Signed-off-by: gwg313 <gwg313@pm.me>
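---
# Pipelines-as-Code PipelineRun for the homelab-gitops repository.
# Triggered on pull_request and push events targeting main; clones the repo
# and runs three independent checks (yamllint, kubeconform, gitleaks).
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: homelab-ci
  annotations:
    pipelinesascode.tekton.dev/on-event: "[pull_request, push]"
    pipelinesascode.tekton.dev/on-target-branch: "[main]"
    # only the five most recent runs are retained
    pipelinesascode.tekton.dev/max-keep-runs: "5"
spec:
  taskRunTemplate:
    serviceAccountName: tekton-runner
    podTemplate:
      metadata:
        labels:
          # triggers built-in exemption in require-non-root ClusterPolicy
          # NOTE(review): confirm Tekton propagates podTemplate.metadata.labels
          # to the TaskRun pods — if the label is dropped, the exemption never applies
          security.policy/allow-root: "true"
      securityContext:
        # pod-level seccomp; steps below still opt out of non-root individually
        seccompProfile:
          type: RuntimeDefault
  workspaces:
    - name: source
      volumeClaimTemplate:
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 1Gi
  params:
    # repo_url is declared and passed through but no task below references it;
    # the clone uses clone_url (in-cluster Forgejo address) instead
    - name: repo_url
      value: "{{ repo_url }}"
    - name: revision
      value: "{{ revision }}"
    - name: clone_url
      value: "http://forgejo.forgejo.svc.cluster.local/gwg313/homelab-gitops"
  pipelineSpec:
    params:
      - name: repo_url
        type: string
      - name: revision
        type: string
      - name: clone_url
        type: string
    workspaces:
      - name: source
    tasks:
      - name: clone
        params:
          - name: url
            value: $(params.clone_url)
          - name: revision
            value: $(params.revision)
        workspaces:
          - name: output
            workspace: source
        taskRef:
          resolver: cluster
          params:
            - name: kind
              value: task
            - name: name
              value: git-clone
            - name: namespace
              value: cicd

      - name: lint-yaml
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: yamllint
              # NOTE(review): floating tag; pin by digest for reproducible, tamper-evident CI
              image: pipelinecomponents/yamllint:latest
              workingDir: $(workspaces.source.path)
              # explicit false prevents default-run-as-non-root mutation from adding true
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                capabilities:
                  drop: [ALL]
              script: yamllint .

      - name: validate
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: kubeconform
              # NOTE(review): floating tag; pin by digest for reproducible, tamper-evident CI
              image: alpine:latest
              workingDir: $(workspaces.source.path)
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                # empty capabilities block prevents default-drop-all-capabilities
                # mutation from adding drop:ALL — apk needs CAP_CHOWN to install packages
                # NOTE(review): this step therefore runs as root with the runtime's default
                # capability set and outbound network access; a prebuilt image carrying
                # kubeconform and git would likely let it run like the other two steps
                capabilities: {}
              script: |
                #!/bin/sh
                # pipefail: without it a failed download is only caught indirectly
                # through tar's exit status
                set -e -o pipefail
                apk add --no-cache curl git tar
                # NOTE(review): the binary is fetched from the floating "latest" release with
                # no integrity check; pin a release and verify its checksum (sha256sum -c
                # against a value recorded in this repo) before trusting it.
                # -f makes curl fail on HTTP errors instead of piping an error body into tar
                curl -fsSL \
                  https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz \
                  | tar xz -C /usr/local/bin
                SCHEMA='https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json'
                # NUL-delimited so paths containing whitespace survive the xargs hand-off.
                # -ignore-missing-schemas: kinds with no published schema (CRDs) pass
                # silently rather than failing the run
                git ls-files -z '*.yaml' '*.yml' | xargs -0 kubeconform \
                  -strict \
                  -summary \
                  -ignore-missing-schemas \
                  -schema-location "$SCHEMA" \
                  -schema-location default

      - name: scan-secrets
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: gitleaks
              # NOTE(review): floating tag; pin by digest for reproducible, tamper-evident CI
              image: ghcr.io/zricethezav/gitleaks:latest
              workingDir: $(workspaces.source.path)
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                capabilities:
                  drop: [ALL]
              command: [gitleaks]
              # --no-git scans only the checked-out tree, not commit history, so a secret
              # committed and later removed is not reported; --redact keeps matched values
              # out of the run logs.
              # NOTE(review): acceptable if the clone is shallow — confirm the depth used
              # by the cicd/git-clone task
              args: [detect, --no-git, -v, --redact, --source=.]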