feat: add polaris approve/deny pr review workflow
This commit is contained in:
@@ -161,3 +161,115 @@ jobs:
|
||||
echo "GITEA_TOKEN not configured, skipping comment"
|
||||
cat summary.md
|
||||
fi
|
||||
|
||||
polaris-pr-review:
|
||||
name: Polaris PR Review
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event_name == 'pull_request'
|
||||
container:
|
||||
image: catthehacker/ubuntu:act-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install tools
|
||||
run: |
|
||||
# Install kubectl
|
||||
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
|
||||
chmod +x kubectl
|
||||
mv kubectl /usr/local/bin/
|
||||
|
||||
# Install polaris
|
||||
wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz
|
||||
tar -xzf polaris_linux_amd64.tar.gz
|
||||
chmod +x polaris
|
||||
mv polaris /usr/local/bin/
|
||||
|
||||
# Install jq
|
||||
apt-get update && apt-get install -y jq
|
||||
|
||||
- name: Run Polaris and post review
|
||||
env:
|
||||
GITEA_TOKEN: ${{ secrets.POLARIS_GITEA_TOKEN }}
|
||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews
|
||||
run: |
|
||||
if [ ! -f "kustomization.yaml" ]; then
|
||||
echo "No root kustomization.yaml, skipping Polaris review"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
kubectl kustomize . > manifests.yaml
|
||||
if [ ! -s manifests.yaml ]; then
|
||||
echo "Manifests are empty, skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
polaris audit --audit-path manifests.yaml --format json > polaris-results.json || true
|
||||
|
||||
DANGERS=$(jq '.Summary.Dangers // 0' polaris-results.json)
|
||||
WARNINGS=$(jq '.Summary.Warnings // 0' polaris-results.json)
|
||||
SCORE=$(jq '.Summary.Score // 0' polaris-results.json)
|
||||
|
||||
if [ "$DANGERS" -gt 0 ]; then
|
||||
REVIEW_STATE="REQUEST_CHANGES"
|
||||
VERDICT="BLOCKED: ${DANGERS} danger(s) detected. Score: ${SCORE}%"
|
||||
EXIT_CODE=1
|
||||
elif [ "$WARNINGS" -gt 0 ]; then
|
||||
REVIEW_STATE="COMMENT"
|
||||
VERDICT="WARNING: ${WARNINGS} warning(s) detected. Score: ${SCORE}%"
|
||||
EXIT_CODE=0
|
||||
else
|
||||
REVIEW_STATE="APPROVED"
|
||||
VERDICT="PASSED: No dangers or warnings. Score: ${SCORE}%"
|
||||
EXIT_CODE=0
|
||||
fi
|
||||
|
||||
DETAILS=$(jq -r '
|
||||
.Results[]? |
|
||||
.Name as $resName | .Kind as $resKind | .Namespace as $resNs |
|
||||
(
|
||||
(.PodResult?.Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: "Pod"}),
|
||||
(.PodResult?.ContainerResults[]? | .Name as $contName | .Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: $contName})
|
||||
) |
|
||||
select(.sev == "danger" or .sev == "warning") |
|
||||
"| \(.sev) | \($resKind)/\($resName) | \(.target) | \(.check) | \(.msg) |"
|
||||
' polaris-results.json | head -c 4000)
|
||||
|
||||
cat > review-body.md << INTERNAL_EOF
|
||||
## Polaris Audit Results
|
||||
|
||||
**${VERDICT}**
|
||||
|
||||
### Summary
|
||||
| Metric | Value |
|
||||
|--------|-------|
|
||||
| Score | ${SCORE}% |
|
||||
| Dangers | ${DANGERS} |
|
||||
| Warnings | ${WARNINGS} |
|
||||
|
||||
<details>
|
||||
<summary>Issues (click to expand)</summary>
|
||||
|
||||
| Severity | Resource | Container | Check | Message |
|
||||
|----------|----------|-----------|-------|---------|
|
||||
\${DETAILS}
|
||||
|
||||
</details>
|
||||
|
||||
---
|
||||
*Scanned by [Polaris](https://github.com/FairwindsOps/polaris)*
|
||||
INTERNAL_EOF
|
||||
|
||||
jq -n \
|
||||
--rawfile body review-body.md \
|
||||
--arg event "$REVIEW_STATE" \
|
||||
'{body: $body, event: $event}' > review-payload.json
|
||||
|
||||
curl -s -X POST \
|
||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d @review-payload.json \
|
||||
"${GITEA_API}" | jq .
|
||||
|
||||
exit $EXIT_CODE
|
||||
|
||||
Reference in New Issue
Block a user