Skip to content

Forbidden sysctls cel #1934

Forbidden sysctls cel

Forbidden sysctls cel #1934

Workflow file for this run

name: CI
on:
push:
paths-ignore:
- ".github/workflows/website.yaml"
- "website/**"
branches: [master]
pull_request:
paths-ignore:
- ".github/workflows/website.yaml"
- "website/**"
branches: [master]
permissions:
contents: read
jobs:
website_script_unit_test:
runs-on: ubuntu-latest
name: "Test scripts"
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Unit test
run: |
make unit-test
generate:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Generate templates and docs
run: |
make generate generate-website-docs generate-artifacthub-artifacts
git diff --exit-code || (echo "Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs" && exit 1)
- name: Validation
run: |
make validate
build:
needs: generate
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ "ubuntu-latest", "macos-latest" ]
opa: [ "v0.44.0", "v0.57.1" ]
name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: |
binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64")
sudo curl -L -o /usr/local/bin/opa https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary
sudo chmod +x /usr/local/bin/opa
sh test.sh
build_test:
needs: generate
runs-on: ubuntu-latest
strategy:
matrix:
gatekeeper: [ "3.15.1", "3.16.3" ]
engine: [ "cel", "rego" ]
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
steps:
- name: Harden Runner
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Check out code into the Go module directory
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Bootstrap integration test
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
run: |
mkdir -p $GITHUB_WORKSPACE/bin
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
make integration-bootstrap
make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }}
- name: Run integration test
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
run: |
make test-integration
- name: Save logs
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
run: |
kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
- name: Upload artifacts
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: ${{ always() }}
with:
name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
path: |
logs-*.json
require_suites:
runs-on: ubuntu-latest
name: "Require a suite.yaml file alongside every template.yaml"
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run script
run: |
make require-suites
require_sync:
runs-on: ubuntu-latest
name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory"
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run script
run: |
make require-sync
gator-verify:
runs-on: ubuntu-latest
strategy:
matrix:
engine: [ "cel", "rego" ]
gatekeeper: [ "3.15.1", "3.16.3" ]
name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies"
steps:
- name: Harden Runner
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
- run: |
make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }} GATOR_VERSION=${{ matrix.gatekeeper }}
if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}