Skip to content

feat: add automated GVK sync check with kuadrant-operator#546

Merged
emmaaroche merged 4 commits into
Kuadrant:mainfrom
shubhamkumar9199:feat/gvk-sync-check
Jul 6, 2026
Merged

feat: add automated GVK sync check with kuadrant-operator#546
emmaaroche merged 4 commits into
Kuadrant:mainfrom
shubhamkumar9199:feat/gvk-sync-check

Conversation

@shubhamkumar9199

@shubhamkumar9199 shubhamkumar9199 commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Adds a weekly GitHub Action that keeps the GroupVersionKinds in src/utils/resources.ts in sync with the CRDs shipped by the kuadrant-operator.

scripts/check-gvks.sh builds the operator's config/manifests kustomize target (which aggregates the kuadrant.io, extensions.kuadrant.io and devportal.kuadrant.io CRDs the plugin uses), extracts each CRD's group and storage version with yq, and diffs them against the GVKs declared in resources.ts. Only kinds the plugin already declares are compared, so Gateway API and Istio types are skipped. A safety floor aborts the run if the upstream build returns an unexpectedly small CRD set.

The .github/workflows/gvk-sync.yaml workflow runs the script weekly (and on demand), and on drift opens a PR updating resources.ts via peter-evans/create-pull-request.

Closes #74

Type of change

  • [fix] Bug fix
  • [feat] New feature
  • [refactor] Refactor (no functional changes)
  • [test] Test updates
  • [chore] Dependency / config update

Test plan

  • yarn lint passes (no changes after running)
  • yarn build passes
  • yarn i18n passes (no changes after running — commit updated locale files if needed)
  • Tested manually in OpenShift Console
  • Tested in both light and dark themes
  • Tested in all-namespaces and single namespace mode

Screenshots

Before After

Checklist

  • All user-facing strings use t() and are added to locales/en/plugin__kuadrant-console-plugin.json
  • CSS classes are prefixed with kuadrant- — no bare .pf-* or .co-* selectors, no hex colors
  • No console.log statements left in
  • Commits include Signed-off-by line (git commit -s)

Summary by CodeRabbit

Release Notes

  • Chores
    • Added an automated weekly Kubernetes GroupVersionKind sync check against upstream sources, with manual triggering support.
    • Generates a drift report and flags when schema changes are detected.
    • Automatically opens an update pull request (with labels and sign-off) and can apply drift fixes to the maintained definition list.

Adds a weekly GitHub Action that keeps the GroupVersionKinds in
src/utils/resources.ts in sync with the CRDs shipped by the
kuadrant-operator.

scripts/check-gvks.sh builds the operator's config/manifests kustomize
target (which aggregates the kuadrant.io, extensions.kuadrant.io and
devportal.kuadrant.io CRDs the plugin uses), extracts each CRD's group
and storage version with yq, and diffs them against the GVKs declared in
resources.ts. Only kinds the plugin already declares are compared, so
Gateway API and Istio types are skipped. A safety floor aborts the run
if the upstream build returns an unexpectedly small CRD set.

The .github/workflows/gvk-sync.yaml workflow runs the script weekly (and
on demand), and on drift opens a PR updating resources.ts via
peter-evans/create-pull-request.

Closes Kuadrant#74

Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b11eff36-c1cf-4a08-913a-264547ad2839

📥 Commits

Reviewing files that changed from the base of the PR and between 5604d70 and 88edcc2.

📒 Files selected for processing (1)
  • scripts/check-gvks.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/check-gvks.sh

📝 Walkthrough

Walkthrough

Adds a drift-check script that compares local GVK entries with upstream CRD manifests, can rewrite mismatches, and reports drift. A GitHub Actions workflow runs the check on a schedule or manually and opens an update pull request when changes are detected.

