From 8e22d5b94b2a3ab4b078ed8e9c247e6564070b08 Mon Sep 17 00:00:00 2001 From: Graham Beckley Date: Wed, 3 Dec 2025 13:33:16 -0500 Subject: [PATCH 1/2] chore: Add missing documentation for reusable workflows Assisted-by: Claude Sonnet 4.5 (model ID: claude-sonnet-4-5-20250929) --- .../workflows/docs/diff-rendered-charts.md | 43 ++++++++++ .github/workflows/docs/psa-checker.md | 63 +++++++++++++++ .../workflows/docs/validate-k8s-manifests.md | 81 +++++++++++++++++++ README.md | 3 + 4 files changed, 190 insertions(+) create mode 100644 .github/workflows/docs/diff-rendered-charts.md create mode 100644 .github/workflows/docs/psa-checker.md create mode 100644 .github/workflows/docs/validate-k8s-manifests.md diff --git a/.github/workflows/docs/diff-rendered-charts.md b/.github/workflows/docs/diff-rendered-charts.md new file mode 100644 index 0000000..4b24d6f --- /dev/null +++ b/.github/workflows/docs/diff-rendered-charts.md 
@@ -0,0 +1,43 @@ +# Render and Diff Helm Charts Reusable Workflow + +Renders Helm charts from both the base and head refs of a pull request and posts a diff as a PR comment showing what changes will be deployed. + +## Overview + +- Detects changed Helm charts in pull requests +- Renders charts with all values files (supports multi-layer configurations) +- Posts a unified diff as a PR comment + +## Usage + +Call this workflow from your repository's pull request workflow: + +```yaml +name: Review Helm Chart Changes + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + diff-charts: + uses: mozilla-it/deploy-actions/.github/workflows/diff-rendered-charts.yml@main +``` + +## Example Output + +When changes are detected, a comment will be posted to the PR: + +```diff +Changes found in Helm charts. + +Changes found in chart: apps/my-service/k8s +--- shared/base-charts/apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml ++++ shared/head-charts/apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml +@@ -15,7 +15,7 @@ + containers: + - name: my-service +- image: my-service:v1.0.0 ++ image: my-service:v1.1.0 +``` diff --git a/.github/workflows/docs/psa-checker.md b/.github/workflows/docs/psa-checker.md new file mode 100644 index 0000000..af9b701 --- /dev/null +++ b/.github/workflows/docs/psa-checker.md 
@@ -0,0 +1,63 @@ +# Pod Security Standards Checker Reusable Workflow + +Validates that Helm charts meet Kubernetes [Pod Security Standards (PSS)](https://kubernetes.io/docs/concepts/security/pod-security-standards/) using the [psa-checker](https://github.com/mozilla/psa-checker) tool. + +## Overview + +Checks rendered Helm chart manifests against a specified Pod Security Standard level (`privileged`, `baseline`, or `restricted`). + +## Inputs + +| Name | Required | Type | Default | Description | +| ----------- | -------- | ------ | -------------- | -------------------------------------------------------- | +| `pss_level` | false | string | `"restricted"` | PSS level to check against: `privileged`, `baseline`, or `restricted` | + +## Prerequisites + +**IMPORTANT**: This workflow requires rendered chart artifacts from the `validate-k8s-manifests` workflow. Use `needs: validate_k8s_manifests` when calling this workflow. + +## Usage + +### Basic usage with default (restricted) level + +```yaml +name: Validate Kubernetes Manifests + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + validate: + uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main + + check-pss: + needs: validate + uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main +``` + +### Custom PSS level + +```yaml +name: Validate Kubernetes Manifests + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + validate: + uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main + + check-pss: + needs: validate + uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main + with: + pss_level: baseline +``` + +## Troubleshooting + +If validation fails, review the workflow output to identify violations and consult the [Pod Security Standards documentation](https://kubernetes.io/docs/concepts/security/pod-security-standards/) for requirements. 
diff --git a/.github/workflows/docs/validate-k8s-manifests.md b/.github/workflows/docs/validate-k8s-manifests.md new file mode 100644 index 0000000..04ece01 --- /dev/null +++ b/.github/workflows/docs/validate-k8s-manifests.md 
@@ -0,0 +1,81 @@ +# Render Helm Charts and Validate Kubernetes Manifests Reusable Workflow + +Renders Helm charts and validates the resulting Kubernetes manifests using [kubeconform](https://github.com/yannh/kubeconform). Posts validation failures as PR comments and uploads rendered manifests as artifacts for use by other workflows. + +## Inputs + +| Name | Required | Type | Default | Description | +| -------- | -------- | ------- | ------- | ---------------------------------------- | +| `strict` | false | boolean | `false` | Run kubeconform with strict validation | + +### Strict Mode + +When `strict: true`, kubeconform will reject resources with unknown fields and enforce stricter schema validation. + +## Usage + +### Basic validation + +```yaml +name: Validate Kubernetes Manifests + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + validate: + uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main +``` + +### Strict validation + +```yaml +name: Validate Kubernetes Manifests + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + validate: + uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main + with: + strict: true +``` + +### With pod security checking + +```yaml +name: Validate Kubernetes Manifests + +on: + pull_request: + paths: + - '**/k8s/**' + +jobs: + validate: + uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main + + check-pss: + needs: validate + uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main +``` + +## Example Output + +When validation fails, a comment is posted to the PR: + +```text +Kubernetes Manifest Validation: 2 resources found - Valid: 0, Invalid: 2, Errors: 0, Skipped: 0 + +apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml - Deployment my-service failed validation: missing required field "selector" in io.k8s.api.apps.v1.Deployment +apps/my-service/k8s/values-prod/my-service/templates/service.yaml - Service 
my-service failed validation: Invalid value: "LoadBalancerr": spec.type +``` + +## Artifacts + +Rendered manifests are uploaded as artifacts with the pattern `k8s-manifests-*` and can be consumed by other workflows like `psa-checker`. diff --git a/README.md b/README.md index 92aa59a..cdebabd 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,9 @@ This repository contains GitHub Actions Composite Actions used for Deployment Au ## Workflows * [build-and-push](./.github/workflows/docs/build-and-push.md) +* [diff-rendered-charts](./.github/workflows/docs/diff-rendered-charts.md) +* [psa-checker](./.github/workflows/docs/psa-checker.md) +* [validate-k8s-manifests](./.github/workflows/docs/validate-k8s-manifests.md) ## Releases & Tags From 38bcdf671bf190d26bc48db31a9c5dc60ba597a8 Mon Sep 17 00:00:00 2001 From: Graham Beckley Date: Wed, 3 Dec 2025 13:33:28 -0500 Subject: [PATCH 2/2] chore: Bump dependabot cooldown to 7 days --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4eaf0cf..3f293ce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,6 +3,6 @@ updates: - package-ecosystem: "github-actions" directory: "/" cooldown: - default-days: 5 + default-days: 7 schedule: interval: weekly
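Review bot: diff-rendered-charts.md has no Inputs section and no permissions section, so a caller cannot tell from the page what the job must grant for the behaviour described under "Posts a unified diff as a PR comment". Suggest adding the `permissions:` block the calling job needs (at minimum `pull-requests: write` if the comment is posted with the job's GITHUB_TOKEN) and an explicit Inputs table (or a line saying there are none), matching the Inputs tables in psa-checker.md and validate-k8s-manifests.md. A caveat next to "Renders charts with all values files (supports multi-layer configurations)" is also worth adding: the rendered diff is posted verbatim as a PR comment, so any credential or other sensitive value in a values file ends up in the comment, and callers should keep such values out of the rendered templates. Finally, the usage example pins `uses: mozilla-it/deploy-actions/.github/workflows/diff-rendered-charts.yml@main`; since the README has a "Releases & Tags" section, the example should reference a release tag (or a commit SHA) rather than the moving `main` branch.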
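Review bot: the Prerequisites paragraph in psa-checker.md says "Use `needs: validate_k8s_manifests` when calling this workflow", but both usage examples below it use `needs: validate`; the job id is whatever the caller names its validate-k8s-manifests job, so the sentence should say "add a `needs:` on the job that calls validate-k8s-manifests (for example `needs: validate`)" instead of a fixed id. Two smaller points: the Inputs table shows the default as `"restricted"` with quotes while the example passes `pss_level: baseline` unquoted, so the table should show a bare `restricted`; and because `privileged` is the unrestricted Pod Security Standards level, a line noting that `pss_level: privileged` effectively disables the check would stop callers from assuming it enforces anything. It would also help to state which artifact name pattern this workflow downloads, since validate-k8s-manifests.md documents `k8s-manifests-*` and this page only says it "requires rendered chart artifacts".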
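Review bot: the example output in validate-k8s-manifests.md reports "Valid: 0, Invalid: 2, Errors: 0, Skipped: 0", but the page never says which Kubernetes version or schema source kubeconform validates against, nor what makes a resource count as Skipped. kubeconform only skips resources it is told to ignore (unknown kinds when run with `-ignore-missing-schemas`, or kinds listed via `-skip`), so if the workflow uses either of those, custom resources are reported as Skipped rather than validated and a PR can pass without its CRD-backed manifests being checked; the page should state which flags are in effect, whether additional schema locations can be supplied, and that skipped resources are not validated. As with diff-rendered-charts.md, there is no permissions section even though the workflow "Posts validation failures as PR comments and uploads rendered manifests as artifacts"; add the `permissions:` the calling job must grant. The `@main` refs in all three usage examples should likewise point at a release tag, consistent with the README's "Releases & Tags" section.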
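Review bot: the cooldown change in .github/dependabot.yml (`default-days: 5` to `default-days: 7`) carries no rationale in the commit message beyond "Bump". The cooldown is what keeps a freshly published action release from being auto-adopted before it has had time to be vetted or pulled, so one sentence on why 7 days was chosen would make the supply-chain intent reviewable, and the trade-off should be acknowledged: a longer cooldown delays fixes in the pinned actions by the same margin. With `interval: weekly` directly below it, a release that finishes its 7-day cooldown just after a scheduled run waits for the next one, so the effective delay is up to roughly two weeks.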