Warn on unanchored VerificationPolicy resource patterns #2678
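name: ci
on: [pull_request]
# One in-flight run per PR: a newer push cancels the previous run.
# The event property is `pull_request` (underscore). The previous
# `pull-request.number` evaluated to null and silently fell back to
# github.ref on every run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
defaults:
  run:
    # An explicit `shell: bash` makes GitHub run steps with `bash -eo pipefail`,
    # so any failing command fails the step without per-step `set -e`.
    shell: bash
# Least privilege for the default GITHUB_TOKEN; a job that needs more
# (e.g. linting's `checks: write`) widens it locally.
permissions:
  contents: read
jobs: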
| changes: | |
| name: categorize changes | |
| runs-on: ubuntu-latest | |
| outputs: | |
| non-docs: ${{ steps.detect.outputs.non-docs }} | |
| yaml: ${{ steps.detect.outputs.yaml }} | |
| steps: | |
| - name: Get base depth | |
| id: base-depth | |
| run: echo "base-depth=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_OUTPUT | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: ${{ steps.base-depth.outputs.base-depth }} | |
| persist-credentials: false | |
| - name: detect | |
| id: detect | |
| run: | | |
| git fetch origin ${GITHUB_BASE_REF} | |
| CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n') | |
| echo -e "Changed files:\n${CHANGED_FILES}" | |
| # If there are no changed files, non-docs and yaml are not set and remain false by default. | |
| # This ensures that jobs depending on these outputs do not run when there are no changes. | |
| if [[ -n "${CHANGED_FILES}" ]]; then | |
| NON_DOCS='false' | |
| YAML='false' | |
| while read -r file; do | |
| if [[ "$file" != *.md ]]; then | |
| NON_DOCS='true' | |
| break | |
| fi | |
| done <<< "${CHANGED_FILES}" | |
| while read -r file; do | |
| if [[ "$file" == *.yaml || "$file" == *.yml ]]; then | |
| YAML='true' | |
| break | |
| fi | |
| done <<< "${CHANGED_FILES}" | |
| echo "non-docs=${NON_DOCS}" | tee -a $GITHUB_OUTPUT | |
| echo "yaml=${YAML}" | tee -a $GITHUB_OUTPUT | |
| fi | |
| build: | |
| name: build | |
| runs-on: ubuntu-latest | |
| needs: [changes] | |
| if: ${{ needs.changes.outputs.non-docs == 'true' }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: build | |
| run: | | |
| go build -v ./... | |
| buildFips: | |
| name: buildFips | |
| runs-on: ubuntu-latest | |
| needs: [changes] | |
| if: ${{ needs.changes.outputs.non-docs == 'true' }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: build | |
| run: | | |
| go build -v -tags "disable_spire,disable_tls" ./cmd/entrypoint | |
| echo "Build finished with exit code: $?" | |
| linting: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| checks: write # Used by golangci-lint to annotate code in the PR | |
| needs: [changes] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: gofmt | |
| if: ${{ needs.changes.outputs.non-docs == 'true' }} | |
| run: | | |
| gofmt_out=$(gofmt -d $(find * -name '*.go' ! -path 'vendor/*' ! -path 'third_party/*')) | |
| if [[ -n "$gofmt_out" ]]; then | |
| failed=1 | |
| fi | |
| echo "$gofmt_out" | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 | |
| if: ${{ needs.changes.outputs.non-docs == 'true' }} | |
| with: | |
| version: v2.8.0 | |
| args: --new-from-merge-base=origin/${{ github.base_ref }} --timeout=10m | |
| - name: yamllint | |
| if: ${{ needs.changes.outputs.yaml == 'true' }} | |
| run: | | |
| apt-get update && apt-get install -y yamllint | |
| make yamllint | |
| - name: check-license | |
| if: ${{ needs.changes.outputs.non-docs == 'true' }} | |
| run: | | |
| go install github.com/google/go-licenses@v1.0.0 | |
| go-licenses check ./... | |
| tests: | |
| needs: [build] | |
| name: test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: unit-test | |
| run: | | |
| make test-unit-verbose-and-race | |
| generated: | |
| needs: [build] | |
| name: Check generated code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: generated | |
| run: | | |
| ./hack/verify-codegen.sh | |
| multi-arch-build: | |
| needs: [build] | |
| name: Multi-arch build | |
| runs-on: ubuntu-latest | |
| env: | |
| KOCACHE: /tmp/ko-cache | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Cache ko build cache | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: /tmp/ko-cache | |
| key: ${{ runner.os }}-${{ runner.arch }}-ko-${{ hashFiles('go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ runner.arch }}-ko- | |
| - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 | |
| - name: ko-resolve | |
| run: | | |
| # Use the repository's .ko.yaml for consistent base images | |
| KO_DOCKER_REPO=example.com ko resolve -l 'app.kubernetes.io/component!=resolvers' --platform=all --push=false -R -f config 1>/dev/null | |
| KO_DOCKER_REPO=example.com ko resolve --platform=all --push=false -f config/resolvers 1>/dev/null | |
| e2e-tests: | |
| needs: [build] | |
| uses: ./.github/workflows/e2e-matrix.yml | |
| ci-summary: | |
| name: CI summary | |
| needs: [build, buildFips, linting, tests, generated, multi-arch-build, e2e-tests] | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Check CI results | |
| run: | | |
| results=( | |
| "build=${NEEDS_BUILD_RESULT}" | |
| "buildFips=${NEEDS_BUILDFIPS_RESULT}" | |
| "linting=${NEEDS_LINTING_RESULT}" | |
| "tests=${NEEDS_TESTS_RESULT}" | |
| "generated=${NEEDS_GENERATED_RESULT}" | |
| "multi-arch-build=${NEEDS_MULTI_ARCH_BUILD_RESULT}" | |
| "e2e-tests=${NEEDS_E2E_TESTS_RESULT}" | |
| ) | |
| failed=0 | |
| for r in "${results[@]}"; do | |
| name="${r%%=*}" | |
| result="${r#*=}" | |
| echo "${name}: ${result}" | |
| if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then | |
| failed=1 | |
| fi | |
| done | |
| if [ "$failed" -eq 1 ]; then | |
| echo "" | |
| echo "Some CI jobs failed or were cancelled" | |
| exit 1 | |
| fi | |
| echo "" | |
| echo "All CI checks passed" | |
| env: | |
| NEEDS_BUILD_RESULT: ${{ needs.build.result }} | |
| NEEDS_BUILDFIPS_RESULT: ${{ needs.buildFips.result }} | |
| NEEDS_LINTING_RESULT: ${{ needs.linting.result }} | |
| NEEDS_TESTS_RESULT: ${{ needs.tests.result }} | |
| NEEDS_GENERATED_RESULT: ${{ needs.generated.result }} | |
| NEEDS_MULTI_ARCH_BUILD_RESULT: ${{ needs.multi-arch-build.result }} | |
| NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }} |