feat:add psa-checker reusable workflow

amitchell-moz · amitchell-moz · commit 602a9f7f8531 · 2025-06-11T10:05:13.000-07:00
diff --git a/.github/workflows/psa-checker.yml b/.github/workflows/psa-checker.yml
@@ -0,0 +1,146 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Reusable workflow to render helm charts and check if they meet PSS level restricted
+
+name: render and diff helm charts
+on:
+  workflow_call:
+    inputs:
+      pss_level:
+        description: 'PSS level to check against'
+        default: 'restricted'
+        required: false
+        type: string
+
+env:
+  HEAD_REF: ${{ github.head_ref }}
+
+jobs:
+  get_changed_helm_charts:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix_charts: ${{ steps.find_changed_charts.outputs.matrix_changed_charts }}
+      charts: ${{ steps.find_changed_charts.outputs.changed_charts }}
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v4
+        with:
+         fetch-depth: '100'
+         persist-credentials: true # We are using these credentials in later steps
+
+      - name: find changed helm charts
+        id: find_changed_charts
+        run: |
+          git fetch origin ${GITHUB_BASE_REF}:${GITHUB_BASE_REF}
+          echo matrix_changed_charts=$(git diff --name-only ${GITHUB_BASE_REF}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq | jq -R 'split("\n")' | jq -s 'flatten(1)') >> $GITHUB_OUTPUT
+          echo changed_charts=$(git diff --name-only ${GITHUB_BASE_REF}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq) >> $GITHUB_OUTPUT
+        env:
+          GITHUB_BASE_REF: ${{ github.base_ref }}
+
+  render_head_ref_charts:
+    runs-on: ubuntu-latest
+    needs: get_changed_helm_charts
+    strategy:
+      matrix:
+        chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: true # We are using these credentials in later steps
+
+      - name: setup helm
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
+
+      - name: render ${{ matrix.chart }} from head ref
+        id: render_head
+        run: |
+          mkdir -p shared/head-charts
+          git fetch origin "${HEAD_REF}"
+          git checkout "${HEAD_REF}" --
+          if [ -f "${MATRIX_CHART}/Chart.yaml" ]; then
+            helm dependency update "${MATRIX_CHART}"
+            values_files="${MATRIX_CHART}"/values-*
+            for values_file in $(basename -a $values_files); do
+              helm template "${MATRIX_CHART}" -f "${MATRIX_CHART}/values.yaml" -f "${MATRIX_CHART}/${values_file}" --output-dir "shared/head-charts/${MATRIX_CHART}/${values_file}"
+            done
+          fi
+          echo sanitized_name=$(echo "${MATRIX_CHART}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+        env:
+          MATRIX_CHART: ${{ matrix.chart }}
+      - name: upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: "shared-head-${{ steps.render_head.outputs.sanitized_name }}"
+          path: "shared"
+
+  render_base_ref_charts:
+    runs-on: ubuntu-latest
+    needs: get_changed_helm_charts
+    strategy:
+      matrix:
+        chart: ${{ fromJSON(needs.get_changed_helm_charts.outputs.matrix_charts) }}
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: true # We are using these credentials in later steps
+
+      - name: setup helm
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
+
+      - name: render ${{ matrix.chart }} from base ref
+        id: render_base
+        run: |
+          mkdir -p shared/base-charts
+          git fetch origin $GITHUB_BASE_REF
+          git checkout  $GITHUB_BASE_REF --
+          if [ -f "${MATRIX_CHART}/Chart.yaml" ]; then
+            helm dependency update "${MATRIX_CHART}"
+            values_files="${MATRIX_CHART}"/values-*
+            for values_file in $(basename -a $values_files); do
+              helm template "${MATRIX_CHART}" -f "${MATRIX_CHART}/values.yaml" -f "${MATRIX_CHART}/${values_file}" --output-dir "shared/base-charts/${MATRIX_CHART}/${values_file}"
+            done
+          fi
+          echo sanitized_name=$(echo "${MATRIX_CHART}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+        env:
+          MATRIX_CHART: ${{ matrix.chart }}
+          GITHUB_BASE_REF: "${{ github.base_ref }}"
+
+      - name: upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: "shared-base-${{ steps.render_base.outputs.sanitized_name }}"
+          path: "shared"
+
+  check_pod_security_level:
+    runs-on: ubuntu-latest
+    needs:
+      - get_changed_helm_charts
+      - render_base_ref_charts
+      - render_head_ref_charts
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '>=1.18.0'
+      - run: go install github.com/mozilla/psa-checker@20becf1189cf776e45a2ea27ea329e2e01de381a
+      - name: setup helm
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
+
+      - name: download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: shared-*
+          merge-multiple: true
+          path: "shared"
+      - name: run psa-checker
+        id: diff_helm_charts
+        run: |
+          for chart in ${CHARTS}; do
+              echo "$chart" | psa-checker --level ${{ inputs.pss_level }}  -f -
+            fi
+          done
+        env:
+          CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }}
