Add Conftest policy bundle and CI enforcement for GitOps manifests #11
| name: app-gitops-guardrails | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - 'applications/**' | |
| - '.github/workflows/app-gitops-guardrails.yml' | |
| permissions: | |
| contents: read | |
| jobs: | |
| app-policy-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Validate Kubernetes manifests with kubeconform | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| curl -sSL -o kubeconform.tar.gz \ | |
| https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | |
| tar -xzf kubeconform.tar.gz kubeconform | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| ./kubeconform -strict -summary "${manifest_files[@]}" | |
| - name: Policy checks with Conftest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| curl -sSL -o conftest.tar.gz \ | |
| https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_$(uname -s)_$(uname -m).tar.gz | |
| tar -xzf conftest.tar.gz conftest | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| ./conftest test "${manifest_files[@]}" -p applications/policy |
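Review bot: Both tool downloads (the curl in the kubeconform step and the one in the conftest step) fetch `releases/latest/download` with no version pin and no checksum verification, so the binaries that enforce these guardrails are whatever the upstream release endpoint serves at run time, and a changed or tampered release would silently alter what the job accepts. Pin each tool to an explicit release tag and verify the archive's sha256 against a value recorded in the workflow before extracting; the same change applies to the conftest step. `curl` should also get `-f` so that an HTTP error page is not written to the tarball and surfaced later as an unrelated tar failure. For the same reason `uses: actions/checkout@v4` is better pinned to a full commit SHA with the tag in a trailing comment, and the duplicated `find | sort` discovery could be hoisted into one step that exports the list, though that is a style point.
```yaml
      - name: Validate Kubernetes manifests with kubeconform
        shell: bash
        env:
          KUBECONFORM_VERSION: "vX.Y.Z"  # placeholder: pin to a specific release tag
          KUBECONFORM_SHA256: "<sha256 of kubeconform-linux-amd64.tar.gz for that tag>"  # placeholder
        run: |
          set -euo pipefail
          curl -fsSL -o kubeconform.tar.gz \
            "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
          echo "${KUBECONFORM_SHA256}  kubeconform.tar.gz" | sha256sum -c -
          tar -xzf kubeconform.tar.gz kubeconform
          # … unchanged: manifest discovery and kubeconform invocation …
      # … unchanged: conftest step, with the same version pin and sha256sum check …
```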