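---
# CI gate for Kubernetes manifests on pull requests to main:
#   1. offline schema validation with kubeconform;
#   2. server-side dry-run against a live cluster, to catch resources whose
#      CRD is not installed there.
name: Validate Manifests

on:
  pull_request:
    branches: [main]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): v4 is a mutable tag; pinning the action to a full
        # commit SHA fixes the code that runs in this job.
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the checkout
          # token in the workspace's git config.
          persist-credentials: false

      - name: Install kubeconform
        run: |
          set -euo pipefail
          workdir=$(mktemp -d)
          # -f: fail on an HTTP error instead of handing an error page to tar.
          curl -fsSL -o "$workdir/kubeconform.tar.gz" \
            https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz
          # TODO(review): verify the archive against a SHA-256 pinned in this
          # file before extracting, e.g.
          #   echo "<EXPECTED_SHA256>  $workdir/kubeconform.tar.gz" | sha256sum --check
          # Unpack in a scratch directory and install only the binary, so no
          # other archive member lands in /usr/local/bin.
          tar xzf "$workdir/kubeconform.tar.gz" -C "$workdir"
          install -m 0755 "$workdir/kubeconform" /usr/local/bin/kubeconform
          rm -rf "$workdir"

      - name: Schema validation (kubeconform)
        run: |
          set -euo pipefail
          # NUL-delimited so a path containing spaces or newlines stays one
          # argument. Paths containing ".gitea/" are excluded (workflow files
          # are not Kubernetes manifests).
          # -ignore-missing-schemas skips kinds kubeconform has no schema for;
          # the server-side dry-run step below covers those.
          find . -type f \( -name '*.yaml' -o -name '*.yml' \) \
              ! -path '*.gitea/*' -print0 \
            | sort -z \
            | xargs -0 kubeconform \
                -strict \
                -ignore-missing-schemas \
                -kubernetes-version 1.30.0 \
                -summary

      - name: Install kubectl
        run: |
          set -euo pipefail
          # NOTE(review): stable.txt floats, so the kubectl version can change
          # between runs while kubeconform above is fixed to 1.30.0; consider
          # pinning K8S_VER to the version the cluster runs.
          K8S_VER=$(curl -fsSL https://dl.k8s.io/release/stable.txt)
          base="https://dl.k8s.io/release/${K8S_VER}/bin/linux/amd64"
          workdir=$(mktemp -d)
          curl -fsSL -o "$workdir/kubectl" "${base}/kubectl"
          curl -fsSL -o "$workdir/kubectl.sha256" "${base}/kubectl.sha256"
          # Catches truncated or corrupted downloads. The checksum comes from
          # the same origin as the binary, so it is an integrity check, not a
          # defence against a compromised download host.
          (cd "$workdir" && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check)
          install -m 0755 "$workdir/kubectl" /usr/local/bin/kubectl
          rm -rf "$workdir"

      - name: Server-side dry-run (CRD existence check)
        # This step sends pull-request content to a live API server using a
        # stored credential. Server-side dry-run is authorized like a real
        # apply, and only the client flag keeps it from persisting, so the
        # credential in secrets.KUBECONFIG should be scoped as narrowly as the
        # cluster's RBAC allows. Its actual permissions are not visible here.
        env:
          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
        run: |
          # Owner-only permissions for every file this step creates.
          umask 077
          kubeconfig=$(mktemp)
          # Remove the credential on every exit path, including failures.
          trap 'rm -f "$kubeconfig"' EXIT
          printf '%s' "$KUBECONFIG_DATA" | base64 -d > "$kubeconfig"

          # Apply all YAML files in sorted order — server-side dry-run rejects
          # any apiVersion/Kind whose CRD is not installed in the cluster.
          # NOTE(review): kubectl's exit status is lost in the pipeline into
          # tee, so only the patterns grepped below fail the job; an
          # authentication or connectivity error would still reach the
          # success message. Confirm that fail-open behaviour is intended.
          find . -type f \( -name '*.yaml' -o -name '*.yml' \) \
              ! -path '*.gitea/*' -print0 \
            | sort -z \
            | xargs -0 -I{} kubectl apply \
                --dry-run=server \
                --kubeconfig "$kubeconfig" \
                -f {} 2>&1 \
            | tee /tmp/dryrun.log

          # Fail on "no kind is registered", "no matches for kind" or
          # "unknown field" errors.
          if grep -qE "no kind is registered|no matches for kind|unknown field" /tmp/dryrun.log; then
            echo "❌ Dry-run found unknown resources or fields — manifests reference CRDs not installed in the cluster"
            exit 1
          fi
          echo "✅ All manifests passed server-side dry-run"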