+# Verify signature
+cosign verify-blob \
+  --bundle Headlamp-0.40.0.AppImage.cosign.bundle \
+  --certificate-identity "https://github.com/kubernetes-sigs/headlamp/.github/workflows/push-release-assets.yml@refs/tags/v0.40.0" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  Headlamp-0.40.0.AppImage
+```
+
+Successful verification confirms the artifact was built by the official release workflow.
+
+For more information about signature verification, including how to verify PR artifacts, see the [PR Development Builds documentation](./docs/development/prBuilds.md#signature-verification).
+
 ## Extensions / Plugins
 
 Please see [headlamp plugins on Artifact Hub](https://artifacthub.io/packages/search?kind=21&sort=relevance&page=1) for a list of plugins published.

app/.gitignore

@@ -13,3 +13,5 @@
 electron/windowSize.test.js
 electron/env-paths.js
 electron/runCmd.test.js
+/electron/prBuilds.js
+/electron/prBuilds.test.js

app/README.md

@@ -38,3 +38,29 @@ Note, it runs the development servers for the backend and the frontend as well.
 - `npm start`: Starts the app in dev mode along with the backend server, and the frontend development server.
 - `npm run test`: Runs the tests. See the \*.test.js files in the electron/ folder.
 - `npm run tsc`: Runs the type checker.
+
+## Environment Variables
+
+The Headlamp desktop app supports several environment variables to control its behavior:
+
+- `HEADLAMP_ENABLE_APP_DEV_BUILDS`: Set to `false` to disable the PR builds feature. This feature allows testing development builds from pull requests. **Default:** enabled (set to `false` to disable)
+- `HEADLAMP_CHECK_FOR_UPDATES`: Set to `false` to disable automatic update checks. **Default:** `true`
+- `HEADLAMP_MAX_PORT_ATTEMPTS`: Maximum number of ports to try when starting the backend server. **Default:** `100`
+- `ELECTRON_DEV`: Set to `1` for development mode. Used internally by `npm run dev`.
+- `ELECTRON_START_URL`: Override the frontend URL. Used for development.
+- `EXTERNAL_SERVER`: Set to `true` to use an external backend server instead of starting one.
+
+Example usage:
+
+```bash
+# Disable PR builds feature (macOS/Linux)
+export HEADLAMP_ENABLE_APP_DEV_BUILDS=false
+./Headlamp
+
+# Windows PowerShell
+$env:HEADLAMP_ENABLE_APP_DEV_BUILDS="false"
+.\Headlamp.exe
+```
+
+For more information about the PR builds feature, see the [PR Builds documentation](../docs/development/prBuilds.md).
+