feat: add polaris approve/deny pr review workflow

.gitea/workflows/best-practices.yaml

@@ -161,3 +161,115 @@ jobs:
             echo "GITEA_TOKEN not configured, skipping comment"
             cat summary.md
           fi
+
+  polaris-pr-review:
+    name: Polaris PR Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install tools
+        run: |
+          # Install kubectl
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+          chmod +x kubectl
+          mv kubectl /usr/local/bin/
+
+          # Install polaris
+          wget https://github.com/FairwindsOps/polaris/releases/download/9.5.0/polaris_linux_amd64.tar.gz
+          tar -xzf polaris_linux_amd64.tar.gz
+          chmod +x polaris
+          mv polaris /usr/local/bin/
+
+          # Install jq
+          apt-get update && apt-get install -y jq
+
+      - name: Run Polaris and post review
+        env:
+          GITEA_TOKEN: ${{ secrets.POLARIS_GITEA_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews
+        run: |
+          if [ ! -f "kustomization.yaml" ]; then
+            echo "No root kustomization.yaml, skipping Polaris review"
+            exit 0
+          fi
+
+          kubectl kustomize . > manifests.yaml
+          if [ ! -s manifests.yaml ]; then
+             echo "Manifests are empty, skipping"
+             exit 0
+          fi
+
+          polaris audit --audit-path manifests.yaml --format json > polaris-results.json || true
+
+          DANGERS=$(jq '.Summary.Dangers // 0' polaris-results.json)
+          WARNINGS=$(jq '.Summary.Warnings // 0' polaris-results.json)
+          SCORE=$(jq '.Summary.Score // 0' polaris-results.json)
+
+          if [ "$DANGERS" -gt 0 ]; then
+             REVIEW_STATE="REQUEST_CHANGES"
+             VERDICT="BLOCKED: ${DANGERS} danger(s) detected. Score: ${SCORE}%"
+             EXIT_CODE=1
+          elif [ "$WARNINGS" -gt 0 ]; then
+             REVIEW_STATE="COMMENT"
+             VERDICT="WARNING: ${WARNINGS} warning(s) detected. Score: ${SCORE}%"
+             EXIT_CODE=0
+          else
+             REVIEW_STATE="APPROVED"
+             VERDICT="PASSED: No dangers or warnings. Score: ${SCORE}%"
+             EXIT_CODE=0
+          fi
+          
+          DETAILS=$(jq -r '
+            .Results[]? | 
+            .Name as $resName | .Kind as $resKind | .Namespace as $resNs | 
+            (
+              (.PodResult?.Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: "Pod"}),
+              (.PodResult?.ContainerResults[]? | .Name as $contName | .Results[]? | {sev: .Severity, msg: .Message, check: .ID, target: $contName})
+            ) | 
+            select(.sev == "danger" or .sev == "warning") |
+            "| \(.sev) | \($resKind)/\($resName) | \(.target) | \(.check) | \(.msg) |"
+          ' polaris-results.json | head -c 4000)
+
+          cat > review-body.md << INTERNAL_EOF
+          ## Polaris Audit Results
+
+          **${VERDICT}**
+
+          ### Summary
+          | Metric | Value |
+          |--------|-------|
+          | Score | ${SCORE}% |
+          | Dangers | ${DANGERS} |
+          | Warnings | ${WARNINGS} |
+
+          <details>
+          <summary>Issues (click to expand)</summary>
+
+          | Severity | Resource | Container | Check | Message |
+          |----------|----------|-----------|-------|---------|
+          \${DETAILS}
+
+          </details>
+
+          ---
+          *Scanned by [Polaris](https://github.com/FairwindsOps/polaris)*
+          INTERNAL_EOF
+
+          jq -n \
+            --rawfile body review-body.md \
+            --arg event "$REVIEW_STATE" \
+            '{body: $body, event: $event}' > review-payload.json
+
+          curl -s -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d @review-payload.json \
+            "${GITEA_API}" | jq .
+
+          exit $EXIT_CODE