diff --git a/.gitea/workflows/validate.yaml b/.gitea/workflows/validate.yaml
new file mode 100644
index 0000000..666b109
--- /dev/null
+++ b/.gitea/workflows/validate.yaml
@@ -0,0 +1,58 @@
+name: Validate Manifests
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install kubeconform
+ run: |
+ curl -sL https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz \
+ | tar xz -C /usr/local/bin
+ chmod +x /usr/local/bin/kubeconform
+
+ - name: Schema validation (kubeconform)
+ run: |
+ find . -name '*.yaml' -o -name '*.yml' \
+ | grep -v '\.gitea/' \
+ | sort \
+ | xargs kubeconform \
+ -strict \
+ -ignore-missing-schemas \
+ -kubernetes-version 1.30.0 \
+ -summary
+
+ - name: Install kubectl
+ run: |
+ K8S_VER=$(curl -sL https://dl.k8s.io/release/stable.txt)
+ curl -sLO "https://dl.k8s.io/release/${K8S_VER}/bin/linux/amd64/kubectl"
+ chmod +x kubectl && mv kubectl /usr/local/bin/kubectl
+
+ - name: Server-side dry-run (CRD existence check)
+ env:
+ KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+ run: |
+ echo "$KUBECONFIG_DATA" | base64 -d > /tmp/kube.yaml
+ # Apply all YAML files in sorted order — server-side dry-run rejects
+ # any apiVersion/Kind whose CRD is not installed in the cluster.
+ find . -name '*.yaml' -o -name '*.yml' \
+ | grep -v '\.gitea/' \
+ | sort \
+ | xargs -I{} kubectl apply \
+ --dry-run=server \
+ --kubeconfig /tmp/kube.yaml \
+ -f {} 2>&1 \
+ | tee /tmp/dryrun.log
+ rm -f /tmp/kube.yaml
+ # Fail if any "no kind is registered" or "no matches for kind" errors
+ if grep -qE "no kind is registered|no matches for kind|unknown field" /tmp/dryrun.log; then
+ echo "❌ Dry-run found unknown resources or fields — manifests reference CRDs not installed in the cluster"
+ exit 1
+ fi
+ echo "✅ All manifests passed server-side dry-run"
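Review bot: The server-side dry-run step is unsafe under either default the runner's shell may use: without `pipefail` the pipeline's status is that of `tee`, so a kubectl failure that prints none of the three grepped strings (bad kubeconfig, unreachable API server, RBAC denial) still reaches the "All manifests passed" line, and with `-e -o pipefail` the script exits before `rm -f /tmp/kube.yaml`. Setting the options explicitly and cleaning up from an EXIT trap, with the kubeconfig in a `mktemp` file under `umask 077`, makes the step fail closed and always removes the credential. Since the API server authorizes dry-run requests like real writes, the account behind `secrets.KUBECONFIG` has apply rights in a pull-request-triggered job and should be scoped as narrowly as the manifests allow. Separately, both install steps consume `curl -sL` output with no checksum check, and kubectl tracks `stable.txt` instead of a pinned version.

```yaml
      - name: Server-side dry-run (CRD existence check)
        # … unchanged: env KUBECONFIG_DATA …
        run: |
          set -euo pipefail
          umask 077
          KCFG=$(mktemp)
          trap 'rm -f "$KCFG"' EXIT
          echo "$KUBECONFIG_DATA" | base64 -d > "$KCFG"
          # … unchanged: find | grep -v | sort …
            | xargs -I{} kubectl apply \
                --dry-run=server \
                --kubeconfig "$KCFG" \
                -f {} 2>&1 \
            | tee /tmp/dryrun.log
          # … unchanged: grep for unknown kinds/fields, success message …
```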