ci: add consolidated GitOps test workflow with validation #1287
Pull request overview
This PR appears intended to trigger/verify CI behavior related to a KSail validate fix and reusable workflow changes, but the only repository change included is a no-op formatting change to the README.
Changes:
- Add a trailing blank line to README.md.
Calls the ci-gitops-test reusable workflow which now includes manifest validation as an early step before cluster provisioning.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nikolai Emil Damm <ned@devantler.tech>
- Pin devantler-tech/ksail/.github/actions/ksail-cluster from @main to @4cc958abae21913e32d6effbcc8c02bd1fe5a4f9
- Add environment: ci to the test job for secret protection
Signed-off-by: Nikolai Emil Damm <nikolaiemildamm@icloud.com>
| persist-credentials: false | ||
|
|
||
| - name: 🧪 System Test | ||
| uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main |
uses: references in this repo appear to be pinned to a commit SHA with an inline comment indicating the released version (e.g., # v1.9.7, # v1.22.5). Here the action is pinned to a SHA but the comment says # main, which is misleading because it looks like a moving ref. Consider updating the comment to the actual release/tag for that SHA (or removing the comment) to keep dependency provenance clear and consistent.
| uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main | |
| uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 |
| environment: ci | ||
| steps: | ||
| - name: 📑 Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: 🧪 System Test | ||
| uses: devantler-tech/ksail/.github/actions/ksail-cluster@4cc958abae21913e32d6effbcc8c02bd1fe5a4f9 # main | ||
| with: | ||
| distribution: Talos | ||
| provider: Docker | ||
| init: "false" | ||
| validate: "true" | ||
| sops-age-key: ${{ secrets.SOPS_AGE_KEY }} | ||
| hosts-file: ${{ vars.HOSTS_FILE }} | ||
| root-ca-cert-file: ${{ vars.ROOT_CA_CERT_FILE }} |
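Review bot: at `sops-age-key: ${{ secrets.SOPS_AGE_KEY }}`, the decryption key is handed to a composite action on a `pull_request` run, and `environment: ci` only protects it if that environment has protection rules such as required reviewers configured. Please confirm the `ci` environment carries such rules, or say in the PR that the environment is used only to scope the secret. Since the SHA pin on `ksail-cluster` is what fixes which code receives the key, any later bump of that SHA should be reviewed as a change to secret-handling code.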
This workflow runs on pull_request but depends on secrets.SOPS_AGE_KEY and environment vars (HOSTS_FILE, ROOT_CA_CERT_FILE). For PRs from forks, GitHub does not provide repository secrets/variables, so this job will likely fail (or run with empty inputs). If forked PRs are expected, gate the job to non-fork PRs or split out a secretless validation job that still runs for forks.
| name: CI | ||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
|
|
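Review bot: the `pull_request:` trigger under `on:` should carry a short comment saying it is deliberate, because the test job in this workflow receives `secrets.SOPS_AGE_KEY` and a later switch to `pull_request_target` to make secrets reach fork PRs would run checked-out PR content with that key available. If `main` is also meant to be exercised after merge, add a `push` trigger for `main` next to `branches: [main]`, since the lines shown only cover pull requests.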
The PR description says this adds a .github/workflows/ci-gitops-test.yaml workflow calling the consolidated ci-gitops-test reusable workflow, but the actual change adds .github/workflows/ci.yaml and runs the ksail-cluster composite action directly. Either update the PR description to match the implemented approach, or adjust the workflow to call the intended reusable workflow so the change is traceable and consistent with the stated design.
Purpose
Add a CI workflow that calls the consolidated ci-gitops-test reusable workflow, which now includes manifest validation as an early step (before cluster provisioning).
Changes
- .github/workflows/ci-gitops-test.yaml calling the reusable workflow with VALIDATE: true
Related
- ci-gitops-validate.yaml reusable workflow has been removed
- ci-gitops-test.yaml via the ksail-cluster composite action's validate input
What gets tested
- ksail workload validate — validates K8s manifests before any cluster provisioning