yamllint is now pre-installed in the runner-tools Docker image. Removes fragile pip install step that was failing silently. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
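# PR Checks: lint, schema-validate and scan every pull request targeting main.
#
# Tooling note: yamllint, kubeconform, gitleaks and trivy are expected to be
# present on the runner (the commit message says yamllint now ships in a
# "runner-tools" Docker image). No `container:` key is declared below, so either
# the `ubuntu-latest` label resolves to a self-hosted runner built from that
# image, or a `container:` entry is missing — TODO confirm. The "Verify
# toolchain" step fails fast with a clear message either way, instead of a
# "command not found" (or a masked failure) halfway through the job.
name: PR Checks

on:
  pull_request:
    branches:
      - main

# Least privilege: every step only reads the checkout. Nothing pushes, comments
# or publishes check results, so the job token needs no write scopes.
permissions:
  contents: read

# Explicit bash => `bash --noprofile --norc -eo pipefail`, so a failing command
# inside a pipeline fails the step (the implicit default only sets -e).
defaults:
  run:
    shell: bash

jobs:
  validate-and-scan:
    name: Validate & Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        # TODO(security): pin to a full commit SHA rather than the mutable v4
        # tag, so a moved or compromised tag cannot change what runs here.
        uses: actions/checkout@v4
        with:
          # Full history is needed by the gitleaks commit-range scan below.
          fetch-depth: 0
          # No later step uses git credentials, so do not leave the job token
          # in .git/config for the remainder of the job.
          persist-credentials: false

      - name: Verify toolchain
        # helm is deliberately not required here: the Helm step is advisory.
        run: |
          echo "=== Verifying required tools ==="
          missing=0
          for tool in yamllint kubeconform gitleaks trivy; do
            if command -v "$tool" >/dev/null 2>&1; then
              echo "found: $tool ($(command -v "$tool"))"
            else
              echo "::error::required tool not found on runner: $tool"
              missing=1
            fi
          done
          exit "$missing"

      - name: YAML Lint
        run: |
          echo "=== YAML Lint ==="
          yamllint -d "{extends: relaxed, rules: {line-length: {max: 200}}}" \
            environments/ argocd-apps/ apps/
          echo "YAML lint passed"

      - name: Validate ArgoCD Manifests
        # NOTE: Application/AppProject are skipped and kinds without a schema are
        # ignored, so this effectively validates only core Kubernetes kinds under
        # argocd-apps/. To validate the Argo CD CRDs themselves, add a
        # -schema-location pointing at a CRD schema catalog that includes them.
        run: |
          echo "=== Validating ArgoCD app manifests ==="
          kubeconform -summary -strict \
            -skip Application,AppProject \
            -ignore-missing-schemas \
            argocd-apps/ 2>&1
          echo "Manifest validation passed"

      - name: Secret Detection (gitleaks)
        env:
          # Passed via the environment rather than interpolated into the script
          # so the branch name is never parsed by the shell.
          BASE_REF: ${{ github.base_ref }}
        run: |
          echo "=== Secret Detection ==="
          # Scan the PR's commit range (base..HEAD), not just the working tree:
          # a secret added in one commit and removed in a later one passes a
          # --no-git tree scan yet still lands in main's history on merge.
          # fetch-depth: 0 above makes origin/<base> and the range available.
          # --redact keeps matched secret values out of the (possibly public)
          # job log.
          if gitleaks detect --source . --verbose --redact \
               --log-opts="origin/${BASE_REF}..HEAD" 2>&1; then
            echo "No secrets detected"
          else
            rc=$?
            # gitleaks exits 1 for findings; any other status is a tool failure
            # (missing binary, bad ref, ...) and must not be reported as a leak.
            if [ "$rc" -eq 1 ]; then
              echo "::error::Gitleaks found potential secrets!"
            else
              echo "::error::gitleaks did not complete (exit code ${rc})"
            fi
            exit 1
          fi

      - name: Helm Unit Tests
        # Advisory: silently skipped when helm or the helm-unittest plugin is
        # absent, so a missing plugin never fails the PR.
        run: |
          echo "=== Helm Unit Tests ==="
          if command -v helm &>/dev/null && helm plugin list | grep unittest >/dev/null; then
            helm unittest charts/web-app 2>&1
          else
            echo "helm-unittest not available, skipping (advisory)"
          fi

      - name: Trivy Config Scan
        # Advisory by design: --exit-code 0 means HIGH/CRITICAL misconfigurations
        # are printed but never fail the PR. Switch to --exit-code 1 once the
        # baseline is clean to make this gate enforcing.
        # --skip-check-update keeps the run offline, so results are only as
        # current as the check bundle shipped with the installed trivy.
        run: |
          echo "=== Trivy K8s Config Scan ==="
          trivy config . \
            --severity HIGH,CRITICAL \
            --exit-code 0 \
            --format table \
            --skip-check-update 2>&1
          echo "Trivy config scan complete (advisory mode)"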