@@ -13,21 +13,28 @@ jobs:
1313 runs-on : ubuntu-latest
1414 strategy :
1515 matrix :
16- env : [dev, tst, stg, prd]
16+ env : [dev] # [ tst, dev , stg, prd]
1717 steps :
1818 - uses : actions/checkout@v4
1919
2020 - name : Setup tools
2121 run : |
2222 curl -LO https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
2323 tar -xf kubeconform-linux-amd64.tar.gz && sudo mv kubeconform /usr/local/bin
24+
2425 curl -LO https://openpolicyagent.org/downloads/latest/opa_linux_amd64
2526 chmod +x opa_linux_amd64 && sudo mv opa_linux_amd64 /usr/local/bin/opa
2627
2728 - name : Validate Kustomize
2829 run : |
2930 kubectl kustomize clusters/${{ matrix.env }}/ > rendered.yaml
3031
32+ - name : Save rendered manifest as artifact
33+ uses : actions/upload-artifact@v4
34+ with :
35+ name : rendered-manifest-${{ matrix.env }}-${{ github.run_number }}
36+ path : rendered.yaml
37+
3138 - name : Kubeconform validation
3239 run : |
3340 kubeconform -summary -strict \
3643
3744 - name : OPA policy check
3845 run : |
39- opa eval -f pretty -d policies/ -i rendered.yaml "data.kubernetes.deny[msg]"
46+ echo "🔎 Evaluating OPA policies..."
47+ opa eval -f pretty -d policies/ -i rendered.yaml "data.kubernetes.deny[msg]" || {
48+ echo "❌ OPA crashed (syntax or data issue)"
49+ exit 2
50+ }
51+
52+ result=$(opa eval -f pretty -d policies/ -i rendered.yaml "data.kubernetes.deny[msg]")
53+ echo "$result"
54+
55+ if echo "$result" | grep -q "msg"; then
56+ echo "❌ OPA policy violations found"
57+
58+ echo "⛔ Problem fragment:"
59+ line=$(grep -n "$(echo "$result" | grep msg | cut -d':' -f2 | head -n1 | xargs)" rendered.yaml | cut -d':' -f1 | head -n1)
60+ if [ -n "$line" ]; then
61+ start=$((line-10))
62+ [ "$start" -lt 1 ] && start=1
63+ end=$((line+10))
64+ sed -n "${start},${end}p" rendered.yaml
65+ fi
66+
67+ exit 1
68+ fi
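Review bot: The verdict in the new OPA step rests on `grep -q "msg"` over opa's pretty-printed stdout (new line 55), so the step fails open whenever opa exits 0 with an empty result — for instance if `policies/` no longer defines anything under `data.kubernetes.deny` — and, if `-f pretty` renders its usual table, the match is really against the `msg` column header rather than any finding. opa can make that decision itself: run it once with `--fail-defined` and branch on the exit status instead of invoking it twice and scraping stdout (the first call at new line 47 is only a crash probe, and under the runner's default `bash -e` a failing `result=$(…)` would already abort the step). The snippet lookup at new line 59 also assumes every finding contains a `:` (`cut -d':' -f2`) and feeds the message to grep as an unescaped pattern, so it will often print nothing; it can stay as a best-effort aid, but should not be relied on. Separately, the matrix now runs only `dev` (new line 16), which means stg and prd manifests are no longer validated by this workflow at all — if that is temporary, the inline comment should say why and for how long. Rewritten check:
```yaml
      - name: OPA policy check
        run: |
          echo "🔎 Evaluating OPA policies..."
          # Single evaluation; --fail-defined makes opa exit non-zero when deny has
          # any result, so the verdict no longer depends on grepping the output.
          set +e
          result=$(opa eval --fail-defined -f pretty -d policies/ -i rendered.yaml "data.kubernetes.deny[msg]" 2>&1)
          status=$?
          set -e
          echo "$result"
          if [ "$status" -ne 0 ]; then
            echo "❌ OPA policy violations found or evaluation failed (opa exit status $status)"
            # … unchanged: best-effort problem-fragment lookup in rendered.yaml …
            exit 1
          fi
```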