chore: adding vap testing #2029
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
paths-ignore: | |
- ".github/workflows/website.yaml" | |
- "website/**" | |
branches: [master] | |
pull_request: | |
paths-ignore: | |
- ".github/workflows/website.yaml" | |
- "website/**" | |
branches: [master] | |
permissions: | |
contents: read | |
jobs: | |
website_script_unit_test: | |
runs-on: ubuntu-latest | |
name: "Test scripts" | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Unit test | |
run: | | |
make unit-test | |
generate: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Generate templates and docs | |
run: | | |
make generate generate-website-docs generate-artifacthub-artifacts | |
git diff --exit-code || (echo "Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs" && exit 1) | |
- name: Validation | |
run: | | |
make validate | |
build: | |
needs: generate | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ "ubuntu-latest", "macos-latest" ] | |
opa: [ "v0.44.0", "v0.57.1" ] | |
name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: | | |
binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64") | |
sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary | |
sudo chmod +x /usr/local/bin/opa | |
sh test.sh | |
build_test: | |
needs: generate | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
gatekeeper: [ "3.17.1", "3.18.1" ] | |
engine: [ "cel", "rego"] | |
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Bootstrap integration test | |
run: | | |
mkdir -p $GITHUB_WORKSPACE/bin | |
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
make integration-bootstrap | |
make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }} | |
- name: Run integration test | |
run: | | |
make test-integration POLICY_ENGINE=${{ matrix.engine }} | |
- name: Save logs | |
run: | | |
kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json | |
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json | |
- name: Upload artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
if: ${{ always() }} | |
with: | |
name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }} | |
path: | | |
logs-*.json | |
build_test_VAP: | |
needs: generate | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
gatekeeper: [ "3.17.1", "3.18.1" ] | |
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} with VAP" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Bootstrap integration test | |
run: | | |
mkdir -p $GITHUB_WORKSPACE/bin | |
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
make integration-bootstrap | |
make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} ENABLE_VAP=true | |
- name: Run integration test | |
run: | | |
make test-integration ENABLE_VAP=true | |
- name: Save logs | |
run: | | |
kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json | |
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json | |
- name: Upload artifacts | |
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 | |
if: ${{ always() }} | |
with: | |
name: logs-int-test-${{ matrix.gatekeeper }}-with-vap | |
path: | | |
logs-*.json | |
require_suites: | |
runs-on: ubuntu-latest | |
name: "Require a suite.yaml file alongside every template.yaml" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run script | |
run: | | |
make require-suites | |
require_sync: | |
runs-on: ubuntu-latest | |
name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run script | |
run: | | |
make require-sync | |
gator-verify: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
engine: [ "cel", "rego" ] | |
gatekeeper: [ "3.17.1", "3.18.1" ] | |
name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: | | |
make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }} GATOR_VERSION=${{ matrix.gatekeeper }} |