From 7e66e879a43e7f88dbb2b22e2ba048f7e499a94e Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sun, 8 Feb 2026 09:37:13 -0500 Subject: [PATCH] feat: add polaris approve/deny pr review workflow --- .gitea/workflows/best-practices.yaml | 112 +++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/.gitea/workflows/best-practices.yaml b/.gitea/workflows/best-practices.yaml index 96da358..903b946 100644 --- a/.gitea/workflows/best-practices.yaml +++ b/.gitea/workflows/best-practices.yaml 
@@ -161,3 +161,115 @@ jobs: echo "GITEA_TOKEN not configured, skipping comment" cat summary.md fi + + polaris-pr-review: + name: Polaris PR Review + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + container: + image: catthehacker/ubuntu:act-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install tools + run: | + # Install kubectl + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod +x kubectl + mv kubectl /usr/local/bin/ + + # Install polaris + wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz + tar -xzf polaris_linux_amd64.tar.gz + chmod +x polaris + mv polaris /usr/local/bin/ + + # Install jq + apt-get update && apt-get install -y jq + + - name: Run Polaris and post review + env: + GITEA_TOKEN: ${{ secrets.POLARIS_GITEA_TOKEN }} + PR_NUMBER: ${{ github.event.pull_request.number }} + GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews + run: | + if [ ! -f "kustomization.yaml" ]; then + echo "No root kustomization.yaml, skipping Polaris review" + exit 0 + fi + + kubectl kustomize . > manifests.yaml + if [ ! -s manifests.yaml ]; then + echo "Manifests are empty, skipping" + exit 0 + fi + + polaris audit --audit-path manifests.yaml --format json > polaris-results.json || true + + DANGERS=$(jq '.Summary.Dangers // 0' polaris-results.json) + WARNINGS=$(jq '.Summary.Warnings // 0' polaris-results.json) + SCORE=$(jq '.Summary.Score // 0' polaris-results.json) + + if [ "$DANGERS" -gt 0 ]; then + REVIEW_STATE="REQUEST_CHANGES" + VERDICT="BLOCKED: ${DANGERS} danger(s) detected. Score: ${SCORE}%" + EXIT_CODE=1 + elif [ "$WARNINGS" -gt 0 ]; then + REVIEW_STATE="COMMENT" + VERDICT="WARNING: ${WARNINGS} warning(s) detected. Score: ${SCORE}%" + EXIT_CODE=0 + else + REVIEW_STATE="APPROVED" + VERDICT="PASSED: No dangers or warnings. 
Score: ${SCORE}%" + EXIT_CODE=0 + fi + + DETAILS=$(jq -r ' + .Results[]? | + .Name as $resName | .Kind as $resKind | .Namespace as $resNs | + ( + (.PodResult?.Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: "Pod"}), + (.PodResult?.ContainerResults[]? | .Name as $contName | .Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: $contName}) + ) | + select(.sev == "danger" or .sev == "warning") | + "| \(.sev) | \($resKind)/\($resName) | \(.target) | \(.check) | \(.msg) |" + ' polaris-results.json | head -c 4000) + + cat > review-body.md << INTERNAL_EOF + ## Polaris Audit Results + + **${VERDICT}** + + ### Summary + | Metric | Value | + |--------|-------| + | Score | ${SCORE}% | + | Dangers | ${DANGERS} | + | Warnings | ${WARNINGS} | + +
+ Issues (click to expand) + + | Severity | Resource | Container | Check | Message | + |----------|----------|-----------|-------|---------| + \${DETAILS} + +
+ + --- + *Scanned by [Polaris](https://github.com/FairwindsOps/polaris)* + INTERNAL_EOF + + jq -n \ + --rawfile body review-body.md \ + --arg event "$REVIEW_STATE" \ + '{body: $body, event: $event}' > review-payload.json + + curl -s -X POST \ + -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d @review-payload.json \ + "${GITEA_API}" | jq . + + exit $EXIT_CODE
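Review bot: In the `Run Polaris and post review` step, `polaris audit ... || true` followed by `jq '.Summary.Dangers // 0'` fails open: if polaris crashes or writes no JSON, jq prints nothing, `$DANGERS` and `$WARNINGS` are empty, both `-gt 0` tests error out on a non-integer, and the `else` branch posts an `APPROVED` review. Drop the `|| true` and require a summary before deciding, e.g. `polaris audit --audit-path manifests.yaml --format json > polaris-results.json` followed by `jq -e '.Summary.Score' polaris-results.json >/dev/null || { echo "Polaris produced no summary" >&2; exit 1; }`. In the review-body here-doc the delimiter is unquoted but the placeholder is written `\${DETAILS}`, so as shown the posted table contains the literal text `${DETAILS}` instead of the findings; it should read `${DETAILS}`. The `Install tools` step also executes a kubectl fetched from the unpinned `stable.txt` and the polaris tarball without verifying either against a published checksum, on a runner that holds `POLARIS_GITEA_TOKEN`; pin the kubectl version and verify both downloads with `sha256sum -c` before the `mv` into `/usr/local/bin`.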