Add Conftest policy bundle and CI enforcement for GitOps manifests #12
| name: app-gitops-guardrails | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - 'applications/**' | |
| - '.github/workflows/app-gitops-guardrails.yml' | |
| permissions: | |
| contents: read | |
| jobs: | |
| app-policy-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go for policy toolchain | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22' | |
| - name: Validate Kubernetes manifests with kubeconform | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| go install github.com/yannh/kubeconform/cmd/kubeconform@latest | |
| export PATH="$PATH:$(go env GOPATH)/bin" | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| kubeconform -strict -summary "${manifest_files[@]}" | |
| - name: Policy checks with Conftest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| go install github.com/open-policy-agent/conftest@latest | |
| export PATH="$PATH:$(go env GOPATH)/bin" | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| conftest test "${manifest_files[@]}" -p applications/policy |
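Review bot: The two `go install ...@latest` lines (the kubeconform one and the conftest one) resolve the enforcing tools at run time, so the validators that gate every pull request are not pinned and a new upstream release (or a compromised one) changes what this check does without any change in this repository. Pin both to a tagged release, e.g. `go install github.com/yannh/kubeconform/cmd/kubeconform@<PINNED_VERSION>` and `go install github.com/open-policy-agent/conftest@<PINNED_VERSION>` (placeholders for the versions you qualify), and bump them deliberately; the `actions/checkout@v4` and `actions/setup-go@v5` references are mutable tags for the same reason and are commonly pinned to a full commit SHA with the version in a trailing comment. The manifest discovery (`find ... | sort` plus the empty-list guard) is duplicated verbatim in both steps, so a later change to the path or glob in one step will silently diverge from the other; compute it once in an earlier step and hand it to both, or merge the two tool installs into one setup step. Note also that `conftest test` appears to fail only on `deny` results by default, so if the policy bundle uses `warn` rules for anything security-relevant those will not block the merge unless `--fail-on-warn` is passed — worth confirming against the bundle under `applications/policy`.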