feat: add flags for input and output programs #754
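# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# PR gate: action pinning check, codegen verification, Trivy scan, lint,
# conventional-commit title check, unit tests + coverage, image build and
# the e2e matrix on kind. The `required` job is the single check that
# aggregates everything else.
name: PR

# The default GITHUB_TOKEN starts with no permissions at all; jobs that need
# more (currently only scan-trivy) request them at job level.
permissions: {}

on:
  pull_request:
    branches:
      - '*'

# Only the newest run per workflow+ref survives; earlier runs on the same
# PR are cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Fails if any `uses:` reference in the repo is not pinned to a commit SHA.
  check-actions:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
        with:
          # slsa-github-generator requires using a semver tag for reusable workflows.
          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
          allowlist: |
            slsa-framework/slsa-github-generator

  # Regenerates code and fails if the checked-in output is stale.
  verify-codegen:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Verify codegen
        run: |
          set -e
          make verify-codegen

  # Filesystem scan (vulnerabilities + secrets); results land in code
  # scanning via SARIF rather than failing the job.
  scan-trivy:
    runs-on: ubuntu-latest
    permissions:
      # Needed by the upload-sarif step; nothing else is granted.
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Run trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scan-type: fs
          ignore-unfixed: false
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH,MEDIUM
          scanners: vuln,secret
          # Findings never fail this job; they are surfaced through the
          # SARIF upload below instead.
          exit-code: "0"
          vuln-type: os,library
        env:
          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
      - name: Upload trivy scan results
        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
        with:
          sarif_file: trivy-results.sarif
          category: code

  golangci-lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          skip-cache: true
          args: --timeout 5m

  # Enforces conventional-commit style PR titles (and the single commit
  # message, see validateSingleCommit below).
  semantics-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Validate pull request
        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # Configure which types are allowed.
          # Default: https://github.com/commitizen/conventional-commit-types
          types: |
            feat
            fix
            build
            chore
            ci
            docs
            perf
            refactor
            revert
            style
            test
            release
          # Configure which scopes are allowed.
          scopes: |
            api
            client
            commands
            config
            data
            deps
            discovery
            internal
            report
            resource
            runner
            operations
            processors
            test
            utils
            validation
            version
            docs
            release
            testdata
          ignoreLabels: |
            bot
            ignore-semantic-pull-request
          # Configure that a scope must always be provided.
          requireScope: false
          # When using "Squash and merge" on a PR with only one commit, GitHub
          # will suggest using that commit message instead of the PR title for the
          # merge commit, and it's easy to commit this by mistake. Enable this option
          # to also validate the commit message for one commit PRs.
          validateSingleCommit: true
          # Related to `validateSingleCommit` you can opt-in to validate that the PR
          # title matches a single commit to avoid confusion.
          validateSingleCommitMatchesPrTitle: true

  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Run tests
        run: |
          set -e
          make tests
      # Coverage is handed to upload-to-codecov through a short-lived artifact.
      - name: Upload coverage
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: coverage.out
          path: coverage.out
          retention-days: 1
          if-no-files-found: error

  upload-to-codecov:
    needs:
      - unit-tests
    runs-on: ubuntu-latest
    steps:
      - name: Download coverage
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: coverage.out
      - name: Upload Report to Codecov
        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          files: ./coverage.out
          fail_ci_if_error: true
          verbose: true
        env:
          # NOTE(review): repository secrets are not exposed to pull_request
          # runs from forks; confirm how fork PRs are expected to behave here.
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # Builds the image once and shares it with every e2e job as an artifact.
  prepare-images:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Save image archive
        shell: bash
        run: |
          set -e
          make ko-build
          make docker-save-image
      - name: Upload image archive
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: image.tar
          path: image.tar
          retention-days: 1
          if-no-files-found: error

  # e2e jobs share the same shape: kind cluster per k8s version, load the
  # prebuilt image, install dependencies, deploy the component, run chainsaw.
  e2e-authz-server-envoy:
    runs-on: ubuntu-latest
    needs: [prepare-images]
    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.31.12, v1.32.8, v1.33.4, v1.34.0]
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Install helm
        id: helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Install chainsaw
        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
        with:
          # Signature verification of the chainsaw binary (uses cosign above).
          verify: true
      - name: Download image archive
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: image.tar
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version }}
          cluster_name: kind
      - name: Load image archive
        run: |
          set -e
          make kind-load-archive
      - name: Setup istio
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          KYVERNO_AUTHZ_SERVICE=kyverno-authz-server.kyverno.svc.cluster.local make install-istio
      - name: Setup cert-manager
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make install-cert-manager install-cluster-issuer
      - name: Install VPOL
        run: |
          set -e
          make install-vpol
      - name: Install chart
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make deploy-kyverno-envoy-server
      - name: Install sample app
        run: |
          set -e
          kubectl create ns app
          kubectl label namespace app istio-injection=enabled
          kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/httpbin/httpbin.yaml -n app
      - name: Run Chainsaw Tests
        run: |
          set -e
          chainsaw test tests/e2e/authz-server/envoy

  e2e-authz-server-http:
    runs-on: ubuntu-latest
    needs: [prepare-images]
    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.31.12, v1.32.8, v1.33.4, v1.34.0]
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Install helm
        id: helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Install chainsaw
        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
        with:
          verify: true
      - name: Download image archive
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: image.tar
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version }}
          cluster_name: kind
      - name: Load image archive
        run: |
          set -e
          make kind-load-archive
      - name: Setup cert-manager
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make install-cert-manager install-cluster-issuer
      - name: Install VPOL
        run: |
          set -e
          make install-vpol
      - name: Install chart
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make deploy-kyverno-http-server
      - name: Install sample app
        run: |
          set -e
          kubectl create ns app
          kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/httpbin/httpbin.yaml -n app
      - name: Run Chainsaw Tests
        run: |
          set -e
          chainsaw test tests/e2e/authz-server/http

  e2e-sidecar-injector:
    runs-on: ubuntu-latest
    needs: [prepare-images]
    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.31.12, v1.32.8, v1.33.4, v1.34.0]
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Install helm
        id: helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Install chainsaw
        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
        with:
          verify: true
      - name: Download image archive
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: image.tar
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version }}
          cluster_name: kind
      - name: Load image archive
        run: |
          set -e
          make kind-load-archive
      - name: Setup istio
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          KYVERNO_AUTHZ_SERVICE=kyverno-authz-server.local make install-istio install-service-entry
      - name: Setup cert-manager
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make install-cert-manager install-cluster-issuer
      - name: Install VPOL
        run: |
          set -e
          make install-vpol
      - name: Install chart
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make deploy-kyverno-sidecar-injector
      - name: Install sample app
        run: |
          set -e
          kubectl create ns app
          kubectl label namespace app istio-injection=enabled
          kubectl label namespace app kyverno-injection=enabled
          kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/httpbin/httpbin.yaml -n app
      # Same step shape as the other e2e jobs.
      - name: Run Chainsaw Tests
        run: |
          set -e
          chainsaw test tests/e2e/sidecar-injector

  # NOTE(review): the job id keeps the historical "wehook" spelling; renaming
  # it would change the check name this job reports under.
  e2e-validation-wehook-envoy:
    runs-on: ubuntu-latest
    needs: [prepare-images]
    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.31.12, v1.32.8, v1.33.4, v1.34.0]
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Install helm
        id: helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Install chainsaw
        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
        with:
          verify: true
      - name: Download image archive
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: image.tar
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version }}
          cluster_name: kind
      - name: Load image archive
        run: |
          set -e
          make kind-load-archive
      - name: Setup cert-manager
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make install-cert-manager install-cluster-issuer
      - name: Install VPOL
        run: |
          set -e
          make install-vpol
      - name: Install chart
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make deploy-kyverno-envoy-server
      - name: Run Chainsaw Tests
        run: |
          set -e
          chainsaw test tests/e2e/validation-webhook/envoy

  # NOTE(review): same historical "wehook" spelling as the job above.
  e2e-validation-wehook-http:
    runs-on: ubuntu-latest
    needs: [prepare-images]
    strategy:
      fail-fast: false
      matrix:
        k8s-version: [v1.31.12, v1.32.8, v1.33.4, v1.34.0]
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup go
        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: go.mod
          cache-dependency-path: go.sum
      - name: Install helm
        id: helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: Install chainsaw
        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
        with:
          verify: true
      - name: Download image archive
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: image.tar
      - name: Create kind cluster
        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version }}
          cluster_name: kind
      - name: Load image archive
        run: |
          set -e
          make kind-load-archive
      - name: Setup cert-manager
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make install-cert-manager install-cluster-issuer
      - name: Install VPOL
        run: |
          set -e
          make install-vpol
      - name: Install chart
        run: |
          set -e
          export HELM=${{ steps.helm.outputs.helm-path }}
          make deploy-kyverno-http-server
      - name: Run Chainsaw Tests
        run: |
          set -e
          chainsaw test tests/e2e/validation-webhook/http

  # Single aggregate check for branch protection. Without `if: always()` this
  # job is skipped as soon as one dependency fails, and a skipped job is not
  # a failed check; so it always runs and fails explicitly unless every
  # dependency reported success.
  required:
    if: always()
    needs:
      - check-actions
      - e2e-authz-server-envoy
      - e2e-authz-server-http
      - e2e-sidecar-injector
      - e2e-validation-wehook-envoy
      - e2e-validation-wehook-http
      - golangci-lint
      - prepare-images
      - semantics-pr
      - unit-tests
      - verify-codegen
    runs-on: ubuntu-latest
    steps:
      - name: Fail if any required job did not succeed
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
        run: exit 1
      - run: echo "Required jobs success!"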