ci: Add workflow to validate all kustomize builds#351
Conversation
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID:
📒 Files selected for processing (1)
📝 Walkthrough
This PR adds a GitHub Actions workflow that validates kustomize builds on pull requests by installing kustomize, discovering non-
Changes: Kustomize Build Validation Workflow
Estimated Code Review Effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/validate-kustomize.yml:
- Around line 12-13: Update the checkout step to use a specific commit SHA for
actions/checkout and add persist-credentials: false to harden credential
exposure, and replace the mutable kustomize install call that invokes
kubernetes-sigs/kustomize/master/hack/install_kustomize.sh with a deterministic
installation of the pinned kustomize version (kustomize/v5.6.0) used by the repo
Makefile—e.g., download the v5.6.0 release binary or use a release-tagged action
instead of the master hack script so the workflow is reproducible and
version-aligned.
- Around line 15-18: The "Install kustomize" workflow step currently pipes the
install script from kubernetes-sigs/kustomize master, which is unpinned; change
this to fetch the kustomize v5.6.0 release artifact (or the install script from
the v5.6.0 tag) instead of master so CI matches the Makefile contract; update
the run step that currently curls "install_kustomize.sh | bash" to download the
v5.6.0 binary (or curl the install script URL pinned to v5.6.0) and then run the
same sudo mv kustomize /usr/local/bin/ to install it.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: fbf11a8b-c570-4f3c-953b-217265a3b18c
📒 Files selected for processing (1)
.github/workflows/validate-kustomize.yml
Force-pushed from 27ae77d to aa07da9
Actionable comments posted: 0
🧹 Nitpick comments (1)
.github/workflows/validate-kustomize.yml (1)
4-9: ⚡ Quick win: Add a least-privilege permissions block.
The workflow inherits the default GITHUB_TOKEN permissions. Since it only checks out and validates, scope it to read-only.
🔒 Suggested addition
 on:
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   validate-kustomize:
     runs-on: ubuntu-latest
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/validate-kustomize.yml around lines 4 - 9, the workflow currently uses the default GITHUB_TOKEN permissions; add a least-privilege permissions block at the workflow top-level to scope the token to read-only (e.g., set permissions: contents: read) so the validate-kustomize job (runs-on: ubuntu-latest) only has repository read access when triggered on pull_request; insert this permissions block alongside the existing on: pull_request declaration to restrict the GITHUB_TOKEN.
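Review bot: the suggested top-level permissions block with contents: read is the right scope for this job, and it has a wider effect than the comment states: once any top-level permissions block is declared, every scope not listed in it is set to none, so the token also loses the default write access to pull requests, checks and other scopes. That is what this workflow wants, because actions/checkout needs only contents: read and the kustomize build step does not use the token at all; just confirm no future step in this file expects to post a status or comment before merging the suggestion.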
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/validate-kustomize.yml:
- Around line 4-9: The workflow currently uses the default GITHUB_TOKEN
permissions; add a least-privilege permissions block at the workflow top-level
to scope the token to read-only (e.g., set permissions: contents: read) so the
validate-kustomize job (runs-on: ubuntu-latest) only has repository read access
when triggered on pull_request; insert this permissions block alongside the
existing on: pull_request declaration to restrict the GITHUB_TOKEN.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 0758a104-b32e-4f80-8ca4-3d11595114ce
📒 Files selected for processing (1)
.github/workflows/validate-kustomize.yml
Force-pushed from 66e4843 to 1f6963d
Updated the workflow to use For the actions/checkout SHA pin, I've noticed that all other workflows here use @v4, so I kept it consistent. Happy to change if the project wants to adopt another solution.
Force-pushed from 46789f3 to beefc5e
ptoscano
left a comment
Thanks for the updates! This mostly LGTM, there are few minor things to fix.
Force-pushed from beefc5e to 3a849f8
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/validate-kustomize.yml:
- Around line 12-13: The checkout step currently uses actions/checkout@v6
without disabling credential persistence; update the Checkout sources step (the
actions/checkout@v6 usage) to include persist-credentials: false in its step
inputs so the GITHUB_TOKEN is not left in the workspace after checkout,
improving defense-in-depth.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 50559e16-a3e0-429e-a8a7-12f99a4ed0b3
📒 Files selected for processing (1)
.github/workflows/validate-kustomize.yml
Signed-off-by: Francisco-Xiq <franciscopsf.contato@gmail.com>
Signed-off-by: Francisco-xiq <franciscopsf.contato@gmail.com>
Force-pushed from 3a849f8 to 7bc9494
@coderabbitai resume
✅ Actions performed
Reviews resumed.

Summary
Adds a new GitHub Actions workflow to validate all kustomization.yaml files in the repository on every pull request.
This was suggested in #350, where a stale reference to a deleted file (../default/manager_auth_proxy_patch.yaml) went undetected until manually tested. A kustomize validation step was suggested to solve this problem.
What it does
- kustomization.yaml files in the repository (excluding vendor/)
- kustomize build on each one to ensure all referenced files exist and the YAML is valid
Testing
Validated locally and in CI. On a test PR that intentionally reintroduced the broken reference, the workflow correctly failed with a clear error message pointing to the problematic file.
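The two things the review thread asks of this CI step, the pinned kustomize install that the first CodeRabbit review requests instead of piping the master install_kustomize.sh into bash, and the discover-and-build loop the PR description outlines (excluding vendor/, failing on any broken reference), as one added POSIX sh example that is not the PR's own workflow script. The KUSTOMIZE variable, the function names and the checksums.txt asset name are assumptions of this example, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the PR's workflow: pinned kustomize install plus a
# discover-and-build loop over every kustomization.yaml outside vendor/.
set -u

# Binary used for validation; CI should install a pinned release first.
KUSTOMIZE="${KUSTOMIZE:-kustomize}"

# Install kustomize release v$1 into directory $2, verifying the tarball against
# the release's checksums.txt (assumed asset name), instead of running the
# unpinned master install_kustomize.sh. Linux amd64 runner assumed.
install_pinned_kustomize() {
  ver="$1"; dest="$2"
  base="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v$ver"
  tarball="kustomize_v${ver}_linux_amd64.tar.gz"
  curl -fsSLO "$base/$tarball" && curl -fsSLO "$base/checksums.txt" || return 1
  grep " $tarball\$" checksums.txt | sha256sum -c - || return 1
  tar -xzf "$tarball" kustomize && install -m 0755 kustomize "$dest/kustomize"
}

# Print the directory of every kustomization.yaml under $1, skipping vendor/.
list_kustomize_dirs() {
  find "$1" -path "$1/vendor" -prune -o -name kustomization.yaml -print \
    | sed 's#/kustomization\.yaml$##' | sort
}

# Run kustomize build in each discovered directory, keep going after the first
# failure so one CI run reports every broken kustomization, and return 1 with
# the failing directories on stderr (kustomize's own error names the file).
validate_kustomizations() {
  failed=""; count=0
  for dir in $(list_kustomize_dirs "$1"); do   # assumes paths without spaces
    count=$((count + 1))
    if ! "$KUSTOMIZE" build "$dir" >/dev/null; then
      failed="$failed $dir"
    fi
  done
  echo "validated $count kustomization(s) under $1"
  if [ -n "$failed" ]; then
    echo "kustomize build failed in:$failed" >&2
    return 1
  fi
  return 0
}
```

In the workflow's run step, call install_pinned_kustomize 5.6.0 /usr/local/bin once (the version the repo Makefile pins, per the review) and then validate_kustomizations . so the job exits non-zero when any build fails.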