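# CI workflow: script unit tests, generated-template/doc drift checks, OPA unit
# tests across OS and OPA versions, Gatekeeper integration tests, and gator
# suite verification. Every third-party action is pinned to a commit SHA with
# the tag recorded in a trailing comment.
name: CI
on:
  push:
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "website/**"
    branches: [master]
  pull_request:
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "website/**"
    branches: [master]

# Workflow-wide default for the GITHUB_TOKEN: no job needs more than read.
permissions:
  contents: read

jobs:
  website_script_unit_test:
    runs-on: ubuntu-latest
    name: "Test scripts"
    steps:
      # Same runner hardening as every other job in this file; it was the only
      # job without it.
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Unit test
        run: |
          make unit-test

  generate:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # "audit" only records egress; it does not block it.
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Fails the job when committed generated files are out of date with
      # their sources.
      - name: Generate templates and docs
        run: |
          make generate generate-website-docs generate-artifacthub-artifacts
          git diff --exit-code || (echo "Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs" && exit 1)
      - name: Validation
        run: |
          make validate

  build:
    needs: generate
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: ["ubuntu-latest", "macos-latest"]
        opa: ["v0.44.0", "v0.57.1"]
    name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Installs the OPA release binary for the matrix version, then runs the
      # repository's test script against it.
      # NOTE(review): the downloaded binary is not verified against a checksum
      # or signature before being placed on PATH — TODO add verification
      # against the release's published checksums.
      - run: |
          binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64")
          sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary
          sudo chmod +x /usr/local/bin/opa
          sh test.sh

  build_test:
    needs: generate
    runs-on: ubuntu-latest
    strategy:
      matrix:
        gatekeeper: ["3.17.1", "3.18.1"]
        engine: ["cel", "rego"]
    name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
    # The former `if: !(gatekeeper == '3.15.1' && engine == 'cel')` guards on
    # each step below were dead: 3.15.1 is not in this job's matrix, so every
    # cell ran unconditionally. They are dropped here; gator-verify keeps its
    # guard because its matrix still contains 3.15.1.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Bootstrap integration test
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make integration-bootstrap
          make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }}
      - name: Run integration test
        run: |
          make test-integration
      # Controller and audit logs are collected so failures can be diagnosed
      # from the uploaded artifact.
      - name: Save logs
        run: |
          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
      - name: Upload artifacts
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        # Runs even when an earlier step failed so the logs are still kept.
        if: ${{ always() }}
        with:
          name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
          path: |
            logs-*.json

  require_suites:
    runs-on: ubuntu-latest
    name: "Require a suite.yaml file alongside every template.yaml"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run script
        run: |
          make require-suites

  require_sync:
    runs-on: ubuntu-latest
    name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run script
        run: |
          make require-sync

  gator-verify:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        engine: ["cel", "rego"]
        gatekeeper: ["3.15.1", "3.16.3"]
    name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies"
    steps:
      # The 3.15.1/cel matrix cell is skipped on every step; remove these
      # guards once 3.15.1 leaves the matrix above.
      - name: Harden Runner
        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
      - run: |
          make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }} GATOR_VERSION=${{ matrix.gatekeeper }}
        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}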