From 300efb3175b381887bb3f5a34dcabf417fbd3c02 Mon Sep 17 00:00:00 2001 From: Dustin Lactin Date: Thu, 27 Nov 2025 09:19:36 -0700 Subject: [PATCH] feat(validate-k8s-manifests): added optional strict flag, updated kubeconform version --- .github/workflows/validate-k8s-manifests.yml | 25 +++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/validate-k8s-manifests.yml b/.github/workflows/validate-k8s-manifests.yml index 3a553e1..b6150f6 100644 --- a/.github/workflows/validate-k8s-manifests.yml +++ b/.github/workflows/validate-k8s-manifests.yml @@ -8,11 +8,17 @@ name: render helm charts and validate k8s manifests on: workflow_call: + inputs: + strict: + required: false + description: "Run kubeconform with strict validation" + default: false + type: boolean env: HEAD_REF: ${{ github.head_ref }} - KUBECONFORM_VERSION: "0.6.7" - KUBECONFORM_SHA256: "95f14e87aa28c09d5941f11bd024c1d02fdc0303ccaa23f61cef67bc92619d73" + KUBECONFORM_VERSION: "0.7.0" + KUBECONFORM_SHA256: "c31518ddd122663b3f3aa874cfe8178cb0988de944f29c74a0b9260920d115d3" KUBECONFORM_BASE_URL: "https://github.com/yannh/kubeconform/releases/download" KUBECONFORM_SCHEMA_LOCATION: "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" KUBECONFORM_CUSTOM_SCHEMA_LOCATION: "https://raw.githubusercontent.com/mozilla/mozcloud/main/crdSchemas/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" 
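Review bot: The new `strict` input's description says only that validation is strict, not what that changes for a caller; kubeconform's `-strict` rejects manifests that carry properties not present in the schema (and duplicated keys), so charts that pass today can start failing once a caller flips it on. Suggest `description: "Run kubeconform with -strict (reject fields not present in the schema and duplicate keys)"`. The version bump keeps the binary download pinned by SHA256, which is the right shape; the new hash cannot be verified from the patch itself, so it should be compared against the upstream release checksum file before merge.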
@@ -110,7 +116,17 @@ jobs: - name: validate k8s manifests id: validate_k8s_manifests + env: + STRICT: ${{ inputs.strict }} + CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }} run: | + set -euo pipefail + + # Optional strict flag + STRICT_FLAG="" + if [ "${STRICT}" = "true" ]; then + STRICT_FLAG="-strict" + fi # To support multi-chart tenants we need to normalize the kubeconform output # We are populating it with the standard kubeconform structure, but will append to these values during subsequent runs echo '{"summary":{"valid":0,"invalid":0,"errors":0,"skipped":0},"resources":[]}' > kubeconform.json @@ -124,6 +140,7 @@ jobs: # Always run kubeconform and capture output, even if it fails /usr/local/bin/kubeconform \ + ${STRICT_FLAG} \ -schema-location default \ -schema-location "${KUBECONFORM_SCHEMA_LOCATION}" \ -schema-location "${KUBECONFORM_CUSTOM_SCHEMA_LOCATION}" \ @@ -158,8 +175,6 @@ jobs: done echo "kubeconform_exit_code=$exit_code" >> $GITHUB_OUTPUT - env: - CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }} - name: minimize previous kubeconform comments uses: actions/github-script@v8 @@ -215,8 +230,6 @@ jobs: return `${r.filename} - ${r.kind} ${r.name} failed validation: ${r.msg}`; }).join('\n'); - const fullOutput = `
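Review bot: `set -euo pipefail` is now the first line of the validation script, while the existing comment in the next hunk says kubeconform is always run and its output captured even when it fails; if that capture relies on reading `$?` after the command, or the command is not guarded with something like `|| exit_code=$?`, `-e` will abort the step at the first invalid manifest before `kubeconform.json` is complete and before `kubeconform_exit_code` is written to `$GITHUB_OUTPUT`. The invocation shown in the next hunk is only the start of the command, so this cannot be confirmed from the patch; please check how the exit status is captured at the end of the pipeline. If it is guarded, a one-line comment beside `set -euo pipefail` saying that the kubeconform call is exempted would save the next reader the same question. The `run:` block begins in this hunk and continues past it.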
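Review bot: `${STRICT_FLAG}` is left unquoted in the kubeconform argument list, which is the correct choice here (quoting it would pass an empty-string argument when the input is false), but it reads like an oversight in a script where every other expansion on the same command is quoted. A comment on the line, `${STRICT_FLAG} \  # intentionally unquoted: empty must expand to no argument`, makes the intent explicit; the alternative that keeps every expansion quoted is to collect the flag in a bash array and expand it as `"${STRICT_ARGS[@]}"`. The command continues beyond the hunk.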
Show full output\n\n\`\`\`text\n${errorDetails}\n\`\`\`\n
`; - const sepEnd = "\n```\n\n\nNote: Continued in next comment."; const sepStart = "Continued from previous comment:\n
Show full output\n\n```text\n"; const comStart = `${summaryLine}\n\n
Show full output\n\n\`\`\`text\n`;