Skip to content
Check Kyverno manifests

Add Kyverno manifest check #1

Sign in to view logs

Add Kyverno manifest check

Add Kyverno manifest check #1

Workflow file for this run

.github/workflows/kyverno-checks.yaml at dac4f45
name: Check Kyverno manifests
on:
pull_request:
branches:
- master
jobs:
check-for-kyverno:
runs-on: ubuntu-latest
outputs:
kyverno-found: ${{ steps.kyverno-check.outputs.found }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Get list of changed files
id: changed-files
run: |
echo "changed-files=$(git diff --name-only --diff-filter=d HEAD^1 HEAD)" >> "$GITHUB_OUTPUT"
- name: Check for kyverno in changed files
id: kyverno-check
run: |
files=$(echo "${{ steps.changed-files.outputs.changed-files }}" | tr ',' '\n')
echo "changed-files $files"
for file in "${files}"; do
echo ${file}
if [[ "${file}" == *"kyverno"* ]]; then
echo "Kyverno files changed: ${file}"
echo "::set-output name=found::true"
exit 0
fi
done
echo "No Kyverno files changed"
echo "::set-output name=found::false"
compare-with-upstream:
needs: check-for-kyverno
if: needs.check-for-kyverno.outputs.kyverno-found == 'true'
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./kyverno//
steps:
- name: Checkout
uses: actions/checkout@v4
# with:
- name: install `kustomize-build-dirs`
run: |
curl \
--location \
--silent \
https://github.com/utilitywarehouse/manifest-checkers/releases/download/v0.1.0/manifest-checkers_Linux_x86_64.tar.gz \
| tar \
--directory /usr/local/bin \
--extract \
--gzip \
--file - \
kustomize-build-dirs \
- name: Ensure Kustomize
run: >-
command -v kustomize ||
curl --silent --location https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.2.1/kustomize_v5.2.1_linux_amd64.tar.gz |
tar zx -C /usr/local/bin
- name: Run `kustomize build`
run: |
set -o pipefail
mkdir built-manifests/
kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/manifest1.yaml
- name: Update upsteam manifest
run: |
make get-upstream
- name: Run `kustomize build` with updated upstream
run: |
set -o pipefail
kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/manifest2.yaml
- name: Compare both manifests
id: diff
run: |
diff_output="$(diff built-manifests/manifest1.yaml built-manifests/manifest2.yaml)" || true
if [ -n "$diff_output" ]
then
echo "diff-output<<EOF" >> "$GITHUB_OUTPUT"
awk -v max_length=25000 '{len+=length(); print} len >= max_length {exit(0)}' <<< "${diff_output}" >> "$GITHUB_OUTPUT"
echo -e "\n=============================================" >> "$GITHUB_OUTPUT"
if [[ ${#diff_output} -gt 25000 ]]
then
echo -e "(Diff output is truncated to 25000 characters)" >> "$GITHUB_OUTPUT"
fi
echo "EOF" >> "$GITHUB_OUTPUT"
fi
- name: Diff as PR comment
if: steps.diff.outputs.diff-output != ''
uses: marocchino/sticky-pull-request-comment@v2
with:
header: k8s-diff
recreate: true
message: |
Post `kustomize build` diff:
```diff
${{ steps.diff.outputs.diff-output }}
```