kube-linter-action's People

Contributors

bznein, dependabot[bot], janisz, jfreeland, msugakov, neilcar, thomast1906, viswajithiii

kube-linter-action's Issues

Issue downloading kube-linter in action

This issue has started today without changing our action.yaml. When trying to run the kube-linter action, we are seeing the following error output:

Run stackrox/[email protected]
  with:
    directory: deployments
    format: plain
    output-file: kubelinter.log
    version: latest
Run set -u
  set -u
  case "Linux" in
    macOS)   OS=darwin ;;
    Windows) OS=windows ;;
    *)       OS=linux ;;
  esac
  RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/latest'
  if [[ "latest" != "latest" ]]; then
    RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/tags/latest'
  fi
  # Although releases endpoint is available without authentication, the current github.token is still passed
  # in order to increase the limit of 60 requests per hour per IP address to a higher value that's also counted
  # per GitHub account.
  # Caching is disabled in order not to receive stale responses from Varnish cache fronting GitHub API.
  RELEASE_INFO="$(curl --silent --show-error --fail \
    --header 'authorization: ***' \
    --header 'Cache-Control: no-cache, must-revalidate' \
    "${RELEASE_URL}")"
  RELEASE_NAME="$(echo "${RELEASE_INFO}" | jq --raw-output ".name")"
  LOCATION="$(echo "${RELEASE_INFO}" \
    | jq --raw-output ".assets[].browser_download_url" \
    | grep --fixed-strings "kube-linter-${OS}.tar.gz")"
  TARGET="kube-linter-${OS}-${RELEASE_NAME}.tar.gz"
  # Skip downloading release if downloaded already, e.g. when the action is used multiple times.
  if [[ ! -e "$TARGET" ]]; then
    curl --silent --show-error --fail --location --output "$TARGET" "$LOCATION"
    tar -xf "$TARGET"
  fi
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
curl: (3) URL using bad/illegal format or missing URL
Error: Process completed with exit code 3.
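
The step in the log above passes whatever the `grep --fixed-strings` filter prints straight to `curl` as the URL, without checking that it is exactly one URL. The following is an added example, not code from the action: a hypothetical helper, `select_asset_url`, that matches the asset file name exactly and fails with a clear message when zero or several URLs match. The sample URLs are constructed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not part of kube-linter-action).

# select_asset_url ASSET_NAME   (candidate URLs on stdin, one per line)
# Prints the single URL whose last path component equals ASSET_NAME.
# Returns 1 if no URL matches, 2 if more than one does.
select_asset_url() {
  local want="$1" url match="" count=0
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    # Compare the file name exactly: a substring filter would also accept
    # companion files such as "<asset>.sig" or "<asset>.sha256".
    if [ "${url##*/}" = "$want" ]; then
      match="$url"
      count=$((count + 1))
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "no release asset named ${want}" >&2
    return 1
  elif [ "$count" -gt 1 ]; then
    echo "${count} release assets named ${want}" >&2
    return 2
  fi
  printf '%s\n' "$match"
}

# Constructed sample input: example.invalid URLs, not real release assets.
SAMPLE_URLS='https://example.invalid/dl/kube-linter-darwin.tar.gz
https://example.invalid/dl/kube-linter-linux.tar.gz
https://example.invalid/dl/kube-linter-linux.tar.gz.sig'

# In the step from the log, the helper would replace the grep stage:
#   LOCATION="$(echo "${RELEASE_INFO}" \
#     | jq --raw-output ".assets[].browser_download_url" \
#     | select_asset_url "kube-linter-${OS}.tar.gz")"
```

With `-e` and `pipefail` set, as in the `shell:` line of the log, a non-zero return from the helper stops the step before `curl` runs.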

`directory` only allows for one source, not multiple

Our orchestration repo is big. Really big. You just won't believe how vastly hugely mind-bogglingly big it is. I mean, you may think it's a long way down the road to the chemist, but that's just peanuts to our orchestration repo.

As such, we'd like to only test files that have actually changed in a PR.

I tried some (what I thought) clever shell commands, and ended up at this:

  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - run: echo "CHANGED_FILES=$(git diff --name-only ${{ github.event.before }}..${{ github.event.after }} | grep 'k8s/.*\.y[a]*ml$' | tr '\n' ' ')" >> $GITHUB_ENV
 
      - name: Scan yaml files with kube-linter
        uses: stackrox/[email protected]
        id: kube-linter-action-scan
        with:
          directory: $CHANGED_FILES
          config: .kube-linter-config.yaml
          # Use plain output, because we don't have GitHub Enterprise which is required for SARIF upload
          format: plain
        continue-on-error: true

Sadly, this fails because directory is interpreted as a single file or directory; if multiple files have been changed, it will try to use "file1.yaml file2.yaml" as a single file, which will of course fail.

Suggestion: extend github action so it supports either directory or files, where the latter can take multiple files as input.

Output file (or fix output variable)

I'd love to extract results as a txt file and use it afterwards, either as an artifact of the workflow run or to create a bug with the content of the results.

Could you add an optional parameter to specify the output file?

Provide a way to specify which kube-linter version to use

First of all, thank you for the GH action, it is extremely helpful!

However, we encountered an issue since 2 days ago, when kube-linter 0.2.4 was released (https://github.com/stackrox/kube-linter/releases/tag/0.2.4), introducing a new check: "non-isolated-pod".

Our yaml files currently violate this rule, making our tests fail.
While we can easily work around this by excluding this particular check in our config file, I think it would be good to add a parameter to the action that can allow users to use a specific version rather than latest (which is currently hardcoded). This way we would be sure that new releases won't break our linting tests and we can update as needed.

Version tagging

Thanks @neilcar for creating the action.

Would it be possible to do a proper tagging for this project please?

Maybe a good starting point is here: https://github.com/actions/checkout
They are using versions like:

v2 -> v2.0.0
v1 -> v1.2.0
v1.1.0
v1.0.0

It would be really handy to use something like v1 instead of specifying the exact version only v0.0.2:

    - uses: stackrox/kube-linter-action@v1

It will save folks from changing the "exact versions" when you release a new version.

For example this project can be handy for automating the release process: https://github.com/haya14busa/action-update-semver

Thank you...

Fail on no valid objects found

When the chart is not valid, the linter will exit with status code 0, and the following warning is displayed: "Warning: no valid objects found."

It would be nice if there was at least an option to make the action fail when this happens.
