fix(flux): maintain a copy of CRDs and the ClusterRole in deploy/kustomize/base #2027
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: | |
| contents: read | |
| name: PR Validation | |
| on: | |
| pull_request: | |
| merge_group: | |
| jobs: | |
| file-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone the code | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: reviewdog | |
| uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0 | |
| with: | |
| reviewdog_version: latest | |
| - name: Trailing Whitespace | |
| shell: bash | |
| env: | |
| REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} | |
| run: | | |
| set -e | |
| pushd "${GITHUB_WORKSPACE}/" || exit 1 | |
| echo '::group:: Flagging trailing whitespace with reviewdog 🐶 ...' | |
| # Don't fail because of grep | |
| set +o pipefail | |
| # Exclude generated and vendored files, plus some legacy | |
| # paths until we update all .gitattributes | |
| git ls-files | | |
| git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| git check-attr --stdin ignore-lint | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| grep -Ev '^(vendor/|third_party/|LICENSES/|.git|bundle/|embeds/grafonnet-lib/)' | | |
| grep -v api.md | | |
| xargs grep -nE " +$" | | |
| reviewdog -efm="%f:%l:%m" \ | |
| -name="trailing whitespace" \ | |
| -reporter="github-pr-check" \ | |
| -filter-mode="added" \ | |
| -fail-on-error="true" \ | |
| -level="error" | |
| echo '::endgroup::' | |
| popd | |
| - name: EOF newline | |
| shell: bash | |
| env: | |
| REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} | |
| run: | | |
| set -e | |
| pushd "${GITHUB_WORKSPACE}/" || exit 1 | |
| git status | |
| echo '::group:: Flagging missing EOF newlines with reviewdog 🐶 ...' | |
| # Don't fail because of misspell | |
| set +o pipefail | |
| # Lint exclude rule: | |
| # - nothing in vendor/ | |
| # - nothing in third_party | |
| # - nothing in .git/ | |
| # - no *.ai (Adobe Illustrator) files. | |
| LINT_FILES=$(git ls-files | | |
| git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| git check-attr --stdin ignore-lint | grep -Ev ': (set|true)$' | cut -d: -f1 | | |
| grep -Ev '^(vendor/|third_party/|LICENSES/|.git|embeds/grafonnet-lib/)' | | |
| grep -v '\.ai$' | | |
| grep -v '\.svg$') | |
| for x in $LINT_FILES; do | |
| # Based on https://stackoverflow.com/questions/34943632/linux-check-if-there-is-an-empty-line-at-the-end-of-a-file | |
| if [[ -f $x && ! ( -s "$x" && -z "$(tail -c 1 $x)" ) ]]; then | |
| # We add 1 to `wc -l` here because of this limitation (from the man page): | |
| # Characters beyond the final <newline> character will not be included in the line count. | |
| echo $x:$((1 + $(wc -l $x | tr -s ' ' | cut -d' ' -f 1))): Missing newline | |
| fi | |
| done | | |
| reviewdog -efm="%f:%l: %m" \ | |
| -name="EOF Newline" \ | |
| -reporter="github-pr-check" \ | |
| -filter-mode="added" \ | |
| -fail-on-error="true" \ | |
| -level="error" | |
| echo '::endgroup::' | |
| popd | |
| go-lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: Setup go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v6.0.1 | |
| with: | |
| version: "v1.57.2" | |
| - name: Verify golangci-lint config | |
| run: | | |
| golangci-lint config verify | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: Setup go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Run test | |
| run: | | |
| make test | |
| - name: Check if working tree is dirty | |
| run: | | |
| if [[ $(git status --porcelain) ]]; then | |
| git diff | |
| echo '::error::run make test and commit changes' | |
| exit 1 | |
| fi | |
| helm: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: Setup go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Run helm-template | |
| run: | | |
| helm template deploy/helm/grafana-operator/ | |
| - name: Run helm-lint | |
| run: | | |
| helm lint deploy/helm/grafana-operator/ | |
| - name: Run helm-docs | |
| run: | | |
| make helm/docs | |
| - name: Check if working tree is dirty | |
| run: | | |
| if [[ $(git status --porcelain) ]]; then | |
| git diff | |
| echo '::error::run make helm/docs and commit changes' | |
| exit 1 | |
| fi | |
| kustomize: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: Setup go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Install kustomize | |
| run: | | |
| make kustomize | |
| - name: Check if overlays can be successfully built | |
| run: | | |
| for d in deploy/kustomize/overlays/*/ ; do | |
| kustomize build "$d" --load-restrictor LoadRestrictionsNone > /dev/null | |
| done | |
| trivy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v4 #v3.2.0 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: "fs" | |
| scan-ref: "." | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| severity: "CRITICAL,HIGH" |