From b5d4f723bf291e2f1952047873f8bf3024f29158 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Sun, 28 Dec 2025 06:28:59 +0530
Subject: [PATCH] add kubeconform workflow
---
 .gitea/workflows/kubeconform.yml | 84 ++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 .gitea/workflows/kubeconform.yml
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
new file mode 100644
index 0000000..f6d0823
--- /dev/null
+++ b/.gitea/workflows/kubeconform.yml
@@ -0,0 +1,84 @@
+name: Validate Kubernetes Manifests
+
+on:
+ push:
+ paths:
+ - '**.yml'
+ - '**.yaml'
+ - '!.gitea/workflows/**'
+ - '!clusters/default/system-upgrade/crd.yml'
+
+jobs:
+ kubeconform:
+ runs-on: ubuntu-latest
+ container:
+ image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.1.0
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v47
+ with:
+ files: |
+ **.yml
+ !.gitea/workflows/**
+ !clusters/default/system-upgrade/crd.yml
+
+ - name: Validate Manifests
+ if: steps.changed-files.outputs.any_changed == 'true'
+ env:
+ ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+ shell: bash
+ run: |
+ set -o pipefail
+
+ declare -A SCHEMA_MAP=(
+ ["HelmRelease"]="helm.toolkit.fluxcd.io/helmrelease_v2.json"
+ ["HelmRepository"]="source.toolkit.fluxcd.io/helmrepository_v1.json"
+ ["L2Advertisement"]="metallb.io/l2advertisement_v1beta1.json"
+ ["IPAddressPool"]="metallb.io/ipaddresspool_v1beta1.json"
+ ["SealedSecret"]="bitnami.com/sealedsecret_v1alpha1.json"
+ ["ClusterPolicy"]="nvidia.com/clusterpolicy_v1.json"
+ ["Plan"]="upgrade.cattle.io/plan_v1.json"
+ )
+
+ EXIT_CODE=0
+
+ for file in ${ALL_CHANGED_FILES}; do
+ [ -z "$file" ] && continue
+ echo "=== Validating: $file ==="
+
+ yq e -o=json '. as $item ireduce ([]; . + [$item])' "$file" | \
+ jq -c '.[] | select(.kind != null)' | \
+ while read -r manifest; do
+ KIND=$(echo "$manifest" | jq -r '.kind // ""')
+
+ if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]}" ]]; then
+ echo "Found $KIND - using custom schema"
+ SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}"
+
+ if ! echo "$manifest" | kubeconform \
+ -schema-location "$SCHEMA_URL" \
+ -output json \
+ -; then
+ EXIT_CODE=1
+ fi
+ else
+ echo "Validating with default schemas"
+ if !
echo "$manifest" | kubeconform \
+ -schema-location default \
+ -output json \
+ -; then
+ EXIT_CODE=1
+ fi
+ fi
+ done
+
+ echo ""
+ done
+
+ exit $EXIT_CODE
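Review bot: Every `EXIT_CODE=1` set inside the `while read -r manifest` loop is lost, because that loop is the last stage of the `yq | jq | while` pipeline and bash runs it in a subshell, so the final `exit $EXIT_CODE` is always `exit 0` and a manifest that fails kubeconform never fails the job; a yq/jq parse failure on a broken file is likewise never checked despite `set -o pipefail`. Adding `shopt -s lastpipe` directly after `set -o pipefail` keeps the loop in the current shell, and changing the loop's closing line to `done || EXIT_CODE=1` also turns a yq/jq failure into a job failure. The push trigger lists `'**.yaml'` but the changed-files `files:` filter only lists `**.yml`, so a push that touches only `.yaml` manifests starts the job and then skips validation because `any_changed` is false — add `**.yaml` to that filter (the same `.yml`/`.yaml` mismatch appears nowhere else in the hunk). Since this job is the merge gate, consider pinning `actions/checkout`, `tj-actions/changed-files` and the `kube-tools` container image to a commit SHA or image digest rather than mutable tags, and pinning the CRDs-catalog schema URL to a commit instead of `refs/heads/main`, so that what passes validation cannot change underneath the workflow.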