
migrate image tags from docker-compose.yaml to .env #8


Workflow file for this run

###############################################################################
# CI Dry-Run — Validates templates and demo
#
# Runs on push to main, PRs, and manual dispatch.
# Catches regressions in YAML syntax, shell scripts, version extraction,
# GHCR tag discovery, and the release-PR logic.
###############################################################################
name: "CI: Dry-run validation"

# Triggers: pushes to main, every pull request, and manual runs from the
# Actions tab.
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
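jobs:
  # Every job below only reads the repository, so each one narrows the
  # GITHUB_TOKEN to read-only scopes instead of inheriting the repo default.
  # NOTE(review): actions/checkout is referenced by a mutable tag (v4);
  # pinning it to a full commit SHA would make the reference immutable.

  # Parses every YAML file under templates/ and demo/ with yq.
  lint-yaml:
    name: Lint YAML
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the token
          # in the checked-out repository's git config.
          persist-credentials: false
      - name: Install yq
        # NOTE(review): the binary is pinned to a release version, but its
        # digest is never checked. Record the expected SHA-256 for this
        # release in the repository and verify the download against it
        # before installing.
        # The download runs unprivileged; only the install step uses sudo.
        run: |
          wget -qO "${RUNNER_TEMP}/yq" https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64
          sudo install -m 0755 "${RUNNER_TEMP}/yq" /usr/local/bin/yq
      - name: Validate all YAML files
        run: |
          status=0
          while IFS= read -r f; do
            if yq e '.' "$f" > /dev/null 2>&1; then
              echo "OK: $f"
            else
              echo "FAIL: $f"
              status=1
            fi
          done < <(find templates demo -type f \( -name '*.yaml' -o -name '*.yml' \) | sort)
          exit "${status}"

  # Runs shellcheck over the two deployment scripts.
  lint-shell:
    name: Lint Shell
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run shellcheck on deployment scripts
        run: |
          shellcheck templates/gitops-ci/deployment.sh
          shellcheck demo/projects/demo-app/deployment.sh

  # Asserts that the demo .env yields the expected image tags.
  test-version-extraction:
    name: Test version extraction
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Extract and assert versions from demo .env
        # `source` runs the .env file as shell code. That is tolerable here
        # because the job holds only a read-only token and no secrets; in a
        # workflow with write access, parse the KEY=VALUE lines instead.
        run: |
          ENV_FILE="demo/projects/demo-app/.env"
          source "${ENV_FILE}"
          echo "backend=${BACKEND_TAG} frontend=${FRONTEND_TAG}"
          errors=0
          if [[ "${BACKEND_TAG}" != "0.24.0" ]]; then
            echo "FAIL: BACKEND_TAG=${BACKEND_TAG}, expected 0.24.0"
            errors=$((errors + 1))
          fi
          if [[ "${FRONTEND_TAG}" != "0.23.0" ]]; then
            echo "FAIL: FRONTEND_TAG=${FRONTEND_TAG}, expected 0.23.0"
            errors=$((errors + 1))
          fi
          if [[ $errors -gt 0 ]]; then
            echo "::error::${errors} version extraction assertion(s) failed"
            exit 1
          fi
          echo "All version extraction assertions passed"

  # Exercises the local ghcr-latest-tag action and checks its output shape.
  test-ghcr-tag:
    name: Test GHCR tag discovery
    runs-on: ubuntu-latest
    # NOTE(review): packages: read is assumed to be all the local
    # ghcr-latest-tag action needs from the token; confirm against the action.
    permissions:
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Discover latest trivy tag
        id: discover
        uses: ./templates/gitops-ci/.github/actions/ghcr-latest-tag
        with:
          image: "aquasecurity/trivy"
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Assert tag is non-empty semver
        # The step output is passed through env rather than expanded inside
        # the script, so the registry value is never parsed as shell source.
        env:
          TAG: ${{ steps.discover.outputs.tag }}
        run: |
          echo "Discovered tag: ${TAG}"
          if [[ -z "${TAG}" ]]; then
            echo "::error::GHCR tag discovery returned empty"
            exit 1
          fi
          if [[ ! "${TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Tag '${TAG}' is not a valid semver"
            exit 1
          fi
          echo "Tag '${TAG}' is valid semver"

  # Shows what a release PR would change, without creating one.
  test-release-pr-dryrun:
    name: Test release PR (dry-run)
    runs-on: ubuntu-latest
    # NOTE(review): packages: read is assumed to be all the local
    # ghcr-latest-tag action needs from the token; confirm against the action.
    permissions:
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Discover latest tag
        id: discover
        uses: ./templates/gitops-ci/.github/actions/ghcr-latest-tag
        with:
          image: "aquasecurity/trivy"
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Compare with demo .env
        env:
          LATEST_TAG: ${{ steps.discover.outputs.tag }}
        run: |
          # LATEST_TAG comes from the registry. Reject anything that is not
          # plain semver before it is interpolated into a sed expression;
          # this is the same pattern the test-ghcr-tag job enforces.
          if [[ ! "${LATEST_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            printf 'Rejected tag: %q\n' "${LATEST_TAG}"
            echo "::error::Discovered tag is not a valid semver"
            exit 1
          fi
          ENV_FILE="demo/projects/demo-app/.env"
          source "${ENV_FILE}"
          currentTag="${BACKEND_TAG}"
          echo "Current pinned: ${currentTag}"
          echo "Latest on GHCR: ${LATEST_TAG}"
          if [[ "${currentTag}" == "${LATEST_TAG}" ]]; then
            echo "Tags match — no PR would be created"
          else
            echo "Tags differ — a release PR would update ${currentTag} -> ${LATEST_TAG}"
            # Show what the updated .env would look like, using a private
            # temp file rather than a fixed path under /tmp.
            updated_env="$(mktemp)"
            cp "${ENV_FILE}" "${updated_env}"
            sed -i "s/^BACKEND_TAG=.*/BACKEND_TAG=${LATEST_TAG}/" "${updated_env}"
            sed -i "s/^FRONTEND_TAG=.*/FRONTEND_TAG=${LATEST_TAG}/" "${updated_env}"
            echo "--- Diff ---"
            diff "${ENV_FILE}" "${updated_env}" || true
            rm -f "${updated_env}"
          fi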