
ci: Add workflow to validate all kustomize builds #351

Open

Francisco-xiq wants to merge 1 commit into ansible:main from Francisco-xiq:ci/validate-kustomize-build

Conversation

Francisco-xiq (Contributor) commented May 28, 2026

Summary

Adds a new GitHub Actions workflow to validate all kustomization.yaml files in the repository on every pull request.

This was suggested in #350, where a stale reference to a deleted file (../default/manager_auth_proxy_patch.yaml) went undetected until manually tested. A kustomize validation step was suggested to solve this problem.

What it does

  • Finds all kustomization.yaml files in the repository (excluding vendor/)
  • Runs kustomize build on each one to ensure all referenced files exist and the YAML is valid
  • Reports all failures at once instead of stopping at the first error

Testing

Validated locally and in CI on a test PR that intentionally reintroduced the broken reference; the workflow correctly failed with a clear error message pointing to the problematic file.

Summary by CodeRabbit

  • Chores
    • Added an automated pull-request check that validates kustomize configurations on PRs: it scans each kustomization directory (excluding vendored paths), runs a build validation per directory, reports per-directory success or failure, creates annotations for failing files, and fails the check if any validations fail.
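The three steps described above, written out as an added shell function (example code, not the workflow script from this PR): it finds every kustomization.yaml outside vendor/, runs kustomize build in each directory, emits a GitHub Actions error annotation on each failing file, and returns the failure count so the job fails only after every directory has been reported. The KUSTOMIZE variable (defaulting to the kustomize on PATH) and the function name are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): validate every kustomization.yaml
# under a tree with `kustomize build`, reporting all failures before exiting.
set -u

# Binary to run; in CI this could be the one produced by `make kustomize`.
# KUSTOMIZE and validate_kustomizations are names assumed for this example.
KUSTOMIZE="${KUSTOMIZE:-kustomize}"

# validate_kustomizations ROOT
# Prints ok/FAIL per directory, emits a GitHub Actions ::error annotation on
# each failing kustomization.yaml, and returns the number of failures (0 when
# every build succeeded), so one broken directory cannot mask another.
validate_kustomizations() {
  local root="$1" failures=0 files file dir err
  # Find kustomization.yaml files, pruning any vendor/ subtree. The list is
  # split on whitespace, which repository paths are assumed not to contain.
  files=$(find "$root" -path '*/vendor' -prune -o -name kustomization.yaml -print | sort)
  for file in $files; do
    file="${file#./}"                  # keep annotation paths repo-relative
    dir=$(dirname "$file")
    # Capture stderr only; a successful build's manifests are not needed here.
    if err=$("$KUSTOMIZE" build "$dir" 2>&1 >/dev/null); then
      echo "ok:   $dir"
    else
      failures=$((failures + 1))
      echo "FAIL: $dir"
      # Workflow command that GitHub renders inline on the failing file;
      # newlines are folded to spaces so the message stays one command.
      echo "::error file=$file::kustomize build failed in $dir: $(printf '%s' "$err" | tr '\n' ' ')"
    fi
  done
  if [ "$failures" -eq 0 ]; then
    echo "All kustomizations built successfully"
  else
    echo "$failures kustomization(s) failed to build"
  fi
  if [ "$failures" -gt 255 ]; then failures=255; fi   # exit codes are 8-bit
  return "$failures"
}

# Stand-alone use: validate-kustomize.sh ROOT (e.g. "." from the repo root)
if [ "$#" -gt 0 ]; then
  validate_kustomizations "$1"
fi
```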

coderabbitai Bot commented May 28, 2026

Warning

Review limit reached

@Francisco-xiq, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 38 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: a96edae5-6f1f-45a6-9dcd-da1a8f504643

📥 Commits

Reviewing files that changed from the base of the PR and between 46789f3 and beefc5e.

📒 Files selected for processing (1)
  • .github/workflows/validate-kustomize.yml
Walkthrough

This PR adds a new GitHub Actions workflow that validates kustomize configuration builds. The workflow runs on pull requests, installs kustomize, discovers all kustomization.yaml files (excluding vendor/), executes kustomize build in each directory, reports per-directory results, and fails the job if any build fails.

Changes

Kustomize Build Validation Workflow

  • Layer: Kustomize validation and build verification
    File(s): .github/workflows/validate-kustomize.yml
    Summary: Workflow installs kustomize, discovers all kustomization.yaml files excluding vendor/, runs kustomize build per directory, logs success/failure messages, emits error annotations on build failure, and exits non-zero if any validation fails.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically summarizes the main change: adding a GitHub Actions workflow to validate kustomize builds across the repository.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/validate-kustomize.yml:
- Around line 12-13: Update the checkout step to use a specific commit SHA for
actions/checkout and add persist-credentials: false to harden credential
exposure, and replace the mutable kustomize install call that invokes
kubernetes-sigs/kustomize/master/hack/install_kustomize.sh with a deterministic
installation of the pinned kustomize version (kustomize/v5.6.0) used by the repo
Makefile—e.g., download the v5.6.0 release binary or use a release-tagged action
instead of the master hack script so the workflow is reproducible and
version-aligned.
- Around line 15-18: The "Install kustomize" workflow step currently pipes the
install script from kubernetes-sigs/kustomize master, which is unpinned; change
this to fetch the kustomize v5.6.0 release artifact (or the install script from
the v5.6.0 tag) instead of master so CI matches the Makefile contract; update
the run step that currently curls "install_kustomize.sh | bash" to download the
v5.6.0 binary (or curl the install script URL pinned to v5.6.0) and then run the
same sudo mv kustomize /usr/local/bin/ to install it.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fbf11a8b-c570-4f3c-953b-217265a3b18c

📥 Commits

Reviewing files that changed from the base of the PR and between dd35b5c and 27ae77d.

📒 Files selected for processing (1)
  • .github/workflows/validate-kustomize.yml

Comment on lines +12 to +13:
      - name: Checkout sources
        uses: actions/checkout@v4
coderabbitai Bot commented May 28, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflow action pinning and checkout credential persistence settings.
set -euo pipefail

echo "== uses: lines (show if pinned to full SHA) =="
rg -n '^\s*uses:\s*' .github/workflows

echo
echo "== checkout steps and nearby context =="
rg -n -C3 'actions/checkout@' .github/workflows

echo
echo "Expected:"
echo " - checkout uses full commit SHA (40-hex)"
echo " - checkout step includes: persist-credentials: false"

Repository: ansible/eda-server-operator

Length of output: 5271


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/validate-kustomize.yml"

echo "== validate-kustomize.yml (line count) =="
wc -l "$file" || true

echo
echo "== validate-kustomize.yml (lines 1-120) =="
nl -ba "$file" | sed -n '1,120p'

echo
echo "== validate-kustomize.yml: checkout block context =="
nl -ba "$file" | sed -n '1,60p'

echo
echo "== validate-kustomize.yml: kustomize install commands context =="
rg -n "install_kustomize\.sh|kustomize" "$file" || true

echo
echo "== validate-kustomize.yml: vendor exclusion context =="
rg -n "vendor" "$file" || true

echo
echo "== Makefile: kustomize pin (if present) =="
rg -n "kustomize.*v|KUSTOMIZE" Makefile **/Makefile 2>/dev/null || true

Repository: ansible/eda-server-operator

Length of output: 263


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/validate-kustomize.yml"

echo "== validate-kustomize.yml: exists/size =="
ls -l "$file" || true
echo
echo "== validate-kustomize.yml: content (with line numbers via cat -n) =="
cat -n "$file"

echo
echo "== validate-kustomize.yml: checkout step uses: lines (with context) =="
rg -n -C3 "Checkout sources|actions/checkout@" "$file" || true

echo
echo "== validate-kustomize.yml: persist-credentials lines (if any) =="
rg -n "persist-credentials" "$file" || true

echo
echo "== validate-kustomize.yml: kustomize install commands (if any) =="
rg -n "install_kustomize\.sh|kustomize" "$file" || true

echo
echo "== locate Makefile(s) =="
ls -l Makefile || true
echo
echo "== Makefile: kustomize pin (if present) =="
rg -n "kustomize.*v|KUSTOMIZE" Makefile .github/workflows 2>/dev/null || true

Repository: ansible/eda-server-operator

Length of output: 3671


Harden checkout + make kustomize install reproducible/version-aligned

  • At Line 13, uses: actions/checkout@v4 is not SHA-pinned, and the step omits persist-credentials: false.
Suggested patch
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@<PINNED_SHA>
+        with:
+          persist-credentials: false
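Review bot: <PINNED_SHA> in the uses: line is a placeholder that will not resolve; before applying this patch, substitute the full 40-hex commit SHA of the actions/checkout release being pinned and keep a trailing "# v4.x.y" comment beside it so reviewers can see which tag the hash corresponds to. The added with: persist-credentials: false is correct as shown and needs no change.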
  • At Lines 17-18, kustomize is installed by executing the mutable kubernetes-sigs/kustomize/master/hack/install_kustomize.sh script; this isn’t reproducible and doesn’t match the repo’s Makefile pin to kustomize/v5.6.0.
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 12-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)


Francisco-xiq (Contributor, Author) replied:

Working on that

coderabbitai Bot replied:

@Francisco-xiq, sounds great! When you're ready, here's a quick reference for both fixes:

  1. Pin actions/checkout to a SHA – you can grab the latest v4 SHA from the releases page and add persist-credentials: false:

    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      with:
        persist-credentials: false
  2. Install the same kustomize version pinned in the Makefile (v5.6.0) instead of pulling from master:

    - name: Install kustomize
      run: |
        curl -sSLo kustomize.tar.gz \
          "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.6.0/kustomize_v5.6.0_linux_amd64.tar.gz"
        tar -xzf kustomize.tar.gz
        sudo mv kustomize /usr/local/bin/kustomize
        kustomize version

Feel free to ping me once you push the update and I'll re-review. 🐇

Comment thread .github/workflows/validate-kustomize.yml Outdated
Francisco-xiq force-pushed the ci/validate-kustomize-build branch from 27ae77d to aa07da9 on May 28, 2026 at 21:59
coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/validate-kustomize.yml (1)

4-9: ⚡ Quick win

Add a least-privilege permissions block.

The workflow inherits the default GITHUB_TOKEN permissions. Since it only checks out and validates, scope it to read-only.

🔒 Suggested addition
 on:
   pull_request:

+permissions:
+  contents: read
+
 jobs:
   validate-kustomize:
     runs-on: ubuntu-latest
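Review bot: a top-level permissions: block applies to every job in the file, so with the single validate-kustomize job this placement is sufficient; the error annotations the validation step emits are workflow commands written to the step log and need no token scope, so contents: read does not break them. If a later step ever needs write access (labels, check runs), grant it per job rather than widening this block.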
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/validate-kustomize.yml around lines 4 - 9, The workflow
currently uses the default GITHUB_TOKEN permissions; add a least-privilege
permissions block at the workflow top-level to scope the token to read-only
(e.g., set permissions: contents: read) so the validate-kustomize job (runs-on:
ubuntu-latest) only has repository read access when triggered on pull_request;
insert this permissions block alongside the existing on: pull_request
declaration to restrict the GITHUB_TOKEN.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 0758a104-b32e-4f80-8ca4-3d11595114ce

📥 Commits

Reviewing files that changed from the base of the PR and between 27ae77d and aa07da9.

📒 Files selected for processing (1)
  • .github/workflows/validate-kustomize.yml

Francisco-xiq force-pushed the ci/validate-kustomize-build branch 2 times, most recently from 66e4843 to 1f6963d on May 28, 2026 at 22:25
Francisco-xiq (Contributor, Author) commented:

Updated the workflow to use make kustomize so the CI stays in sync with whatever version the Makefile pins; no duplication needed.

For the actions/checkout SHA pin, I've noticed that all other workflows here use @v4, so I kept it consistent. Happy to change if the project wants to adopt another solution.

Francisco-xiq force-pushed the ci/validate-kustomize-build branch from 1f6963d to 46789f3 on May 29, 2026 at 12:56
Signed-off-by: Francisco-Xiq <franciscopsf.contato@gmail.com>
Francisco-xiq force-pushed the ci/validate-kustomize-build branch from 46789f3 to beefc5e on May 29, 2026 at 12:57
