homelab-gitops/.tekton/ci.yaml
gwg313 145721146e
add pac
Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-28 23:33:25 -04:00


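---
# Pipelines-as-Code PipelineRun for the homelab-gitops repository.
# Runs on pull_request and push to main: clones the repo, then runs
# yamllint, kubeconform and gitleaks in parallel against the checkout.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: homelab-ci
  annotations:
    # PaC annotations take string values, so the list syntax stays quoted.
    pipelinesascode.tekton.dev/on-event: "[pull_request, push]"
    pipelinesascode.tekton.dev/on-target-branch: "[main]"
    pipelinesascode.tekton.dev/max-keep-runs: "5"
spec:
  taskRunTemplate:
    serviceAccountName: tekton-runner
    podTemplate:
      metadata:
        labels:
          # triggers built-in exemption in require-non-root ClusterPolicy
          # NOTE(review): a label-based exemption is usable by anyone who can
          # create PipelineRuns in this namespace — confirm the ClusterPolicy
          # limits who may set it.
          # NOTE(review): confirm the Tekton pod template accepts
          # metadata.labels on the version in use; PipelineRun-level
          # metadata.labels also propagate to pods and may be the intended
          # place for this label.
          security.policy/allow-root: "true"
      securityContext:
        seccompProfile:
          type: RuntimeDefault
  workspaces:
    # Shared checkout volume; one PVC per run.
    - name: source
      volumeClaimTemplate:
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 1Gi
  params:
    # {{ repo_url }} / {{ revision }} are expanded by Pipelines-as-Code.
    - name: repo_url
      value: "{{ repo_url }}"
    - name: revision
      value: "{{ revision }}"
    # In-cluster clone URL (plain HTTP inside the cluster network); the
    # clone task uses this rather than repo_url.
    - name: clone_url
      value: "http://forgejo.forgejo.svc.cluster.local/gwg313/homelab-gitops"
  pipelineSpec:
    params:
      # repo_url is declared for parity with the PaC params but is not
      # referenced by any task below.
      - name: repo_url
        type: string
      - name: revision
        type: string
      - name: clone_url
        type: string
    workspaces:
      - name: source
    tasks:
      # Clone via the cluster-scoped git-clone task in namespace cicd.
      - name: clone
        params:
          - name: url
            value: $(params.clone_url)
          - name: revision
            value: $(params.revision)
        workspaces:
          - name: output
            workspace: source
        taskRef:
          resolver: cluster
          params:
            - name: kind
              value: task
            - name: name
              value: git-clone
            - name: namespace
              value: cicd

      # Lint every YAML file in the checkout.
      - name: lint-yaml
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: yamllint
              # TODO(review): pin to a release tag or @sha256 digest instead
              # of :latest so the lint toolchain cannot change under the run.
              image: pipelinecomponents/yamllint:latest
              workingDir: $(workspaces.source.path)
              # explicit false prevents default-run-as-non-root mutation from adding true
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                capabilities:
                  drop: [ALL]
              script: yamllint .

      # Validate manifests against upstream Kubernetes JSON schemas.
      - name: validate
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: kubeconform
              # TODO(review): pin to a tag or @sha256 digest instead of :latest.
              image: alpine:latest
              workingDir: $(workspaces.source.path)
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                # empty capabilities block prevents default-drop-all-capabilities
                # mutation from adding drop:ALL — apk needs CAP_CHOWN to install packages
                # This step therefore runs as root with the image's default
                # capability set; a prebuilt kubeconform image would remove
                # both the runtime download and the need for root.
                capabilities: {}
              script: |
                #!/bin/sh
                # pipefail: without it a failed `git ls-files` (or curl) is masked
                # by the success of the downstream command, and validation would
                # silently pass on an empty file list.
                set -e
                set -o pipefail
                apk add --no-cache curl git tar
                # TODO(review): this fetches the unpinned latest release with no
                # checksum or signature verification; pin a version and verify
                # the release checksum before trusting the binary.
                # -f makes curl exit non-zero on an HTTP error instead of piping
                # an error page into tar.
                curl -fsSL \
                  https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz \
                  | tar xz -C /usr/local/bin
                # NOTE(review): Pipelines-as-Code also expands {{ }} placeholders
                # in this file — confirm the kubeconform template variables below
                # reach the script unchanged.
                SCHEMA='https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json'
                # -ignore-missing-schemas keeps CRDs from failing the run, which
                # also means resources without a schema are not validated at all.
                git ls-files '*.yaml' '*.yml' | xargs kubeconform \
                  -strict \
                  -summary \
                  -ignore-missing-schemas \
                  -schema-location "$SCHEMA" \
                  -schema-location default

      # Scan the checked-out tree for committed secrets.
      - name: scan-secrets
        runAfter: [clone]
        workspaces:
          - name: source
            workspace: source
        taskSpec:
          workspaces:
            - name: source
          steps:
            - name: gitleaks
              # TODO(review): pin to a tag or @sha256 digest instead of :latest.
              image: ghcr.io/zricethezav/gitleaks:latest
              workingDir: $(workspaces.source.path)
              securityContext:
                runAsNonRoot: false
                allowPrivilegeEscalation: false
                capabilities:
                  drop: [ALL]
              command: [gitleaks]
              # --no-git scans the working tree only (not commit history);
              # --redact keeps matched secret values out of the run log.
              args: [detect, --no-git, -v, --redact, --source=.]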