
feat: add reusable gitops-validate.yaml workflow#233

Merged
weatherhog merged 2 commits into
mainfrom
feat/gitops-validate
Jul 2, 2026

Conversation

@weatherhog

Contributor

Summary

Adds a reusable workflow gitops-validate.yaml that encapsulates the CI for GitOps repositories built from giantswarm/gitops-template. Today that logic lives in two hand-maintained workflows in gitops-template (validate.yaml + basic.yml), whose action pins have rotted into Node 20 / set-output deprecation warnings. Moving it here means the pins (and the eventual e2e fix) are maintained once, centrally (Renovate-tracked), and every template-derived repo can drop to a thin caller.

Companion caller PR: giantswarm/gitops-template#TBD (points at this branch for verification, will switch to @main once merged).

Jobs (behaviour ported unchanged)

  • check-pre-commit: shfmt + pre-commit hooks
  • validate: ./tools/test-all-ff validate, posts the "Validation output log" comment
  • get-diff (PR-only): renders ./tools/test-all-ff template for the PR branch vs main, dyffs them, posts the "Rendered manifest diff output log" comment
  • test_on_kind: tests/ats pytest on a kind cluster

A called workflow checks out the caller repo, so `tools/`/`tests/` resolve against the consumer with no extra wiring. Repo-specific values are inputs (defaults = gitops-template's) and the e2e GPG key is a required secret.

Modernisation

Every action bumped to its current node24 release and SHA-pinned (reusing the org's existing pins): checkout v7, setup-python v6.3, cache v6.1, install-binary-action v4.1, command-output v2, find-comment v4, create-or-update-comment v5, kind-action v1.14, pre-commit/action v3.0.1. This clears the Node 20 and set-output deprecation warnings.

Notes

  • test_on_kind is ported as-is and currently fails at the apptestctl bootstrap step (missing PodMonitor/VPA CRDs) — a pre-existing, separate bug, not introduced here. Extraction centralises the eventual fix.
  • command-output@v2 is interface-compatible with v1 (same pattern helm-render-diff.yaml already uses).

Test plan

  • Verified via the companion gitops-template caller PR pointed at this branch: pre-commit / validate / get-diff pass and post their comments; no Node20 / set-output warnings; test_on_kind fails only at the pre-existing bootstrap step.

Relates to giantswarm/roadmap#4121.

🤖 Generated with Claude Code

Extract gitops-template's hand-maintained validate.yaml + basic.yml into a
reusable workflow so the CI logic and action pins are maintained once,
centrally (Renovate-tracked), instead of per-repo. Every repository built
from the template can then replace those two workflows with a thin caller.

The workflow ports the four jobs unchanged in behaviour — pre-commit,
`./tools/test-all-ff validate`, the rendered-manifest dyff comment, and the
`tests/ats` kind e2e — but modernises every action to its current node24
release and SHA-pins them, clearing the Node 20 and `set-output` deprecation
warnings. Because a called workflow checks out the caller repo, the
`tools/`/`tests/` layout resolves against the consumer with no extra wiring.
Repo-specific values are inputs (defaulting to gitops-template's) and the
e2e GPG key is a required secret.

Relates to giantswarm/roadmap#4121.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@weatherhog weatherhog requested a review from a team as a code owner July 2, 2026 09:35
Comment thread .github/workflows/gitops-validate.yaml Fixed
@weatherhog

Contributor Author

Companion caller PR: giantswarm/gitops-template#139 (pinned to @feat/gitops-validate for verification; will switch to @main after this merges).

- Pass clusterctl_ver via env and use a shell variable in the install
  step instead of interpolating `${{ inputs.clusterctl_ver }}` directly
  into the `run:` block (zizmor template-injection / code-injection), which
  also brings the line under the 200-char yamllint limit.
- Set `persist-credentials: false` on every actions/checkout (zizmor
  artipacked / credential-persistence), matching yaml-diff.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
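As an added illustration (not the PR's own workflow file), the shape of a reusable workflow that applies the two hardening changes from the commit message above and the inputs/secret contract from the PR description: the input reaches the shell through `env` rather than being expanded inside `run:`, checkout does not persist the token, and the workflow runs with read-only `contents`. Only `clusterctl_ver` is taken from the page; the secret name, the default version, the download URL and the action pin are assumptions.

```yaml
# Added example; not the giantswarm workflow. Names other than
# clusterctl_ver, the default value and the pin are assumed/constructed.
name: gitops-validate
on:
  workflow_call:
    inputs:
      clusterctl_ver:
        type: string
        default: "1.5.0"          # constructed default
    secrets:
      E2E_GPG_KEY:                # assumed secret name
        required: true

permissions:
  contents: read                  # least privilege for every job below

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA pin
        with:
          persist-credentials: false   # no GITHUB_TOKEN written into .git/config (zizmor artipacked)

      # UNSAFE (before): `${{ }}` is expanded by the runner before bash
      # parses the script, so a value containing `;` or `$( )` becomes
      # part of the command line (zizmor template-injection):
      #   - run: curl -fsSL .../v${{ inputs.clusterctl_ver }}/clusterctl-linux-amd64 -o clusterctl

      # SAFE (after): the value is handed to the step as an environment
      # variable and only referenced as a quoted shell variable.
      - name: Install clusterctl
        env:
          CLUSTERCTL_VER: ${{ inputs.clusterctl_ver }}
        run: |
          # assumed release URL layout of kubernetes-sigs/cluster-api
          url="https://github.com/kubernetes-sigs/cluster-api/releases/download/v${CLUSTERCTL_VER}/clusterctl-linux-amd64"
          curl -fsSL "$url" -o /usr/local/bin/clusterctl
          chmod +x /usr/local/bin/clusterctl
          clusterctl version
```

The same `env:` pattern applies to any other caller-controlled input (branch names, PR titles) that a `run:` step needs.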
```yaml
    permissions:
      contents: read
    steps:
      - run: sudo snap install shfmt
```


Is snap available in github ubuntu boxes?

Contributor Author


Yes. We have been using this in other places for some time, since 2022; for example giantswarm/gitops-template@75c880d

@weatherhog weatherhog merged commit 1ae82aa into main Jul 2, 2026
5 checks passed
@weatherhog weatherhog deleted the feat/gitops-validate branch July 2, 2026 10:40