# Copyright The Conforma Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
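name: PR Validation

# `on` is a YAML 1.1 truthy key; GitHub's loader reads it as the trigger map, so it stays unquoted.
# pull_request (not pull_request_target) runs fork PRs with a read-only GITHUB_TOKEN and without
# repository secrets, which is all a validation workflow needs.
on:
  pull_request:
    branches: [main]
    types: [opened, synchronize, reopened]

# Prevent multiple workflows from running simultaneously: a new push to the same ref
# cancels the run still in flight for it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  GO_VERSION: '1.24.7'
  # Pinned to a commit rather than a floating tag so the installed scanner cannot change under us.
  GOSEC_VERSION: 'c9453023c4e81ebdb6dde29e22d9cd5e2285fb16' # v2.22.8

permissions:
  contents: read # Only read access needed for validation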
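jobs:
  test-and-validate:
    name: Test and Validate
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # Every third-party action below is pinned to a full commit SHA with the tag noted
      # in a trailing comment; keep that pattern when bumping versions.
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version: "${{ env.GO_VERSION }}"

      - name: Cache Go modules
        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
          # One key over all three go.sum files, so a dependency change in any module
          # invalidates the cache instead of restoring stale modules.
          key: ${{ runner.os }}-go-${{ hashFiles('go.sum', 'tools/go.sum', 'acceptance/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      # The repository holds three Go modules (root, tools, acceptance); each is downloaded
      # explicitly because `go mod download` only covers the module in the current directory.
      - name: Download dependencies
        run: |
          set -euo pipefail
          go mod download
          go mod download -modfile tools/go.mod
          go mod download -modfile acceptance/go.mod

      - name: Format check
        run: |
          set -euo pipefail
          # Run gofmt once and keep its output, so the files reported are exactly the ones
          # that made the check fail.
          unformatted="$(gofmt -s -l .)"
          if [ -n "$unformatted" ]; then
            echo "❌ Code is not properly formatted. Run 'make fmt'"
            echo "$unformatted"
            exit 1
          fi
          echo "✅ Code is properly formatted"

      - name: License header check
        run: |
          set -euo pipefail
          echo "🔍 Checking license headers..."
          # addlicense is run from the tools module so its version is fixed by tools/go.sum.
          go run -modfile tools/go.mod github.com/google/addlicense -check \
            -ignore '.github/ISSUE_TEMPLATE/**' -ignore '.github/PULL_REQUEST_TEMPLATE/**' \
            -ignore '.github/dependabot.yml' -ignore 'vendor/**' -ignore 'node_modules/**' \
            -ignore '*.md' -ignore '*.json' -ignore 'go.mod' -ignore 'go.sum' -ignore 'LICENSE' \
            -ignore 'ko.yaml' -ignore '.ko.yaml' -ignore '.golangci.yml' \
            -c 'The Conforma Contributors' -s -y 2025 .

      - name: Run tests with coverage
        run: |
          set -euo pipefail
          go test -v -race -coverprofile=coverage.out ./...
          # The "total" line of the func report ends in "NN.N%"; strip the percent sign for the log line.
          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
          echo "Test coverage: $COVERAGE%"
          go tool cover -html=coverage.out -o coverage.html

      - name: Upload coverage reports
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        # always(): a partial coverage.out from a failed test run is still worth uploading.
        if: always()
        with:
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella

      - name: Run linter
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          # NOTE(review): `latest` means the linter version (and its rule set) can change
          # between two runs of the same commit; pinning it to a release makes results reproducible.
          version: latest
          args: --timeout=5m

      - name: Validate Kubernetes manifests
        run: |
          set -euo pipefail
          # Install kustomize.
          # NOTE(review): this runs an unpinned script fetched from the master branch. `-f` makes
          # curl fail on an HTTP error instead of handing the error page to bash, and pipefail
          # makes that failure fail the step; pinning the script to a release tag and verifying a
          # checksum is still TODO.
          curl -fsS "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
          sudo mv kustomize /usr/local/bin/
          # `kustomize build` only proves the overlays render; it does not validate the rendered
          # objects against a Kubernetes API schema.
          echo "🔍 Validating base Kubernetes manifests..."
          kustomize build config/base/ > /tmp/base-manifests.yaml
          echo "🔍 Validating dev Kubernetes manifests..."
          kustomize build config/dev/ > /tmp/dev-manifests.yaml
          echo "✅ Kubernetes manifests are valid"

      - name: Test container build
        run: |
          set -euo pipefail
          echo "🔍 Testing container build..."
          # Install ko
          # Fixme: To use a newer version we need to update to golang 1.25
          go install github.com/google/ko@v0.18.0
          # Build only; KO_DOCKER_REPO=ko.local with --local keeps the image on the runner
          # and never pushes to a registry.
          KO_DOCKER_REPO=ko.local ko build --local ./cmd/trigger-vsa
          echo "✅ Container builds successfully"

      - name: Security scan with Gosec
        run: |
          set -euo pipefail
          echo "🔍 Running security scan..."
          # GOSEC_VERSION is a commit SHA (see env above), so the scanner build is pinned.
          go install github.com/securego/gosec/v2/cmd/gosec@${{ env.GOSEC_VERSION }}
          # gosec exits non-zero when it reports findings. Run both modules before deciding
          # the outcome, so a finding in the main module does not skip the acceptance scan
          # and both SARIF files are always produced for the artifact upload below.
          status=0
          echo "Scanning main module..."
          gosec -fmt sarif -out gosec-main.sarif -stdout -verbose=text -exclude-dir=acceptance ./... || status=$?
          # The acceptance directory is its own module, so it is scanned in its own context.
          echo "Scanning acceptance module..."
          (cd acceptance && gosec -fmt sarif -out gosec-acceptance.sarif -stdout -verbose=text ./...) || status=$?
          if [ "$status" -ne 0 ]; then
            echo "❌ Security scan reported findings (exit $status); see the SARIF files in the validation-results artifact"
            exit "$status"
          fi
          echo "✅ Security scan completed"

      - name: Save validation results
        if: always()
        run: |
          set -euo pipefail
          # Create results summary. job.status at this point reflects the steps above
          # (this step itself runs via always()).
          echo "## Validation Results" > validation-results.md
          echo "" >> validation-results.md
          if [ "${{ job.status }}" = "success" ]; then
            echo "✅ All validation checks passed!" >> validation-results.md
            echo "- Format check: ✅" >> validation-results.md
            echo "- License headers: ✅" >> validation-results.md
            echo "- Tests: ✅" >> validation-results.md
            echo "- Linting: ✅" >> validation-results.md
            echo "- Kubernetes manifests: ✅" >> validation-results.md
            echo "- Container build: ✅" >> validation-results.md
            echo "- Security scan: ✅" >> validation-results.md
          else
            echo "❌ Some validation checks failed!" >> validation-results.md
            echo "Please check the workflow logs for details." >> validation-results.md
          fi
          # Both values are integers/enum strings set by GitHub, not PR-controlled text,
          # so expanding them into the shell script here is safe.
          echo "pr_number=${{ github.event.number }}" > validation-context.txt
          echo "job_status=${{ job.status }}" >> validation-context.txt

      - name: Upload validation results
        if: always()
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: validation-results
          # The SARIF files are only present when the gosec step ran; the action's default
          # if-no-files-found behaviour (warn) tolerates their absence.
          path: |
            validation-results.md
            validation-context.txt
            gosec-main.sarif
            acceptance/gosec-acceptance.sarif
          retention-days: 1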