chore: adding psp-users CEL policy #1979
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| paths-ignore: | |
| - ".github/workflows/website.yaml" | |
| - "website/**" | |
| branches: [master] | |
| pull_request: | |
| paths-ignore: | |
| - ".github/workflows/website.yaml" | |
| - "website/**" | |
| branches: [master] | |
| permissions: | |
| contents: read | |
| jobs: | |
| website_script_unit_test: | |
| runs-on: ubuntu-latest | |
| name: "Test scripts" | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Unit test | |
| run: | | |
| make unit-test | |
| generate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Generate templates and docs | |
| run: | | |
| make generate generate-website-docs generate-artifacthub-artifacts | |
| git diff --exit-code || (echo "Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs" && exit 1) | |
| - name: Validation | |
| run: | | |
| make validate | |
| build: | |
| needs: generate | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ "ubuntu-latest", "macos-latest" ] | |
| opa: [ "v0.44.0", "v0.57.1" ] | |
| name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - run: | | |
| binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64") | |
| sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary | |
| sudo chmod +x /usr/local/bin/opa | |
| sh test.sh | |
| build_test: | |
| needs: generate | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| gatekeeper: [ "3.15.1", "3.16.3" ] | |
| engine: [ "cel", "rego" ] | |
| name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies" | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code into the Go module directory | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Bootstrap integration test | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} | |
| run: | | |
| mkdir -p $GITHUB_WORKSPACE/bin | |
| echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH | |
| make integration-bootstrap | |
| make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }} | |
| - name: Run integration test | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} | |
| run: | | |
| make test-integration | |
| - name: Save logs | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} | |
| run: | | |
| kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json | |
| kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| if: ${{ always() }} | |
| with: | |
| name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }} | |
| path: | | |
| logs-*.json | |
| require_suites: | |
| runs-on: ubuntu-latest | |
| name: "Require a suite.yaml file alongside every template.yaml" | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Run script | |
| run: | | |
| make require-suites | |
| require_sync: | |
| runs-on: ubuntu-latest | |
| name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory" | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Run script | |
| run: | | |
| make require-sync | |
| gator-verify: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| engine: [ "cel", "rego" ] | |
| gatekeeper: [ "3.15.1", "3.16.3" ] | |
| name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies" | |
| steps: | |
| - name: Harden Runner | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} | |
| - run: | | |
| make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }} GATOR_VERSION=${{ matrix.gatekeeper }} | |
| if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} |