Initial CI automation on test for GitOps operator support for xKS #1188
base: master
Changes from all commits
eafe562
67df3df
d65c7c0
68aebc9
4bbf4f3
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| name: Build, Deploy and Test on kind | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - '*' | ||
|
|
||
| env: | ||
| IMG: gitops-operator:test | ||
|
|
||
| jobs: | ||
| deploy-test: | ||
| name: Build image, deploy to kind cluster and run tests | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs

Lines 17, 20, 25, and 40 use floating tags (

Suggested fix pattern

```diff
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha>
-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@<full-commit-sha>
-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
+      - name: Log in to Quay.io
+        uses: docker/login-action@<full-commit-sha>
-      - name: Create kind cluster
-        uses: helm/kind-action@v1
+      - name: Create kind cluster
+        uses: helm/kind-action@<full-commit-sha>
```

Also applies to: 20-20, 25-25, 40-40

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)

Source: Linters/SAST tools
||
|
|
||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version-file: 'go.mod' | ||
|
|
||
| - name: Create kind cluster | ||
| uses: helm/kind-action@v1 | ||
| with: | ||
| cluster_name: gitops-test | ||
|
|
||
| - name: Build manager image | ||
| run: | | ||
| # comment out prometheus from config/default/kustomization.yaml | ||
| sed -i 's|^- ../prometheus|#- ../prometheus|' config/default/kustomization.yaml | ||
| make docker-build IMG=${{ env.IMG }} | ||
|
|
||
| - name: Load image into kind | ||
| run: | | ||
| kind load docker-image ${{ env.IMG }} --name gitops-test | ||
|
|
||
| - name: Install CRDs | ||
| run: | | ||
| make install | ||
|
|
||
| - name: Deploy operator | ||
| run: | | ||
| make deploy IMG=${{ env.IMG }} | ||
|
|
||
| - name: Verify Controller Manager deployment is available | ||
| run: | | ||
| kubectl get deployment -n openshift-gitops-operator | ||
| kubectl describe deployment -n openshift-gitops-operator | ||
| kubectl wait --for=condition=available --timeout=120s \ | ||
| deployment/openshift-gitops-operator-controller-manager \ | ||
| -n openshift-gitops-operator | ||
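Review bot: The job is named "run tests" and the PR title says this is CI on test, but nothing after the `kubectl wait` step exercises the deployed operator, so the check only proves the controller-manager Deployment becomes Available; either add the test step the PR describes after the wait, or rename the job and step to say what is actually verified. Related points in the same file: there is no top-level `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository default instead of the `contents: read` that a build-and-verify job needs; the `kubectl get deployment` / `kubectl describe deployment` diagnostics run before the wait, so when the 120s timeout fires the interesting state is not captured (a follow-up `describe`/`logs` step guarded by `if: failure()` would); and `sed -i 's|^- ../prometheus|#- ../prometheus|' config/default/kustomization.yaml` rewrites a tracked file in the checkout with a regex, where a CI-only kustomize overlay would make the intent explicit and not silently no-op if that line changes. Minor: `branches: - '*'` only matches base branches without a `/` in the name; use `'**'` if PRs against `release/...` style branches should also run this.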
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix

```diff
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
```
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
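Both review findings above (mutable `uses:` references and an `actions/checkout` step that keeps the token in `.git/config`) can be checked and fixed mechanically. What follows is an added example written for this page; it is not code from the PR, the operator repository, or zizmor. It is a dependency-free Python script that audits a workflow for the two findings, rewrites tags to commit SHAs from a supplied tag-to-SHA map, and inserts `persist-credentials: false` where it is missing. The helper names, `SAMPLE_WORKFLOW` (constructed to mirror this PR's steps, not the file itself) and the placeholder 40-hex values in `PLACEHOLDER_SHAS` are assumptions; real SHAs come from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.

```python
"""Audit and fix a GitHub Actions workflow for unpinned actions and for
actions/checkout without persist-credentials: false. Added example; the helper
names and sample inputs are assumptions, not the project's code."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` both as a step key and in the `- uses:` shorthand.
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<action>[^@\s]+)@(?P<version>\S+)\s*(?:#.*)?$")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*$")

# Constructed sample mirroring the steps in this PR's workflow (not the file itself).
SAMPLE_WORKFLOW = """\
name: Build, Deploy and Test on kind
on:
  pull_request:
    branches:
      - '*'
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Create kind cluster
        uses: helm/kind-action@v1
        with:
          cluster_name: gitops-test
      - name: Build manager image
        run: make docker-build
"""

# Placeholder 40-hex values standing in for real `git ls-remote` tag resolutions.
PLACEHOLDER_SHAS = {
    "actions/checkout@v4": "1" * 40,
    "actions/setup-go@v5": "2" * 40,
    "helm/kind-action@v1": "3" * 40,
}


def _indent(line):
    return len(line) - len(line.lstrip())


def _in_step(line, key_indent):
    """A blank line, or one indented at least as deep as the `uses:` key, still
    belongs to the same step; the next `- name:` is indented less and ends it."""
    return not line.strip() or _indent(line) >= key_indent


def _step_lines(lines, uses_idx):
    key_indent = lines[uses_idx].index("uses:")
    for line in lines[uses_idx + 1:]:
        if not _in_step(line, key_indent):
            break
        yield line


def audit_workflow(text):
    """Return [(1-based line number, finding), ...] for mutable `uses:` refs and
    for actions/checkout steps that do not set persist-credentials: false."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        action, version = m.group("action"), m.group("version")
        if not SHA40.match(version):
            findings.append((idx + 1, f"unpinned-uses: {action}@{version}"))
        if action == "actions/checkout" and not any(
            PERSIST_FALSE.match(l) for l in _step_lines(lines, idx)
        ):
            findings.append((idx + 1, "artipacked: persist-credentials is not false"))
    return findings


def pin_actions(text, sha_by_ref):
    """Replace `owner/repo@tag` with the mapped SHA, keeping the tag as a trailing
    comment. Refs not in the map, or already 40-hex, are left untouched."""
    out = []
    for line in text.splitlines():
        m = USES.match(line)
        if m and not SHA40.match(m.group("version")):
            sha = sha_by_ref.get(f"{m.group('action')}@{m.group('version')}")
            if sha:
                line = line[: m.start("version")] + sha + f"  # {m.group('version')}"
        out.append(line)
    return "\n".join(out) + "\n"


def harden_checkout(text):
    """Add `persist-credentials: false` to every actions/checkout step lacking it,
    reusing the step's `with:` block when present and creating one otherwise."""
    lines = text.splitlines()
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        out.append(line)
        m = USES.match(line)
        if m and m.group("action") == "actions/checkout" and not any(
            PERSIST_FALSE.match(l) for l in _step_lines(lines, i)
        ):
            key_indent = line.index("uses:")
            pad = " " * key_indent
            # First line that either ends the step or is this step's `with:`.
            with_idx = next(
                (j for j in range(i + 1, len(lines))
                 if not _in_step(lines[j], key_indent) or lines[j].strip() == "with:"),
                len(lines),
            )
            if with_idx < len(lines) and lines[with_idx].strip() == "with:":
                out.extend(lines[i + 1 : with_idx + 1])  # copy through `with:`
                i = with_idx
            else:
                out.append(pad + "with:")
            out.append(pad + "  persist-credentials: false")
        i += 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {finding}")
    fixed = harden_checkout(pin_actions(SAMPLE_WORKFLOW, PLACEHOLDER_SHAS))
    print(fixed)
    print("remaining findings:", audit_workflow(fixed))
```

On the constructed sample the audit reports four findings (two on the checkout line, one each for setup-go and kind-action) and none after `pin_actions` plus `harden_checkout`. The trailing `# v4` comment on each pinned line is the convention Dependabot and Renovate read to keep SHA pins current, so the pin does not freeze the action forever; to run this against a real workflow, read the file into the `text` argument instead of `SAMPLE_WORKFLOW` and build the map from `git ls-remote` output.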