check_charts.yaml
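# Check Charts
#
# For every chart directory under charts/ this workflow runs a Trivy config
# scan (uploaded to code scanning as SARIF), `helm lint --strict`, and a
# kubeconform schema check. Chart names are discovered by the find-charts job
# and fanned out as a matrix to check-charts.
name: Check Charts

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - '**'
  push:
    branches:
      - 'main'

env:
  HELM_VERSION: v3.14.4

# Least privilege: nothing in this workflow pushes, so the default token only
# needs to read repository contents. check-charts adds what SARIF upload needs.
permissions:
  contents: read

jobs:
  find-charts:
    name: Find Charts
    runs-on: ubuntu-latest
    outputs:
      charts: "${{ steps.get-all-charts.outputs.charts }}"
    steps:
      - uses: actions/checkout@v4
      - name: List chart directories
        id: get-all-charts
        env:
          ALL_CHARTS: false  # not read by the script below; kept as the original declared it
        run: |
          # Only directories are charts. Build the JSON array with jq so names
          # are escaped properly and stray files in charts/ are not treated as
          # matrix entries; sort keeps the order stable between runs.
          charts="$(find charts -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
            | sort \
            | jq -R -s -c 'split("\n") | map(select(length > 0))')"
          echo "charts=${charts}" >> "$GITHUB_OUTPUT"

  check-charts:
    name: Check
    needs: find-charts
    strategy:
      # Report every chart; the default (fail-fast: true) cancels the remaining
      # matrix entries as soon as one chart fails.
      fail-fast: false
      matrix:
        chart: ${{ fromJSON(needs.find-charts.outputs.charts) }}
    permissions:
      contents: read          # checkout only; the job never pushes
      security-events: write  # required by codeql-action/upload-sarif
      actions: read           # required by upload-sarif on private repositories
    runs-on: ubuntu-latest
    # The chart name is passed to shell steps through an environment variable
    # rather than interpolating ${{ matrix.chart }} into the script text, so a
    # directory name from a pull request cannot alter the commands that run.
    env:
      CHART: ${{ matrix.chart }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          # NOTE(review): the address below was obfuscated in the page this file
          # was recovered from; restore the real value from the repository.
          git config user.email "[email protected]"
      - name: Setup Helm
        # NOTE(review): the action ref was obfuscated in the rendered page
        # ("azure/[email protected]"); restore it from the repository and
        # prefer pinning to a full commit SHA over a mutable tag.
        uses: azure/setup-helm@<RESTORE_REF_FROM_REPO>
        with:
          version: "${{ env.HELM_VERSION }}"
      - name: Create default Trivy ignore files
        run: |
          ./create-trigy-ignore.sh
      - name: Trivy Scan ${{ matrix.chart }}
        # NOTE(review): the action ref was obfuscated in the rendered page
        # ("aquasecurity/[email protected]"); restore it from the repository
        # and prefer pinning to a full commit SHA over a mutable tag.
        uses: aquasecurity/trivy-action@<RESTORE_REF_FROM_REPO>
        with:
          scan-type: 'config'
          format: 'sarif'
          scan-ref: 'charts/${{ matrix.chart }}'
          output: 'trivy-results.sarif'
          severity: 'MEDIUM,HIGH,CRITICAL'
          trivyignores: 'charts/${{ matrix.chart }}/.trivyignore'
          # No exit-code is set here, so findings appear to reach code scanning
          # via the SARIF upload without failing this step — confirm that is
          # the intended gate.
      - name: Lint ${{ matrix.chart }}
        run: |
          helm dependency update "charts/${CHART}"
          helm lint "charts/${CHART}" --strict
      - name: KubeConform ${{ matrix.chart }}
        run: |
          # The plugin is fetched unpinned from GitHub on every run; once a
          # known-good release is chosen, pin it with `helm plugin install --version`.
          helm plugin install https://github.com/jtyr/kubeconform-helm
          helm -f kubeconform-values.yaml kubeconform --ignore-missing-schemas --summary "charts/${CHART}"
      - name: Upload Trivy scan results for ${{ matrix.chart }}
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when an earlier step failed so findings still reach
        # code scanning for this chart.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'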