From 1c5bc1115acf4a60409299ce05002d1c93df77a5 Mon Sep 17 00:00:00 2001
From: Chris Farhood <3+cpfarhood@noreply.git.farh.net>
Date: Fri, 22 May 2026 15:40:07 +0000
Subject: [PATCH] Delete .gitea/workflows/best-practices.yaml

---
 .gitea/workflows/best-practices.yaml | 284 ---------------------------
 1 file changed, 284 deletions(-)
 delete mode 100644 .gitea/workflows/best-practices.yaml

diff --git a/.gitea/workflows/best-practices.yaml b/.gitea/workflows/best-practices.yaml
deleted file mode 100644
index 9a6a668..0000000
--- a/.gitea/workflows/best-practices.yaml
+++ /dev/null
@@ -1,284 +0,0 @@ -name: Best Practices - -on: - push: - branches: - - main - pull_request: - branches: - - main - -jobs: - kube-score: - name: Kube-score Analysis - runs-on: ubuntu-latest - container: - image: catthehacker/ubuntu:act-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install kubectl and kube-score - run: | - # Install kubectl - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ - - # Install kube-score - wget https://github.com/zegl/kube-score/releases/download/v1.18.0/kube-score_1.18.0_linux_amd64.tar.gz - tar -xzf kube-score_1.18.0_linux_amd64.tar.gz - chmod +x kube-score - mv kube-score /usr/local/bin/ - - - name: Run kube-score - run: | - if [ -f "kustomization.yaml" ]; then - kubectl kustomize . | kube-score score - \ - --ignore-test pod-networkpolicy \ - --ignore-test deployment-has-poddisruptionbudget \ - --ignore-test container-security-context-readonlyrootfilesystem \ - --ignore-test container-image-tag \ - --ignore-test container-security-context-user-group-id \ - --ignore-test probe-not-identical \ - --ignore-test container-security-context \ - --ignore-test container-seccomp-profile \ - --ignore-test container-ephemeral-storage-request-and-limit \ - --ignore-test statefulset-has-poddisruptionbudget \ - --ignore-test container-security-context-privileged \ - --ignore-test container-security-context-privilege-escalation \ - --ignore-test pod-probes \ - --output-format ci - fi - - polaris: - name: Polaris Audit - runs-on: ubuntu-latest - container: - image: catthehacker/ubuntu:act-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install kubectl and polaris - run: | - # Install kubectl - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ - - # Install polaris - wget 
https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz - tar -xzf polaris_linux_amd64.tar.gz - chmod +x polaris - mv polaris /usr/local/bin/ - - - name: Run Polaris audit - run: | - if [ -f "kustomization.yaml" ]; then - kubectl kustomize . > manifests.yaml - polaris audit --audit-path manifests.yaml \ - --format pretty \ - --set-exit-code-on-danger \ - --set-exit-code-below-score 70 - fi - - resource-analysis: - name: Resource Usage Analysis - runs-on: ubuntu-latest - container: - image: catthehacker/ubuntu:act-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install kubectl and yq - run: | - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ - - wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq - chmod +x yq - mv yq /usr/local/bin/ - - - name: Analyze resource requests and limits - run: | - echo "# Resource Analysis Report" - echo "" - echo "## Applications Resource Configuration" - echo "" - echo "| Application | Container | CPU Request | CPU Limit | Memory Request | Memory Limit |" - echo "|-------------|-----------|-------------|-----------|----------------|--------------|" - - # Find all directories with kustomization.yaml - find . -maxdepth 2 -name "kustomization.yaml" | while read config; do - app_dir=$(dirname "$config") - if [ "$app_dir" != "." 
