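---
# Validates every changed Kubernetes manifest with kubeconform.
# Kinds backed by CRDs (Flux, MetalLB, Sealed Secrets, NVIDIA, SUC) are checked
# against schemas from the datree CRDs-catalog; everything else uses kubeconform's
# default schema set.
name: Validate Kubernetes Manifests

on:
  push:
    paths:
      - '**.yml'
      - '**.yaml'
      - '!.gitea/workflows/**'
      - '!clusters/default/system-upgrade/crd.yml'

jobs:
  kubeconform:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): a mutable tag is pulled at every run; pinning to an image
      # digest would make the toolchain reproducible.
      image: gitea.akshun-lab.cc/aggarwalakshun/kube-tools:1.1.0
    steps:
      - name: Checkout code
        # NOTE(review): third-party actions are referenced by mutable tag; pinning
        # to a full commit SHA removes the tag-retargeting risk.
        uses: actions/checkout@v6
        with:
          # Full history is needed so the changed-files action can diff against
          # the previous commit.
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v47
        with:
          # Must mirror the `on.push.paths` filter above: both extensions are
          # matched, otherwise `.yaml` files trigger the job but are never validated.
          files: |
            **.yml
            **.yaml
            !.gitea/workflows/**
            !clusters/default/system-upgrade/crd.yml

      - name: Validate Manifests
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          # Passed through the environment rather than interpolated into the
          # script, so file names never reach the shell as code.
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          # Git ref of datreeio/CRDs-catalog to fetch CRD schemas from.
          # NOTE(review): `refs/heads/main` moves; pin to a commit SHA for
          # reproducible validation results.
          CRD_CATALOG_REF: refs/heads/main
        shell: bash
        run: |
          set -uo pipefail

          # Manifest `.kind` -> schema path inside the CRDs-catalog repository.
          declare -A SCHEMA_MAP=(
            ["HelmRelease"]="helm.toolkit.fluxcd.io/helmrelease_v2.json"
            ["HelmRepository"]="source.toolkit.fluxcd.io/helmrepository_v1.json"
            ["L2Advertisement"]="metallb.io/l2advertisement_v1beta1.json"
            ["IPAddressPool"]="metallb.io/ipaddresspool_v1beta1.json"
            ["SealedSecret"]="bitnami.com/sealedsecret_v1alpha1.json"
            ["ClusterPolicy"]="nvidia.com/clusterpolicy_v1.json"
            ["Plan"]="upgrade.cattle.io/plan_v1.json"
          )

          EXIT_CODE=0

          # The action emits a space-separated list; paths containing spaces are
          # not supported by this split.
          for file in ${ALL_CHANGED_FILES}; do
            [ -z "$file" ] && continue
            echo "=== Validating: $file ==="

            # Flatten all documents in the file into one JSON array, then emit one
            # compact object per line for every document that declares a kind.
            # The result is captured instead of being piped straight into the loop:
            # a piped `while` runs in a subshell, so EXIT_CODE=1 set inside it was
            # lost and the job always exited 0. Capturing also lets pipefail
            # surface yq/jq parse failures instead of silently validating nothing.
            if ! manifests=$(yq e -o=json '. as $item ireduce ([]; . + [$item])' "$file" \
                | jq -c '.[] | select(.kind != null)'); then
              echo "Failed to parse $file"
              EXIT_CODE=1
              continue
            fi

            while IFS= read -r manifest; do
              # A file with no kinded documents yields a single empty line.
              [ -z "$manifest" ] && continue
              KIND=$(jq -r '.kind // ""' <<< "$manifest")
              if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]:-}" ]]; then
                echo "Found $KIND - using custom schema"
                SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/${CRD_CATALOG_REF}/${SCHEMA_MAP[$KIND]}"
                if ! kubeconform \
                    -schema-location "$SCHEMA_URL" \
                    -output json \
                    - <<< "$manifest"; then
                  EXIT_CODE=1
                fi
              else
                echo "Validating with default schemas"
                # NOTE(review): without `-strict`, unknown fields (e.g. a misspelled
                # key) are accepted; consider enabling it once existing manifests pass.
                if ! kubeconform \
                    -schema-location default \
                    -output json \
                    - <<< "$manifest"; then
                  EXIT_CODE=1
                fi
              fi
            done <<< "$manifests"
            echo ""
          done

          exit $EXIT_CODE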