ci: Add GitHub Actions workflow and Dependabot config

[NAME-ASHWANIYADAV]

Type of change

• ⚙️ CI / tooling

What this PR does

Introduces a CI pipeline that runs on every push to main and all pull requests.
The pipeline executes: build → typecheck → lint → format check → test.

Also includes:

• .gitignore fix: adds !.github exception so the workflow directory is tracked
• Dependabot config for automated npm and GitHub Actions dependency updates
• Concurrency control to cancel stale CI runs
• Build artifact upload (14-day retention)
• All actions pinned to exact commit SHAs for supply-chain security

Test plan

Automated checks

• npm run build
• npm run tsc
• npm run lint
• npm run format -- --check

[markmandel]

I don't know github actions super well (or headlamp plugins) -- what are we uploading here, and, I guess also - why? (not saying it's bad -- just curious as to the reasoning)

[NAME-ASHWANIYADAV]

Hey @markmandel , it uploads the compiled plugin so reviewers can download the ZIP and drop it directly into their Headlamp plugins folder to test instantly, without needing to clone the code and run npm build themselves
its saves time and efforts to use terminal to review any pr

[lacroixthomas]

I like the idea, I'm just wondering if this should be part of another PR related to the release process ?
https://headlamp.dev/docs/latest/development/plugins/publishing/
Otherwise I'm fine with it

[NAME-ASHWANIYADAV]

@lacroixthomas, thanks for the link!
Should I remove the artifact upload from this PR and handle it in a separate release workflow PR instead 🤔?
Let me know what works best🚀

[lacroixthomas]

I'm actually fine to keep it, I just wonder if this could be an "issue" about storage if it's too big as it would be ran each time 🤔 Even though it would only be kept for 14 days

I pretty like the idea about it, but I would maybe say that let's not keep it for the time being and see with the flow, if we see that it would make sense to directly use this zip or if people would actually build it locally (as they would need a cluster either way to set it up etc / maybe minikube or so if it's just a test)

I don't really mind actually, I'm easy on this one, what do you think about it @markmandel ?

[markmandel]

Yeah, let's keep it - I like the idea. Makes testing PRs that people make also easy 👍🏻

I assume we also have a way to approve that the workflow runs that runs this? We shouldn't have it run automatically on every PR.

[NAME-ASHWANIYADAV]

I have updated the workflow to split the artifact upload into a separate job that requires a GitHub Environment (environment: artifact-upload)
Now, the build, lint, and test jobs will run automatically on every PR, but the actual artifact upload step will pause and require a maintainer to manually approve it (especially for fork PRs). We just need to create an artifact-upload environment in the repo settings and add maintainers as required reviewers.

Here is the official GitHub documentation on how this works: Using environments for deployment - Required reviewers

[markmandel]

Oh, I wasn't specifically worried about the upload -- I meant tests too 👍🏻 sorry that wasn't clear.

Unfortunately, we get people who do nefarious things (uploading malicious code, knowing it will run in a GitHub Action, which may have access to certain secrets etc) -- so having a workflow gated to just those people who are writers to the repository is a definite must for us.

https://docs.github.com/en/actions/how-tos/manage-workflow-runs/approve-runs-from-forks (which it sounds like you across already)

So - the whole things should be treated as not-trusted and require some human eyes before checking out code and running any kind of code or packaging it. It can be a single approval though for the entire workflow.

[NAME-ASHWANIYADAV]

Hey @markmandel, makes total sense!

I have updated the workflow:
a) I have merged everything back into a single job (no separate environment gating)
b) Added a comment pointing to the repo-level setting (Require approval for all outside collaborators) which safely gates the entire workflow for fork PRs
c) Squashed everything into a single clean commit

[NAME-ASHWANIYADAV]

i hope it is good now pls review and tell if it needs any changes