]; then - manifests=$(kubectl kustomize "$app_dir" 2>/dev/null) - if [ -n "$manifests" ]; then - echo "$manifests" | yq eval-all ' - select(.kind == "Deployment" or .kind == "StatefulSet") | - .spec.template.spec.containers[] | - "| '"$app_dir"' | \(.name) | \(.resources.requests.cpu // "none") | \(.resources.limits.cpu // "none") | \(.resources.requests.memory // "none") | \(.resources.limits.memory // "none") |" - ' - 2>/dev/null || true - fi - fi - done - - pr-summary: - name: PR Summary Report - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - needs: [kube-score, polaris, resource-analysis] - container: - image: catthehacker/ubuntu:act-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Generate PR summary - env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} - GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments - run: | - cat > summary.md << EOF - ## Best Practices Validation Summary - - ✅ All validation checks completed - - ### Checks Run: - - **kube-score**: Kubernetes best practices analysis - - **Polaris**: Security and reliability audit - - **Resource Analysis**: CPU and memory configuration review - - See individual job logs for detailed results. 
- - --- - *Automated by Gitea Actions* - EOF - - if [ -n "${GITEA_TOKEN}" ]; then - jq -n --rawfile body summary.md '{body: $body}' > comment-payload.json - - curl -s -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @comment-payload.json \ - "${GITEA_API}" || echo "Failed to post comment (token may not be configured)" - else - echo "GITEA_TOKEN not configured, skipping comment" - cat summary.md - fi - - polaris-pr-review: - name: Polaris PR Review - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - container: - image: catthehacker/ubuntu:act-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install tools - run: | - # Install kubectl - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ - - # Install polaris - wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz - tar -xzf polaris_linux_amd64.tar.gz - chmod +x polaris - mv polaris /usr/local/bin/ - - # Install jq - apt-get update && apt-get install -y jq - - - name: Run Polaris and post review - env: - GITEA_TOKEN: ${{ secrets.POLARIS_GITEA_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews - run: | - if [ ! -f "kustomization.yaml" ]; then - echo "No root kustomization.yaml, skipping Polaris review" - exit 0 - fi - - kubectl kustomize . > manifests.yaml - if [ ! 
-s manifests.yaml ]; then - echo "Manifests are empty, skipping" - exit 0 - fi - - polaris audit --audit-path manifests.yaml --format json > polaris-results.json || true - - DANGERS=$(jq '.Summary.Dangers // 0' polaris-results.json) - WARNINGS=$(jq '.Summary.Warnings // 0' polaris-results.json) - SCORE=$(jq '.Summary.Score // 0' polaris-results.json) - - if [ "$DANGERS" -gt 0 ]; then - REVIEW_STATE="REQUEST_CHANGES" - VERDICT="BLOCKED: ${DANGERS} danger(s) detected. Score: ${SCORE}%" - EXIT_CODE=1 - elif [ "$WARNINGS" -gt 0 ]; then - REVIEW_STATE="COMMENT" - VERDICT="WARNING: ${WARNINGS} warning(s) detected. Score: ${SCORE}%" - EXIT_CODE=0 - else - REVIEW_STATE="APPROVED" - VERDICT="PASSED: No dangers or warnings. Score: ${SCORE}%" - EXIT_CODE=0 - fi - - DETAILS=$(jq -r ' - .Results[]? | - .Name as $resName | .Kind as $resKind | .Namespace as $resNs | - ( - (.PodResult?.Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: "Pod"}), - (.PodResult?.ContainerResults[]? | .Name as $contName | .Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: $contName}) - ) | - select(.sev == "danger" or .sev == "warning") | - "| \(.sev) | \($resKind)/\($resName) | \(.target) | \(.check) | \(.msg) |" - ' polaris-results.json | head -c 4000) - - cat > review-body.md << INTERNAL_EOF - ## Polaris Audit Results - - **${VERDICT}** - - ### Summary - | Metric | Value | - |--------|-------| - | Score | ${SCORE}% | - | Dangers | ${DANGERS} | - | Warnings | ${WARNINGS} | - -
- Issues (click to expand) - - | Severity | Resource | Container | Check | Message | - |----------|----------|-----------|-------|---------| - \${DETAILS} - -
- - --- - *Scanned by [Polaris](https://github.com/FairwindsOps/polaris)* - INTERNAL_EOF - - jq -n \ - --rawfile body review-body.md \ - --arg event "$REVIEW_STATE" \ - '{body: $body, event: $event}' > review-payload.json - - curl -s -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @review-payload.json \ - "${GITEA_API}" | jq . - - exit $EXIT_CODE