Add Kyverno manifest check #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check Kyverno manifests | |
on: | |
pull_request: | |
branches: | |
- master | |
jobs: | |
check-for-kyverno: | |
runs-on: ubuntu-latest | |
outputs: | |
kyverno-found: ${{ steps.kyverno-check.outputs.found }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
# Fetch both the merge commit GitHub generates for the pull request | |
# and both its parents, i.e. the tip of the branch and the tip of master | |
fetch-depth: 2 | |
- name: Get list of changed files | |
id: changed-files | |
run: | | |
echo "changed-files=$(git diff --name-only --diff-filter=d HEAD^1 HEAD)" | \ | |
while IFS= read -r line; do printf 'changed-files=%q\n' "$line"; done >> "$GITHUB_OUTPUT" | |
- name: Check for kyverno in changed files | |
id: kyverno-check | |
run: | | |
files=$(echo "${{ steps.changed-files.outputs.changed-files }}" | tr ',' '\n') | |
echo "changed-files $files" | |
for file in "${files}"; do | |
echo ${file} | |
if [[ "${file}" == *"kyverno"* ]]; then | |
echo "Kyverno files changed: ${file}" | |
echo "::set-output name=found::true" | |
exit 0 | |
fi | |
done | |
echo "No Kyverno files changed" | |
echo "::set-output name=found::false" | |
compare-with-upstream: | |
needs: check-for-kyverno | |
if: needs.check-for-kyverno.outputs.kyverno-found == 'true' | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: ./kyverno// | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# with: | |
- name: install `kustomize-build-dirs` | |
run: | | |
curl \ | |
--location \ | |
--silent \ | |
https://github.com/utilitywarehouse/manifest-checkers/releases/download/v0.1.0/manifest-checkers_Linux_x86_64.tar.gz \ | |
| tar \ | |
--directory /usr/local/bin \ | |
--extract \ | |
--gzip \ | |
--file - \ | |
kustomize-build-dirs \ | |
- name: Ensure Kustomize | |
run: >- | |
command -v kustomize || | |
curl --silent --location https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.2.1/kustomize_v5.2.1_linux_amd64.tar.gz | | |
tar zx -C /usr/local/bin | |
- name: Run `kustomize build` | |
run: | | |
set -o pipefail | |
mkdir built-manifests/ | |
kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/manifest1.yaml | |
- name: Update upsteam manifest | |
run: | | |
make get-upstream | |
- name: Run `kustomize build` with updated upstream | |
run: | | |
set -o pipefail | |
kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/manifest2.yaml | |
- name: Compare both manifests | |
id: diff | |
run: | | |
diff_output="$(diff built-manifests/manifest1.yaml built-manifests/manifest2.yaml)" || true | |
if [ -n "$diff_output" ] | |
then | |
echo "diff-output<<EOF" >> "$GITHUB_OUTPUT" | |
awk -v max_length=25000 '{len+=length(); print} len >= max_length {exit(0)}' <<< "${diff_output}" >> "$GITHUB_OUTPUT" | |
echo -e "\n=============================================" >> "$GITHUB_OUTPUT" | |
if [[ ${#diff_output} -gt 25000 ]] | |
then | |
echo -e "(Diff output is truncated to 25000 characters)" >> "$GITHUB_OUTPUT" | |
fi | |
echo "EOF" >> "$GITHUB_OUTPUT" | |
fi | |
- name: Diff as PR comment | |
if: steps.diff.outputs.diff-output != '' | |
uses: marocchino/sticky-pull-request-comment@v2 | |
with: | |
header: k8s-diff | |
recreate: true | |
message: | | |
Post `kustomize build` diff: | |
```diff | |
${{ steps.diff.outputs.diff-output }} | |
``` |