Changes

GVK Drift Detection and Auto-Fix

Layer / File(s) Summary
GVK comparison and fix script
scripts/check-gvks.sh
Validates prerequisites, builds upstream GVK data from CRDs, parses src/utils/resources.ts, compares matching kinds, writes a drift report, optionally rewrites mismatched entries with --fix, and exits based on drift state.
Scheduled GitHub Actions workflow
.github/workflows/gvk-sync.yaml
Defines GVK Sync Check with weekly and manual triggers, runs scripts/check-gvks.sh --fix, checks for the drift report, and creates a pull request on chore/sync-gvks when drift is present.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler as GitHub scheduler / workflow_dispatch
  participant Runner as gvk-sync job
  participant Script as scripts/check-gvks.sh
  participant PR as create-pull-request

  Scheduler->>Runner: trigger workflow
  Runner->>Script: run with --fix
  Script-->>Runner: write drift report if drift exists
  Runner->>Runner: check report existence
  alt report present
    Runner->>PR: open PR for resources.ts update
    PR-->>Runner: PR created
  else no drift
    Runner-->>Scheduler: finish without PR
  end
Loading

Poem

🐇 I sniffed the CRDs by moonlit light,
Compared each GVK and set it right.
If drift appeared, I lent a paw,
Then opened a PR with bunny awe.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the main change: an automated GVK sync check for kuadrant-operator.
Linked Issues check ✅ Passed The script compares upstream kuadrant-operator GVKs to resources.ts and the workflow can open an automated PR on drift.
Out of Scope Changes check ✅ Passed The changes stay within the sync-check workflow and GVK comparison script required by issue #74.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (2)
scripts/check-gvks.sh (1)

65-65: ⚖️ Poor tradeoff

Brittle regex pattern vulnerable to formatting changes.

The sed pattern assumes exact spacing and single quotes in the gvk object literal. If resources.ts is ever reformatted (e.g., by Prettier adding/removing spaces, or switching to double quotes), this extraction will silently fail, causing the drift detection to report all GVKs as missing rather than detecting actual version mismatches.

Consider making the pattern more resilient:

💡 More flexible regex pattern
-local_raw="$(sed -nE "s/.*gvk: \{ group: '([^']*)', version: '([^']*)', kind: '([^']*)' \}.*/\3 \1 \2/p" "${RESOURCES_FILE}")"
+local_raw="$(sed -nE "s/.*gvk:[[:space:]]*\{[[:space:]]*group:[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*,[[:space:]]*version:[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*,[[:space:]]*kind:[[:space:]]*['\"]([^'\"]*)['\"].*/\3 \1 \2/p" "${RESOURCES_FILE}")"

This tolerates varying whitespace and both quote styles.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check-gvks.sh` at line 65, The sed pattern in the local_raw variable
assignment is too strict and assumes exact spacing and single quotes around the
gvk object properties. Make the regex pattern more resilient by using flexible
whitespace matching (like \s* or similar) to tolerate variable spacing around
colons, braces, and commas, and update the quote matching to accept both single
and double quotes (using a pattern like ["'] instead of hardcoded single quotes)
so that the extraction continues to work correctly even if resources.ts is
reformatted by tools like Prettier.
.github/workflows/gvk-sync.yaml (1)

21-22: 💤 Low value

Consider disabling credential persistence.

The checkout action persists the GitHub token in git config by default. Whilst the risk is low for this automated workflow, setting persist-credentials: false provides defence-in-depth against potential credential exfiltration.

🛡️ Disable credential persistence
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gvk-sync.yaml around lines 21 - 22, The
actions/checkout@v4 step in the gvk-sync.yaml workflow uses the default behavior
which persists the GitHub token in git config, creating a potential security
risk. Add the persist-credentials parameter set to false to the checkout action
to disable credential persistence and provide defence-in-depth against potential
credential exfiltration. This parameter should be added as a configuration
option to the actions/checkout@v4 step.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gvk-sync.yaml:
- Around line 21-22: The actions/checkout action is pinned to the v4 version tag
rather than a specific commit hash, which creates a security vulnerability.
Replace the version tag in the uses field of the actions/checkout step with a
specific commit hash, and add an inline comment above or next to it indicating
which version that commit corresponds to (for example, "# v4" or similar) to
maintain readability and aid future updates.
- Line 38: The peter-evans/create-pull-request action is currently referenced by
version tag (v6) instead of a specific commit hash, which creates a security
risk given the action's write permissions. Replace the version tag reference
with a specific commit hash pinned to the v6 release, and add a comment above
the action indicating which version the commit hash corresponds to. This ensures
the workflow uses an immutable reference and prevents accidental upgrades to
potentially compromised future versions.

