remove source attribution from READMEs #7
| ############################################################################### | |
| # CI Dry-Run — Validates templates and demo | |
| # | |
| # Runs on push to main, PRs, and manual dispatch. | |
| # Catches regressions in YAML syntax, shell scripts, version extraction, | |
| # GHCR tag discovery, and the release-PR logic. | |
| ############################################################################### | |
| name: "CI: Dry-run validation" | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| lint-yaml: | |
| name: Lint YAML | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install yq | |
| run: | | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Validate all YAML files | |
| run: | | |
| status=0 | |
| while IFS= read -r f; do | |
| if yq e '.' "$f" > /dev/null 2>&1; then | |
| echo "OK: $f" | |
| else | |
| echo "FAIL: $f" | |
| status=1 | |
| fi | |
| done < <(find templates demo -name '*.yaml' -o -name '*.yml' | sort) | |
| exit $status | |
| lint-shell: | |
| name: Lint Shell | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run shellcheck on deployment scripts | |
| run: | | |
| shellcheck templates/gitops-ci/deployment.sh | |
| shellcheck demo/projects/demo-app/deployment.sh | |
| test-version-extraction: | |
| name: Test version extraction | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install yq | |
| run: | | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Extract and assert versions from demo compose | |
| run: | | |
| COMPOSE="demo/projects/demo-app/docker-compose.yaml" | |
| # Method 1: rev | cut (used in deployment workflow) | |
| BACKEND_REV=$(yq e '.services.backend.image' "$COMPOSE" | rev | cut -d: -f1 | rev) | |
| FRONTEND_REV=$(yq e '.services.frontend.image' "$COMPOSE" | rev | cut -d: -f1 | rev) | |
| # Method 2: ${##*:} (used in release PR workflow) | |
| backendImage=$(yq e '.services.backend.image' "$COMPOSE" | tr -d '"') | |
| frontendImage=$(yq e '.services.frontend.image' "$COMPOSE" | tr -d '"') | |
| BACKEND_PE=${backendImage##*:} | |
| FRONTEND_PE=${frontendImage##*:} | |
| echo "rev|cut — backend=${BACKEND_REV} frontend=${FRONTEND_REV}" | |
| echo '##*: — backend='"${BACKEND_PE}"' frontend='"${FRONTEND_PE}" | |
| errors=0 | |
| for method in REV PE; do | |
| bvar="BACKEND_${method}" | |
| fvar="FRONTEND_${method}" | |
| if [[ "${!bvar}" != "0.24.0" ]]; then | |
| echo "FAIL: ${bvar}=${!bvar}, expected 0.24.0" | |
| errors=$((errors + 1)) | |
| fi | |
| if [[ "${!fvar}" != "0.23.0" ]]; then | |
| echo "FAIL: ${fvar}=${!fvar}, expected 0.23.0" | |
| errors=$((errors + 1)) | |
| fi | |
| done | |
| if [[ $errors -gt 0 ]]; then | |
| echo "::error::${errors} version extraction assertion(s) failed" | |
| exit 1 | |
| fi | |
| echo "All version extraction assertions passed" | |
| test-ghcr-tag: | |
| name: Test GHCR tag discovery | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Discover latest trivy tag | |
| id: discover | |
| uses: ./templates/gitops-ci/.github/actions/ghcr-latest-tag | |
| with: | |
| image: "aquasecurity/trivy" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Assert tag is non-empty semver | |
| env: | |
| TAG: ${{ steps.discover.outputs.tag }} | |
| run: | | |
| echo "Discovered tag: ${TAG}" | |
| if [[ -z "${TAG}" ]]; then | |
| echo "::error::GHCR tag discovery returned empty" | |
| exit 1 | |
| fi | |
| if [[ ! "${TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "::error::Tag '${TAG}' is not a valid semver" | |
| exit 1 | |
| fi | |
| echo "Tag '${TAG}' is valid semver" | |
| test-release-pr-dryrun: | |
| name: Test release PR (dry-run) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install yq | |
| run: | | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Discover latest tag | |
| id: discover | |
| uses: ./templates/gitops-ci/.github/actions/ghcr-latest-tag | |
| with: | |
| image: "aquasecurity/trivy" | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Compare with demo compose | |
| env: | |
| LATEST_TAG: ${{ steps.discover.outputs.tag }} | |
| run: | | |
| COMPOSE="demo/projects/demo-app/docker-compose.yaml" | |
| backendImage=$(yq e '.services.backend.image' "$COMPOSE" | tr -d '"') | |
| currentTag=${backendImage##*:} | |
| echo "Current pinned: ${currentTag}" | |
| echo "Latest on GHCR: ${LATEST_TAG}" | |
| if [[ "${currentTag}" == "${LATEST_TAG}" ]]; then | |
| echo "Tags match — no PR would be created" | |
| else | |
| echo "Tags differ — a release PR would update ${currentTag} -> ${LATEST_TAG}" | |
| # Show what the updated compose would look like | |
| cp "$COMPOSE" /tmp/compose-updated.yaml | |
| yq -i ".services.backend.image = \"ghcr.io/aquasecurity/trivy:${LATEST_TAG}\"" /tmp/compose-updated.yaml | |
| yq -i ".services.frontend.image = \"ghcr.io/aquasecurity/trivy:${LATEST_TAG}\"" /tmp/compose-updated.yaml | |
| echo "--- Diff ---" | |
| diff "$COMPOSE" /tmp/compose-updated.yaml || true | |
| fi |
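Review bot: The yq binary is fetched with `wget` from the release URL and executed with no integrity check in all three "Install yq" steps, so a substituted or tampered release asset would run under sudo on every CI job; pin an expected digest next to the version and verify it before `chmod +x`, e.g. `echo "${YQ_SHA256}  /usr/local/bin/yq" | sha256sum -c -` with `YQ_SHA256` taken from the `checksums` file published with the v4.44.6 release, and consider moving the three identical install steps into one composite action so the pin lives in one place. In the "Compare with demo compose" step the two `yq -i` calls splice `${LATEST_TAG}` into the expression through shell interpolation, so a tag containing a quote or yq syntax would change the expression rather than the value; build it with `strenv` instead, `yq -i '.services.backend.image = "ghcr.io/aquasecurity/trivy:" + strenv(LATEST_TAG)' /tmp/compose-updated.yaml`, or reuse the semver regex check from the test-ghcr-tag job before editing. The forge also flagged this file as containing hidden or bidirectional Unicode, which the visible em dashes alone should not trigger; the raw bytes should be inspected for zero-width or bidi control characters before merge, since a workflow file is executed with repository credentials.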