Add Kyverno manifest check #20
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check Kyverno manifests | |
| on: | |
| pull_request: | |
| branches: | |
| - master | |
| jobs: | |
| check-for-kyverno: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| kyverno-found: ${{ steps.kyverno-check.outputs.found }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # Fetch both the merge commit GitHub generates for the pull request | |
| # and both its parents, i.e. the tip of the branch and the tip of master | |
| fetch-depth: 2 | |
| - name: Check for kyverno in changed files | |
| id: kyverno-check | |
| run: | | |
| changed_files="$(git diff --name-only --diff-filter=d HEAD^1 HEAD)" | |
| # Look for any files changed in kyverno directory | |
| while IFS= read -r file; do | |
| if [[ "${file}" == "kyverno"* ]]; then | |
| echo "::set-output name=found::true" | |
| exit 0 | |
| fi | |
| done <<< "${changed_files}" | |
| echo "::set-output name=found::false" | |
| compare-with-upstream: | |
| needs: check-for-kyverno | |
| if: needs.check-for-kyverno.outputs.kyverno-found == 'true' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./kyverno// | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Ensure Kustomize | |
| run: >- | |
| command -v kustomize || | |
| curl --silent --location https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.2.1/kustomize_v5.2.1_linux_amd64.tar.gz | | |
| tar zx -C /usr/local/bin | |
| - name: Run `kustomize build` | |
| run: | | |
| set -o pipefail | |
| mkdir built-manifests/ | |
| kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/head.yaml | |
| - name: Get checkout info | |
| id: get-checkout-info | |
| run: | | |
| echo "master-sha=$(git rev-parse --verify HEAD^1)" >> "$GITHUB_OUTPUT" | |
| - name: Checkout master | |
| run: | | |
| git -c advice.detachedHead=false checkout --force "${{ steps.get-checkout-info.outputs.master-sha}}" | |
| - name: Run `kustomize build` across files in master | |
| run: | | |
| set -o pipefail | |
| kustomize build deploy/ | yq eval "select(.kind != \"CustomResourceDefinition\")" > built-manifests/master.yaml | |
| - name: Compare both manifests | |
| id: diff | |
| run: | | |
| diff_output="$(diff built-manifests/head.yaml built-manifests/master.yaml)" || true | |
| if [ -n "$diff_output" ] | |
| then | |
| echo "diff-output<<EOF" >> "$GITHUB_OUTPUT" | |
| awk -v max_length=25000 '{len+=length(); print} len >= max_length {exit(0)}' <<< "${diff_output}" >> "$GITHUB_OUTPUT" | |
| echo -e "\n=============================================" >> "$GITHUB_OUTPUT" | |
| if [[ ${#diff_output} -gt 25000 ]] | |
| then | |
| echo -e "(Diff output is truncated to 25000 characters)" >> "$GITHUB_OUTPUT" | |
| fi | |
| echo "EOF" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Diff as PR comment | |
| if: steps.diff.outputs.diff-output != '' | |
| uses: marocchino/sticky-pull-request-comment@v2 | |
| with: | |
| header: k8s-diff | |
| recreate: true | |
| message: | | |
| Post `kustomize build` diff: | |
| ```diff | |
| ${{ steps.diff.outputs.diff-output }} | |
| ``` |