In `@scripts/check-gvks.sh`:
- Around line 84-86: The sed -i flag used in the FIX block for updating the gvk
pattern in RESOURCES_FILE is not portable across macOS and Linux due to
incompatible BSD and GNU sed syntax. Replace the sed -i flag with sed -i.bak to
create a backup file that is compatible with both implementations, then add a
command immediately after the sed invocation to remove the backup file with the
.bak extension using rm.

---

Nitpick comments:
In @.github/workflows/gvk-sync.yaml:
- Around line 21-22: The actions/checkout@v4 step in the gvk-sync.yaml workflow
uses the default behavior which persists the GitHub token in git config,
creating a potential security risk. Add the persist-credentials parameter set to
false to the checkout action to disable credential persistence and provide
defence-in-depth against potential credential exfiltration. This parameter
should be added as a configuration option to the actions/checkout@v4 step.

In `@scripts/check-gvks.sh`:
- Line 65: The sed pattern in the local_raw variable assignment is too strict
and assumes exact spacing and single quotes around the gvk object properties.
Make the regex pattern more resilient by using flexible whitespace matching
(like \s* or similar) to tolerate variable spacing around colons, braces, and
commas, and update the quote matching to accept both single and double quotes
(using a pattern like ["'] instead of hardcoded single quotes) so that the
extraction continues to work correctly even if resources.ts is reformatted by
tools like Prettier.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 755937f3-3e96-47bf-99b4-bcd4ea3482f5

📥 Commits

Reviewing files that changed from the base of the PR and between b1f3e1a and a186ddb.

📒 Files selected for processing (2)
  • .github/workflows/gvk-sync.yaml
  • scripts/check-gvks.sh

Comment thread .github/workflows/gvk-sync.yaml Outdated
Comment thread .github/workflows/gvk-sync.yaml Outdated
Comment thread scripts/check-gvks.sh
BSD sed (macOS) and GNU sed (Linux) have incompatible `-i` syntax, so
running the script locally on macOS would fail. Write the result through
a temp file and mv it into place instead, which works on both.

Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
@shubhamkumar9199

Copy link
Copy Markdown
Contributor Author

@eguzki when you are free can you check this ?

@R-Lawton

Copy link
Copy Markdown
Contributor

@shubhamkumar9199 This looks good but can you address the code rabbit reviews please

Pin actions/checkout and peter-evans/create-pull-request to full commit
SHAs (with the version as a trailing comment) instead of floating tags,
addressing the CodeRabbit supply-chain review comments. Tags can be moved
to point at compromised commits; SHAs are immutable.

- actions/checkout: v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1)
- peter-evans/create-pull-request: v6 -> c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0)

Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
@shubhamkumar9199

shubhamkumar9199 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

@R-Lawton thanks for the review! I've addressed the CodeRabbit comments:

  • Pinned actions/checkout to 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1)
  • Pinned peter-evans/create-pull-request to c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0)
  • The sed -i portability issue was fixed earlier in 2c571e4

All checks are green. Could you take another look when you get a chance?

Comment thread scripts/check-gvks.sh Outdated
Address review feedback: the sed pattern assumed exact single quotes and
spacing in the gvk object, so reformatting resources.ts (e.g. via Prettier,
switching to double quotes) would silently extract nothing and report every
GVK as drifted instead of detecting real drift.

Use a whitespace- and quote-agnostic pattern ([[:space:]]* and a ["'] class)
so formatting changes no longer break drift detection. Extraction output is
unchanged for the current file (verified: identical 23-GVK result).

Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>

@emmaaroche emmaaroche left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, LGTM 👍

@emmaaroche emmaaroche added this pull request to the merge queue Jul 6, 2026
Merged via the queue into Kuadrant:main with commit e80d96a Jul 6, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Automate API version checks between Kuadrant Operator and Console Plugin

3 participants