feat: add reusable gitops-validate.yaml workflow#233
Merged
Conversation
Extract gitops-template's hand-maintained validate.yaml + basic.yml into a reusable workflow so the CI logic and action pins are maintained once, centrally (Renovate-tracked), instead of per-repo. Every repository built from the template can then replace those two workflows with a thin caller. The workflow ports the four jobs unchanged in behaviour — pre-commit, `./tools/test-all-ff validate`, the rendered-manifest dyff comment, and the `tests/ats` kind e2e — but modernises every action to its current node24 release and SHA-pins them, clearing the Node 20 and `set-output` deprecation warnings. Because a called workflow checks out the caller repo, the `tools/`/`tests/` layout resolves against the consumer with no extra wiring. Repo-specific values are inputs (defaulting to gitops-template's) and the e2e GPG key is a required secret. Relates to giantswarm/roadmap#4121. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
Companion caller PR: giantswarm/gitops-template#139 (pinned to
- Pass clusterctl_ver via env and use a shell variable in the install
step instead of interpolating `${{ inputs.clusterctl_ver }}` directly
into the `run:` block (zizmor template-injection / code-injection), which
also brings the line under the 200-char yamllint limit.
- Set `persist-credentials: false` on every actions/checkout (zizmor
artipacked / credential-persistence), matching yaml-diff.yaml.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
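The two hardenings from this commit message, as an added illustration rather than the PR's own gitops-validate.yaml: a `workflow_call` workflow with the `clusterctl_ver` input and a required secret, the `run:` step with the interpolated expression (the zizmor template-injection finding) shown commented out beside the env-variable form, and `persist-credentials: false` on checkout. The secret name, download URL and checkout SHA are placeholders; `clusterctl_ver` and `test_on_kind` are the names the PR uses.

```yaml
# Added illustration, not the PR's gitops-validate.yaml. `clusterctl_ver` and
# `test_on_kind` come from the PR; the secret name, URL and SHA are placeholders.
name: gitops-validate
on:
  workflow_call:
    inputs:
      clusterctl_ver:
        description: clusterctl version installed for the kind e2e job
        type: string
        required: false
        default: "v0.0.0"        # placeholder; the PR defaults to gitops-template's value
    secrets:
      e2e_gpg_key:               # placeholder name for the required e2e GPG key
        required: true

permissions:
  contents: read

jobs:
  test_on_kind:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA; pin the v7 release
        with:
          # Do not persist GITHUB_TOKEN into .git/config, where later steps and the
          # caller repo's tools/ or tests/ could read it (zizmor artipacked finding).
          persist-credentials: false

      # Weak form (zizmor template-injection): ${{ }} is expanded into the script
      # text by the runner before bash parses it. If a caller ever derives the input
      # from untrusted data, a value such as
      #   v1.2.3"; id #
      # terminates the quoted string and runs `id` as part of the step script.
      #
      #   - run: curl -fsSL "https://example.invalid/clusterctl-${{ inputs.clusterctl_ver }}" -o clusterctl

      # Hardened form: bind the expression to an environment variable and let the
      # shell expand it. A quoted "$CLUSTERCTL_VER" is data and is never re-parsed
      # as code, and the run: line stays short enough for the 200-char yamllint limit.
      - name: Install clusterctl
        env:
          CLUSTERCTL_VER: ${{ inputs.clusterctl_ver }}
        run: |
          ver="$CLUSTERCTL_VER"
          curl -fsSL "https://example.invalid/clusterctl-${ver}" -o clusterctl   # placeholder URL
          chmod +x clusterctl
          ./clusterctl version
```

A consumer repository calls this with a thin workflow that supplies the secret and any non-default inputs; the same env-binding rule applies to every expression a caller can influence, not only `inputs.*`.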
mproffitt reviewed Jul 2, 2026

```yaml
permissions:
  contents: read
steps:
  - run: sudo snap install shfmt
```
Is snap available in github ubuntu boxes?
Contributor
Author
Yes. We have been using this in other places for some time, since 2022 for example: giantswarm/gitops-template@75c880d
ljakimczuk approved these changes Jul 2, 2026
Summary

Adds a reusable workflow `gitops-validate.yaml` that encapsulates the CI for GitOps repositories built from `giantswarm/gitops-template`. Today that logic lives in two hand-maintained workflows in gitops-template (`validate.yaml` + `basic.yml`), whose action pins have rotted into Node 20 / `set-output` deprecation warnings. Moving it here means the pins (and the eventual e2e fix) are maintained once, centrally (Renovate-tracked), and every template-derived repo can drop to a thin caller.

Companion caller PR: giantswarm/gitops-template#TBD (points at this branch for verification, will switch to `@main` once merged).

Jobs (behaviour ported unchanged)

- `shfmt` + pre-commit hooks
- `./tools/test-all-ff validate`, posts the "Validation output log" comment
- `./tools/test-all-ff template` for the PR branch vs `main`, `dyff`s them, posts the "Rendered manifest diff output log" comment
- `tests/ats` pytest on a kind cluster

A called workflow checks out the caller repo, so `tools/`/`tests/` resolve against the consumer with no extra wiring. Repo-specific values are `inputs` (defaults = gitops-template's) and the e2e GPG key is a required `secret`.

Modernisation

Every action bumped to its current node24 release and SHA-pinned (reusing the org's existing pins): checkout v7, setup-python v6.3, cache v6.1, install-binary-action v4.1, command-output v2, find-comment v4, create-or-update-comment v5, kind-action v1.14, pre-commit/action v3.0.1. This clears the Node 20 and `set-output` deprecation warnings.

Notes

- `test_on_kind` is ported as-is and currently fails at the `apptestctl` bootstrap step (missing PodMonitor/VPA CRDs) — a pre-existing, separate bug, not introduced here. Extraction centralises the eventual fix.
- `command-output@v2` is interface-compatible with v1 (same pattern `helm-render-diff.yaml` already uses).

Test plan

- `test_on_kind` fails only at the pre-existing bootstrap step.

Relates to giantswarm/roadmap#4121.
🤖 Generated with Claude Code