Skip to content

build-definitions update #7554

build-definitions update

build-definitions update #7554

Workflow file for this run

name: Check Kubernetes YAMLs with kube-linter
on:
# Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present kube-linter
# SARIF reports.
pull_request:
branches: [ main ]
jobs:
scan:
permissions: write-all
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# This prepares directory where github/codeql-action/upload-sarif@v1 looks up report files by default.
- name: Create ../results directory for SARIF report files
shell: bash
run: mkdir -p ../results kustomizedfiles
- name: Setup Kustomize
uses: multani/action-setup-kustomize@v1
with:
version: 5.1.1
- name: Run kustomize build
run: |
find argo-cd-apps components -name 'kustomization.yaml' \
! -path '*/k-components/*' \
! -path 'components/repository-validator/staging/*' \
! -path 'components/repository-validator/production/*' \
| \
xargs -I {} -n1 -P8 bash -c 'dir=$(dirname "{}"); output_file=$(echo $dir | tr / -)-kustomization.yaml; if ! log=$(kustomize build "$dir" -o "kustomizedfiles/$output_file" 2>&1); then echo "Error when running kustomize build for $dir: $log" && exit 1;fi'
- name: Scan yaml files with kube-linter
uses: stackrox/[email protected]
id: kube-linter-action-scan
with:
# version 0.6.6 contains a new liveness check. We do have a few liveness issue already so use previous version for now
# Once we fix all issues, we will revert to use latest again.
version: v0.6.5
# Adjust this directory to the location where your kubernetes resources and helm charts are located.
directory: kustomizedfiles
# The following two settings make kube-linter produce scan analysis in SARIF format which would then be
# made available in GitHub UI via upload-sarif action below.
format: sarif
output-file: ../results/kube-linter.sarif
# The following line prevents aborting the workflow immediately in case your files fail kube-linter checks.
# This allows the following upload-sarif action to still upload the results to your GitHub repo.
continue-on-error: true
- name: Upload SARIF report files to GitHub
uses: github/codeql-action/upload-sarif@v2
# Ensure the workflow eventually fails if files did not pass kube-linter checks.
- name: Verify kube-linter-action succeeded
shell: bash
run: |
echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
[[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]