50 changes: 50 additions & 0 deletions .github/workflows/deploy-test.yaml
@@ -0,0 +1,50 @@
name: Build, Deploy and Test on kind

on:
pull_request:
branches:
- '*'

env:
IMG: gitops-operator:test

jobs:
deploy-test:
name: Build image, deploy to kind cluster and run tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
Comment on lines +16 to +17


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 16 - 17, the actions/checkout action is using default credential persistence settings, which stores the GitHub token in the git config for subsequent steps. Disable credential persistence by adding the persist-credentials parameter set to false in the actions/checkout@v4 step to reduce credential exposure risk and remove the unnecessary token storage since it is not needed for this workflow's subsequent steps.

Source: Linters/SAST tools
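What the default persist-credentials setting leaves on disk, as an added example that is not code from the PR or from actions/checkout itself: the action writes the job token into the local git config as an http.https://github.com/.extraheader entry of the form AUTHORIZATION: basic base64(x-access-token:TOKEN). The script below reproduces that config file with a constructed token, shows how any later step in the same job reads the token back, and gives the post-checkout check a hardened job can run. The token value, the directory layout and all function names are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's code and not actions/checkout's own code.
# It simulates what the checkout action leaves in .git/config with the
# default persist-credentials: true, then shows the recovery and the check.
set -eu

# Write a fake checkout directory whose .git/config carries the header the
# action stores: "AUTHORIZATION: basic base64(x-access-token:TOKEN)".
# The token passed in is a constructed value, not a real credential.
simulate_persisted_checkout() {
  dir=$1; token=$2
  mkdir -p "$dir/.git"
  cred=$(printf '%s' "x-access-token:$token" | base64 | tr -d '\n')
  cat > "$dir/.git/config" <<EOF
[core]
    repositoryformatversion = 0
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic $cred
EOF
}

# What any later step in the same job (or a dependency that step runs) can do:
# read the header back and base64-decode it. Prints the recovered token.
recover_token() {
  grep -E '^[[:space:]]*extraheader = AUTHORIZATION: basic ' "$1/.git/config" \
    | sed 's/.*basic //' | base64 -d | cut -d: -f2-
}

# Post-checkout check for a hardened job: returns 0 when no AUTHORIZATION
# header is persisted, 1 (with a message on stderr) when one is.
check_no_persisted_credential() {
  if grep -Eq 'extraheader = AUTHORIZATION:' "$1/.git/config" 2>/dev/null; then
    echo "token still persisted in $1/.git/config" >&2
    return 1
  fi
  return 0
}

# Cleanup after the fact, equivalent to
# git config --local --unset-all http.https://github.com/.extraheader
strip_persisted_credential() {
  sed -i.bak '/extraheader = AUTHORIZATION:/d' "$1/.git/config"
  rm -f "$1/.git/config.bak"
}

demo() {
  work=$(mktemp -d)
  simulate_persisted_checkout "$work" "ghs_constructedDemoToken123"
  echo "later step recovers: $(recover_token "$work")"
  check_no_persisted_credential "$work" || echo "check fails while the header is present"
  strip_persisted_credential "$work"
  check_no_persisted_credential "$work" && echo "check passes after cleanup"
  rm -rf "$work"
}

demo
```

In the job itself the same check is `! git config --local --get-all http.https://github.com/.extraheader` as a step right after checkout, and the same cleanup is `git config --local --unset-all http.https://github.com/.extraheader`; with persist-credentials: false neither is needed, because the action removes the header before the checkout step finishes.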


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to immutable commit SHAs

Lines 17, 20, 25, and 40 use floating tags (@v4, @v5, @v3, @v1). Per the reported policy, this is non-compliant and increases supply-chain risk from upstream retags.

Suggested fix pattern
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<full-commit-sha>

-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Setup Go
+        uses: actions/setup-go@<full-commit-sha>

-      - name: Log in to Quay.io
-        uses: docker/login-action@v3
+      - name: Log in to Quay.io
+        uses: docker/login-action@<full-commit-sha>

-      - name: Create kind cluster
-        uses: helm/kind-action@v1
+      - name: Create kind cluster
+        uses: helm/kind-action@<full-commit-sha>

Also applies to: 20-20, 25-25, 40-40

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml at line 17, replace the floating version tags on the GitHub Actions uses statements at lines 17, 20, 25, and 40 with their corresponding immutable commit SHAs. Instead of using `@v4`, `@v5`, `@v3`, and `@v1` tags for actions/checkout, actions/setup-node, and other actions in this workflow, pin each to a specific commit SHA by looking up the actual commit hash for each version tag and replacing the tag portion with the full SHA reference (e.g., uses: actions/checkout@abc123def456... format).

Source: Linters/SAST tools
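A line-based audit that flags what the two comments above raise (a uses: reference that is not a 40-hex commit SHA, and a checkout step without persist-credentials: false) together with the absence of a permissions: key, written for this page as an added example; it is not the PR's code and not zizmor. It writes two constructed workflow files, bad.yaml mirroring the reviewed steps and good.yaml in hardened form, and audits both. The all-zero SHAs in the hardened file are placeholders, not real commits; a real pin comes from resolving the tag first, for example `git ls-remote --tags https://github.com/actions/checkout v4` (taking the `^{}` peeled line when the tag is annotated), with the tag kept in a trailing comment so the intended version stays readable.

```shell
#!/usr/bin/env bash
# Added example: a heuristic workflow audit, not the PR's code and not zizmor.
# Line-based rather than a YAML parser; it assumes the usual layout where each
# step begins with "- name:" or "- uses:" and its "with:" keys follow it.
set -eu

# Print one finding per line as "file:line: rule: detail" (file-level findings
# omit the line). Exit 1 when anything was printed, 0 otherwise.
audit_workflow() {
  awk '
    function end_checkout() {
      if (!checkout_ok) {
        printf "%s:%d: artipacked: checkout without persist-credentials: false\n", FILENAME, checkout_line
        findings++
      }
      in_checkout = 0
    }
    /^[ \t]*-?[ \t]*uses:/ {
      ref = $0
      sub(/.*uses:[ \t]*/, "", ref)        # keep only owner/repo@ref
      sub(/[ \t]*(#.*)?$/, "", ref)        # drop a trailing "# v4" comment
      if (in_checkout) end_checkout()
      n = split(ref, parts, "@")
      # Local actions (./path) carry no ref; everything else must be a 40-hex SHA.
      if (ref !~ /^\.\// && !(n == 2 && length(parts[2]) == 40 && parts[2] ~ /^[0-9a-f]+$/)) {
        printf "%s:%d: unpinned-uses: %s\n", FILENAME, NR, ref
        findings++
      }
      if (parts[1] == "actions/checkout") { in_checkout = 1; checkout_ok = 0; checkout_line = NR }
      next
    }
    in_checkout && /^[ \t]*persist-credentials:[ \t]*false/ { checkout_ok = 1 }
    in_checkout && /^[ \t]*-[ \t]*(name|uses|run|id|if|env|shell):/ { end_checkout() }
    /^[ \t]*permissions:/ { perms = 1 }
    END {
      if (in_checkout) end_checkout()
      if (!perms) {
        printf "%s: excessive-permissions: no permissions: block, GITHUB_TOKEN keeps repository defaults\n", FILENAME
        findings++
      }
      exit (findings > 0)
    }
  ' "$1"
}

# Number of findings for a file (pipeline, so the exit status is wc's, not awk's).
count_findings() { audit_workflow "$1" | wc -l | tr -d ' '; }

# Two constructed workflow files: bad.yaml mirrors the reviewed steps, good.yaml
# is the hardened form. The all-zero SHAs are placeholders, not real commits.
write_sample_workflows() {
  cat > "$1/bad.yaml" <<'EOF'
on: pull_request
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
      - name: Create kind cluster
        uses: helm/kind-action@v1
        with:
          cluster_name: gitops-test
EOF
  cat > "$1/good.yaml" <<'EOF'
on: pull_request
permissions:
  contents: read
jobs:
  deploy-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
      - name: Create kind cluster
        uses: helm/kind-action@0000000000000000000000000000000000000000 # v1 (placeholder SHA)
        with:
          cluster_name: gitops-test
EOF
}

demo() {
  d=$(mktemp -d)
  write_sample_workflows "$d"
  for f in bad good; do
    if audit_workflow "$d/$f.yaml"; then echo "$f.yaml: clean"; else echo "$f.yaml: $(count_findings "$d/$f.yaml") finding(s)"; fi
  done
  rm -rf "$d"
}

demo
```

Run against a real workflow with `audit_workflow .github/workflows/deploy-test.yaml`; the non-zero exit makes it usable as a pre-commit or CI gate, while zizmor remains the tool to rely on for the full rule set.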


- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'

- name: Create kind cluster
uses: helm/kind-action@v1
with:
cluster_name: gitops-test

- name: Build manager image
run: |
docker build -t ${{ env.IMG }} .

- name: Load image into kind
run: |
kind load docker-image ${{ env.IMG }} --name gitops-test

- name: Install CRDs
run: |
make install

- name: Deploy operator
run: |
make deploy IMG=${{ env.IMG }}

- name: Verify Controller Manager deployment is available
run: |
kubectl wait --for=condition=available --timeout=120s \
deployment/openshift-gitops-operator-controller-manager \
-n openshift-gitops-operator
kubectl get pods -n openshift-gitops-operator
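Review bot: the workflow sets no permissions: key at either the workflow or the job level, so the job's GITHUB_TOKEN receives the repository's default scopes (read/write on most of them unless the repository has switched its default to read-only) although nothing after the checkout needs the token at all; add a top-level permissions: block with contents: read next to env:. Two smaller points in the same hunk: when the final kubectl wait times out, the job fails before the following kubectl get pods runs (the default run shell is bash -e), leaving no diagnostics in the log, so add a step with if: failure() that runs kubectl describe and kubectl logs for the controller-manager in whichever namespace the wait targets; and the ${{ env.IMG }} expansions inside the run: scripts can be plain $IMG, since workflow-level env is exported into each step's environment and shell expansion avoids the template-injection pattern even though this fixed string is harmless.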
Comment on lines +47 to +50


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Controller verification targets the wrong Deployment/namespace

Lines 54–57 wait for deployment/openshift-gitops-operator-controller-manager in openshift-gitops-operator, but make deploy applies config/default, which resolves to the controller in argocd-operator-system (argocd-operator-controller-manager). This will make the CI check fail even when deploy succeeds.

Suggested fix
       - name: Verify Controller Manager deployment is available
         run: |
           kubectl wait --for=condition=available --timeout=120s \
-            deployment/openshift-gitops-operator-controller-manager \
-            -n openshift-gitops-operator
-          kubectl get pods -n openshift-gitops-operator
+            deployment/argocd-operator-controller-manager \
+            -n argocd-operator-system
+          kubectl get pods -n argocd-operator-system
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-test.yaml around lines 54 - 57, the kubectl wait command in the deploy-test workflow is targeting the wrong Deployment and namespace. The make deploy command creates a controller named argocd-operator-controller-manager in the argocd-operator-system namespace, but the current kubectl wait command is looking for openshift-gitops-operator-controller-manager in the openshift-gitops-operator namespace. Update the deployment name from openshift-gitops-operator-controller-manager to argocd-operator-controller-manager and change the namespace from openshift-gitops-operator to argocd-operator-system to match what is actually deployed by make deploy.

Source: Linked repositories
