fix(psa-checker): only fail if PSS violations are found (#116)

amitchell-moz · web-flow · commit 1f9b33678875 · 2025-12-08T15:45:40.000-08:00
## Description Modify psa-checker to only fail if PSS violations are found. Currently it will fail if a chart doesn't render, which tends to confuse users; this PR makes it so that will print a warning & pass the job, which is how the validate & helmdiff jobs behave. --- Old behavior: - Fail when one chart passes and one fails to render: https://github.com/mozilla/webservices-infra/actions/runs/19875028211/job/56960262267?pr=8635 - Fail in platform-shared: https://github.com/mozilla/global-platform-admin/actions/runs/20036540116/job/57459570627 New behavior: - Pass when one chart validates and one chart didn't render: https://github.com/mozilla/webservices-infra/actions/runs/20045553210/job/57490211960 - Pass when platform-shared fails to render (like it always does): https://github.com/mozilla/global-platform-admin/actions/runs/20045710877/job/57490735774?pr=4926 Also validated that it still properly fails when PSS violations are found: https://github.com/mozilla/webservices-infra/actions/runs/20045602041/job/57490375853?pr=8726 ## Related Tickets & Documents * MZCLD-1376 * SREIN-766
diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml
@@ -54,22 +54,25 @@ jobs:
       - name: download artifacts
         uses: actions/download-artifact@v6
         with:
-          pattern: "k8s-manifests-*"
+          pattern: k8s-manifests-*
           merge-multiple: true
           path: "shared"
       - name: run psa-checker
         id: psa_check
         shell: bash # sets the flags --noprofile --norc -eo pipefail
         env:
           PSS_LEVEL: ${{ inputs.pss_level }}
-          CHART_DIR: ${{ matrix.chart }}
+          CHART: ${{ matrix.chart }}
         run: |
-          # Loop over templates from each environment dir and check PSS levels
+          # Check pod security levels for templates in each chart
           docker pull $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA # Pull before run so the output is less messy
-          cd "shared/charts/$CHART_DIR/"
-          for ENV_DIR in */; do
-            find $ENV_DIR -type f -exec cat {} + \
+          echo "Checking PSS level for ${CHART}..."
+          if [ -d "shared/charts/${CHART}" ]; then
+            find "shared/charts/${CHART}" -type f -exec cat {} + \
               | docker run -i --rm $PSA_CHECKER_IMAGE:$PSA_CHECKER_SHA --level "$PSS_LEVEL" -f - \
               | grep -v "Non standard" \
               | grep -v "Kind not"
-          done
+          else
+            # Fail only if PSS violations are found - if chart failed to render just print a warning
+            echo "Warning: Rendered output for ${CHART} not found."
+          fi
