fleet/.github/workflows/pr-helm.yaml
Guillaume Ross e6c6b7e840
Added explicit read permissions + tweaked permissions (#4843)
* Added explicit read permissions + tweaked permissions

As part of #4698 - this should fix the remaining OSSF Scorecard warnings about our GitHub workflows. They now all have an explicit top-level read-only permission, with more granular permissions granted per job where needed.

* Update tfsec.yml

New workflow that I had not fixed in this PR.
2022-03-28 16:20:31 -04:00


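name: pr-helm

# Run only for pull requests that touch the chart, this workflow, the check
# script, or the CI values files. `on` is a YAML 1.1 boolean-looking key;
# GitHub's loader handles it, so the yamllint truthy rule is suppressed here.
on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - 'charts/**'
      - '.github/workflows/pr-helm.yaml'
      - '.github/scripts/helm-check-expected.sh'
      - 'tools/ci/helm-values/**'

# Workflow-wide default for the job token: read access to repository contents
# and nothing else. A job that needs more must request it at job level.
permissions:
  contents: read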
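jobs:
  sanity-check:
    strategy:
      matrix:
        # kubeval is currently lagging behind the active schema versions, so
        # these are the ones we can test against.
        # see https://github.com/instrumenta/kubernetes-json-schema/issues/26
        # Quoted so that no YAML parser can ever read a version as a number.
        kube-version: ["1.16.0", "1.17.0", "1.18.0"]
    runs-on: ubuntu-20.04
    steps:
      - name: checkout
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      - name: create temp dir
        run: mkdir -p helm-temp

      # Render the chart with its shipped defaults. kubeval and the value checks
      # further down read every rendered manifest from helm-temp/.
      - name: helm template -- default values
        run: |
          helm template \
            --namespace fleet \
            --release-name fleet \
            --values charts/fleet/values.yaml \
            charts/fleet \
            > helm-temp/output-defaults.yaml

      # One rendering per values file under tools/ci/helm-values. The file's
      # basename without extension doubles as namespace and release name, and
      # the rendered output keeps the values file's name.
      - name: helm template -- other configurations
        run: |
          for FILE_PATH in $(find tools/ci/helm-values -type f); do
            FILE=$(basename "${FILE_PATH}")
            REL_NAME="${FILE%%.*}"
            helm template \
              --namespace "${REL_NAME}" \
              --release-name "${REL_NAME}" \
              --values "${FILE_PATH}" \
              charts/fleet \
              > "helm-temp/${FILE}"
          done

      - name: kubeval sanity check
        uses: instrumenta/kubeval-action@5915e4adba5adccac07cb156b82e54c3fed74921 # master
        with:
          files: helm-temp
          version: ${{ matrix.kube-version }}

      # yq is fetched as a release binary. The checksums file comes from the
      # same release as the binary, so the sha256 check catches a corrupted or
      # truncated download, not a compromised release; the pinned YQ_VERSION is
      # what keeps the input stable. `curl -f` makes an HTTP error exit
      # non-zero instead of saving the error page under the binary's name.
      - name: install yq
        env:
          YQ_VERSION: "4.4.1"
        run: |
          curl -fsSLO "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64"
          curl -fsSLO "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/checksums"
          # Column 19 of the checksums line is assumed to be the SHA-256 digest
          # for this yq release (TODO confirm against the release's checksum
          # ordering). sha256sum fails closed if the column or match is wrong.
          echo "$(grep linux_amd64 checksums | awk '{print $19}') yq_linux_amd64" > sha256
          sha256sum --check sha256
          chmod +x yq_linux_amd64
          mkdir -p "${HOME}/.bin"
          mv yq_linux_amd64 "${HOME}/.bin/yq"
          echo "PATH=${PATH}:${HOME}/.bin" >> "$GITHUB_ENV"

      # Each check below passes the script a rendered manifest, a space-separated
      # list of environment variable names it must contain, and a second
      # space-separated list (presumably volume names — see the script).
      - name: check default values
        run: |
          .github/scripts/helm-check-expected.sh \
            "helm-temp/output-defaults.yaml" \
            'FLEET_FILESYSTEM_STATUS_LOG_FILE FLEET_FILESYSTEM_RESULT_LOG_FILE FLEET_FILESYSTEM_ENABLE_LOG_ROTATION FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION' \
            'fleet-tls osquery-logs'

      - name: check pubsub values
        run: |
          .github/scripts/helm-check-expected.sh \
            "helm-temp/logger-pubsub.yaml" \
            'FLEET_PUBSUB_PROJECT FLEET_PUBSUB_STATUS_TOPIC FLEET_PUBSUB_RESULT_TOPIC' \
            'fleet-tls'

      - name: check firehose accesskey values
        run: |
          .github/scripts/helm-check-expected.sh \
            "helm-temp/logger-firehose-accesssid.yaml" \
            'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_ACCESS_KEY_ID FLEET_FIREHOSE_SECRET_ACCESS_KEY' \
            'fleet-tls'

      - name: check firehose sts values
        run: |
          .github/scripts/helm-check-expected.sh \
            "helm-temp/logger-firehose-sts.yaml" \
            'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN' \
            'fleet-tls'

      - name: check mysql tls enabled values
        run: |
          .github/scripts/helm-check-expected.sh \
            "helm-temp/enable-mysql-tls.yaml" \
            'FLEET_MYSQL_TLS_CA FLEET_MYSQL_TLS_CERT FLEET_MYSQL_TLS_KEY FLEET_MYSQL_TLS_CONFIG FLEET_MYSQL_TLS_SERVER_NAME' \
            'fleet-tls osquery-logs mysql-tls'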