
feat(repo): add deprecate-archived-plugins workflow from BCP#2664

Merged

hopehadfield merged 3 commits into redhat-developer:main from christoph-jerolimov:repo/add-deprecate-archived-plugins-workflow on Apr 1, 2026

Conversation

@christoph-jerolimov
Member

Hey, I just made a Pull Request!

Just duplicated the deprecate-archived-plugins workflow from BCP.

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>
@christoph-jerolimov christoph-jerolimov self-assigned this Apr 1, 2026
@christoph-jerolimov christoph-jerolimov requested review from a team as code owners April 1, 2026 13:57
@rhdh-qodo-merge

Review Summary by Qodo

Add deprecate-archived-plugins workflow automation

✨ Enhancement


Walkthroughs

Description
• Add automated workflow to deprecate archived plugins
• Implement bash script to process archived plugins list
• Trigger deprecation on archived-plugins.json changes
• Support dry-run mode for testing deprecations
Diagram

```mermaid
flowchart LR
  A["archived-plugins.json"] -->|triggers on push| B["deprecate-archived-plugins.yml"]
  B -->|runs| C["deprecate-archived-plugins.sh"]
  C -->|reads| A
  C -->|validates & deprecates| D["NPM Registry"]
```


File Changes

1. scripts/ci/deprecate-archived-plugins.sh ✨ Enhancement +59/-0

Bash script for automated plugin deprecation

• New bash script to automate package deprecation process
• Reads archived plugins from JSON configuration file
• Supports dry-run mode for testing without actual deprecation
• Validates packages exist before deprecating and generates descriptive messages

2. .github/workflows/deprecate-archived-plugins.yml ✨ Enhancement +26/-0

GitHub Actions workflow for plugin deprecation

• New GitHub Actions workflow triggered on archived-plugins.json changes
• Sets up Node.js environment with NPM registry authentication
• Executes deprecation script with NPM token for registry access


@rhdh-qodo-merge

rhdh-qodo-merge bot commented Apr 1, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)

Action required

1. Pipeline masks jq failure 🐞 Bug ☼ Reliability
Description
scripts/ci/deprecate-archived-plugins.sh uses set -e but pipes jq into a while loop without
pipefail, so missing/invalid JSON (or a missing file) can cause jq to fail while the script
still exits successfully. This can make the workflow report success while performing zero
deprecations, hiding operational failures.
Code

scripts/ci/deprecate-archived-plugins.sh[R3-28]

+set -e
+
+# Get script directory and archived file path
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ARCHIVED_FILE="$(dirname "$(dirname "$SCRIPT_DIR")")/.github/archived-plugins.json"
+
+# Check if dry run (first argument)
+DRY_RUN=${1:-false}
+
+if [[ "$DRY_RUN" == "--dry-run" ]]; then
+    DRY_RUN=true
+    echo "DRY RUN MODE"
+else
+    DRY_RUN=false
+fi
+
+echo "Processing archived packages..."
+
+# Extract unique plugins from archived-plugins.json file
+# Format: package_name|workspace|plugin|reason
+jq -r '
+  .archived 
+  | unique_by(.pluginName) 
+  | .[] 
+  | "\(.pluginName)|\(.workspace)|\(.plugin)|\(.reason)"
+' "$ARCHIVED_FILE" | while IFS='|' read -r package_name workspace plugin reason; do
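Review bot: the `jq ... | while` pipeline on the last line of this hunk drops jq's exit status: with `set -e` alone the pipeline's status is that of `while`, so a missing `$ARCHIVED_FILE` or malformed JSON ends the run with status 0 and zero deprecations, and the workflow goes green. Use `set -euo pipefail` and feed the loop with `done < <(jq -r '...' "$ARCHIVED_FILE")`, and check the file first with `[[ -f "$ARCHIVED_FILE" ]] || { echo "Missing $ARCHIVED_FILE" >&2; exit 1; }`. Two smaller points in the same hunk: `DRY_RUN=${1:-false}` is immediately overwritten by both branches of the `if`, so the `:-false` default does nothing and the line can just be `DRY_RUN=${1:-}`; and any first argument other than the exact string `--dry-run` silently selects live mode, so for a script that runs with a publish token it is safer to reject unknown arguments with a usage message and a non-zero exit than to fall through to the real deprecation.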
Evidence
The script enables set -e but the jq ... | while ... pipeline does not propagate jq failures
because the pipeline exit status is determined by the last command (while), allowing upstream
failures to be ignored without set -o pipefail or process substitution.

scripts/ci/deprecate-archived-plugins.sh[3-3]
scripts/ci/deprecate-archived-plugins.sh[23-28]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The deprecation script can silently succeed when `jq` fails (e.g., missing file, invalid JSON/query) because `set -e` does not catch failures inside a pipeline whose last command succeeds.

### Issue Context
The script currently does `jq ... "$ARCHIVED_FILE" | while ...; do ...; done`. In bash, without `set -o pipefail`, the pipeline status is the status of the `while` loop, not `jq`.

### Fix Focus Areas
- scripts/ci/deprecate-archived-plugins.sh[1-59]

### Suggested fix
- Switch to `set -euo pipefail`.
- Avoid piping into `while`; instead use process substitution:
 - `while ...; do ...; done < <(jq -r '...' "$ARCHIVED_FILE")`
- Optionally add an explicit file check before running jq:
 - `[[ -f "$ARCHIVED_FILE" ]] || { echo "Missing $ARCHIVED_FILE"; exit 1; }`

Remediation recommended

2. Actions not SHA pinned 🐞 Bug ⛨ Security
Description
The new workflow uses floating action tags (actions/checkout@v4, actions/setup-node@v4) instead
of pinning to immutable commit SHAs, which increases supply-chain risk for a workflow that runs with
an npm publish token. This is inconsistent with other workflows in this repo that pin actions to
SHAs.
Code

.github/workflows/deprecate-archived-plugins.yml[R14-20]

+      - uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          registry-url: 'https://registry.npmjs.org'
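Review bot: both `uses:` lines in this hunk reference mutable tags (`actions/checkout@v4`, `actions/setup-node@v4`), and this job runs with `NODE_AUTH_TOKEN` populated from `secrets.NPM_TOKEN`, so a retargeted or compromised tag would execute with publish credentials in its environment. Pin each action to a full commit SHA with the version recorded in a trailing comment, matching the pinning the review cites in `.github/workflows/release.yml`; the SHA makes the action immutable while the comment keeps version bumps reviewable. `registry-url` is the right way to make `setup-node` write the `.npmrc` that reads `NODE_AUTH_TOKEN`, so keep it once the action is pinned.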
Evidence
The new workflow references actions by moving tags, while existing workflows in-repo pin the same
actions to specific commit SHAs, demonstrating the expected security posture in this repository.

.github/workflows/deprecate-archived-plugins.yml[14-20]
.github/workflows/release.yml[16-23]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow uses floating action tags (`@v4`) which can change over time and weakens supply-chain security.

### Issue Context
Other workflows in this repository pin GitHub Actions to commit SHAs.

### Fix Focus Areas
- .github/workflows/deprecate-archived-plugins.yml[14-20]
- .github/workflows/release.yml[16-23]

### Suggested fix
- Replace `actions/checkout@v4` and `actions/setup-node@v4` with the same SHA-pinned versions used elsewhere in this repo (or update to current SHAs and pin them).

3. Workflow permissions implicit 🐞 Bug ⛨ Security
Description
The workflow does not declare a permissions block, so GITHUB_TOKEN permissions are inherited
from the repo/org default and may be broader than needed for this job. This unnecessarily increases
the blast radius if any step is compromised while also handling NPM_TOKEN.
Code

.github/workflows/deprecate-archived-plugins.yml[R10-26]

+jobs:
+  deprecate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Deprecate packages
+        run: ./scripts/ci/deprecate-archived-plugins.sh
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_REGISTRY: https://registry.npmjs.org
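Review bot: no `permissions:` block is declared at workflow or job level, so the job's `GITHUB_TOKEN` inherits the repository default even though the only GitHub operation in this hunk is `actions/checkout`. Add `permissions:` with `contents: read` at the top level, following the `validate-codeowners.yml` convention the review cites, so a compromised step cannot use the token beyond reading the repository. The `Deprecate packages` step also runs the script without `--dry-run`, so every push that changes `archived-plugins.json` deprecates packages on the live registry with `NPM_TOKEN`; consider binding the job to a GitHub `environment` with required reviewers, or a `workflow_dispatch` gate, so the live-registry step needs an explicit approval. `NPM_CONFIG_REGISTRY` duplicates the `registry-url` already given to `setup-node`; harmless, but one source of truth avoids the two drifting apart.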
Evidence
The new workflow has no explicit permissions configuration, while other workflows in the repo
explicitly scope permissions, indicating a repo convention and reducing default-token risk.

.github/workflows/deprecate-archived-plugins.yml[1-26]
.github/workflows/validate-codeowners.yml[9-12]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Missing explicit workflow `permissions` means the job uses the repository default `GITHUB_TOKEN` permissions, which may be broader than required.

### Issue Context
This job only needs to checkout repository contents; it does not appear to need write access to GitHub resources.

### Fix Focus Areas
- .github/workflows/deprecate-archived-plugins.yml[1-26]

### Suggested fix
Add a top-level permissions block, e.g.:
```yaml
permissions:
 contents: read
```
(Adjust only if additional permissions are truly required.)
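The pipeline-masking failure described in item 1 above, shown in runnable form. This is an added example, not code from the PR or the repository: `cat` stands in for the script's `jq` invocation (both fail the same way on a missing file, and it keeps the example free of a jq dependency), the row format `package_name|workspace|plugin|reason` is taken from the script's own comment, the package names, workspaces and file paths are constructed, and an `echo` replaces the real `npm deprecate` call. The strict form captures the producer's output and exit status before looping, which needs neither `pipefail` nor the bash-only `< <(...)` process substitution the review suggests and therefore also works in POSIX sh; either fix is fine in the script itself, which already targets bash.

```shell
#!/usr/bin/env bash
# Added example (not code from the PR or the repository). `cat` stands in
# for the script's `jq` invocation; both fail the same way on a missing
# file. Rows use the script's own "package_name|workspace|plugin|reason"
# format; package names, workspaces and paths below are constructed.

# Masked form: mirrors the PR's `jq ... | while ... done` pipeline.
# The pipeline's status is the status of `while`, so with a missing or
# unreadable file the producer complains on stderr, the loop runs zero
# times and the function still returns 0, even under `set -e`.
masked_pipeline() {
    file=$1
    (
        set -e
        cat "$file" | while IFS='|' read -r package_name workspace plugin reason; do
            echo "would deprecate $package_name ($workspace/$plugin): $reason"
        done
    )
}

# Strict form: check the file, capture the producer's output together
# with its exit status, and only then loop over the rows. This needs
# neither `set -o pipefail` nor bash's `< <(...)` process substitution,
# so it also works in POSIX sh; the loop is not in a subshell, so
# `count` survives it and the log shows how many rows were handled.
strict_pipeline() {
    file=$1
    [ -f "$file" ] || { echo "Missing $file" >&2; return 1; }
    rows=$(cat "$file") || { echo "Reading $file failed" >&2; return 1; }
    count=0
    while IFS='|' read -r package_name workspace plugin reason; do
        [ -n "$package_name" ] || continue      # skip blank lines
        echo "would deprecate $package_name ($workspace/$plugin): $reason"
        count=$((count + 1))
    done <<EOF
$rows
EOF
    echo "processed $count package(s)"
}

# Writes two constructed rows to a temp file and prints its path.
sample_rows_file() {
    sample_file=$(mktemp)
    printf '%s\n' \
        '@example/plugin-a|workspace-a|plugin-a|superseded by plugin-b' \
        '@example/plugin-b|workspace-b|plugin-b|no longer maintained' > "$sample_file"
    echo "$sample_file"
}

# Demo: the masked form reports success for a file that does not exist,
# the strict form fails closed, and on real rows the strict form reports
# how many packages it processed.
masked_pipeline /nonexistent/archived-plugins.json && echo "masked form exit status: 0 (failure hidden)"
strict_pipeline /nonexistent/archived-plugins.json || echo "strict form exit status: $?"
strict_pipeline "$(sample_rows_file)"
```

Run it and compare the two "exit status" lines: the masked form prints the `cat` error yet exits 0, which is exactly what would let the workflow pass while deprecating nothing; the strict form returns 1 before any row is looked at.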

Member

@hopehadfield hopehadfield left a comment


Just a couple small changes but otherwise lgtm.

There's also a script in backstage/community-plugins that automates all the changes done in #2665, but it would need a number of changes for our repo. I'll move that over in future + add the instructions for archiving in our repo to capture the whole process, as I can imagine this won't be the last plugin we archive here 😉

christoph-jerolimov and others added 2 commits April 1, 2026 17:11
Co-authored-by: Hope Hadfield <hhadfiel@redhat.com>
Co-authored-by: Hope Hadfield <hhadfiel@redhat.com>
@christoph-jerolimov
Member Author

Thanks @hopehadfield, I saw that script but I expected that it wouldn't work directly. In general we should align our repo again.

I applied both recommendations, please take a look again. Thanks :)

@sonarqubecloud

sonarqubecloud bot commented Apr 1, 2026

@hopehadfield hopehadfield merged commit 32a88b0 into redhat-developer:main Apr 1, 2026
8 checks passed
@christoph-jerolimov christoph-jerolimov deleted the repo/add-deprecate-archived-plugins-workflow branch April 2, 2026 07:44