feat: add automated GVK sync check with kuadrant-operator#546
Conversation
Adds a weekly GitHub Action that keeps the GroupVersionKinds in src/utils/resources.ts in sync with the CRDs shipped by the kuadrant-operator. scripts/check-gvks.sh builds the operator's config/manifests kustomize target (which aggregates the kuadrant.io, extensions.kuadrant.io and devportal.kuadrant.io CRDs the plugin uses), extracts each CRD's group and storage version with yq, and diffs them against the GVKs declared in resources.ts. Only kinds the plugin already declares are compared, so Gateway API and Istio types are skipped. A safety floor aborts the run if the upstream build returns an unexpectedly small CRD set. The .github/workflows/gvk-sync.yaml workflow runs the script weekly (and on demand), and on drift opens a PR updating resources.ts via peter-evans/create-pull-request. Closes Kuadrant#74 Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds a drift-check script that compares local GVK entries with upstream CRD manifests, can rewrite mismatches, and reports drift. A GitHub Actions workflow runs the check on a schedule or manually and opens an update pull request when changes are detected. ChangesGVK Drift Detection and Auto-Fix
Estimated code review effort: 2 (Simple) | ~12 minutes Sequence Diagram(s)sequenceDiagram
participant Scheduler as GitHub scheduler / workflow_dispatch
participant Runner as gvk-sync job
participant Script as scripts/check-gvks.sh
participant PR as create-pull-request
Scheduler->>Runner: trigger workflow
Runner->>Script: run with --fix
Script-->>Runner: write drift report if drift exists
Runner->>Runner: check report existence
alt report present
Runner->>PR: open PR for resources.ts update
PR-->>Runner: PR created
else no drift
Runner-->>Scheduler: finish without PR
end
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (2)
scripts/check-gvks.sh (1)
65-65: ⚖️ Poor tradeoffBrittle regex pattern vulnerable to formatting changes.
The sed pattern assumes exact spacing and single quotes in the
gvkobject literal. Ifresources.tsis ever reformatted (e.g., by Prettier adding/removing spaces, or switching to double quotes), this extraction will silently fail, causing the drift detection to report all GVKs as missing rather than detecting actual version mismatches.Consider making the pattern more resilient:
💡 More flexible regex pattern
-local_raw="$(sed -nE "s/.*gvk: \{ group: '([^']*)', version: '([^']*)', kind: '([^']*)' \}.*/\3 \1 \2/p" "${RESOURCES_FILE}")" +local_raw="$(sed -nE "s/.*gvk:[[:space:]]*\{[[:space:]]*group:[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*,[[:space:]]*version:[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*,[[:space:]]*kind:[[:space:]]*['\"]([^'\"]*)['\"].*/\3 \1 \2/p" "${RESOURCES_FILE}")"This tolerates varying whitespace and both quote styles.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/check-gvks.sh` at line 65, The sed pattern in the local_raw variable assignment is too strict and assumes exact spacing and single quotes around the gvk object properties. Make the regex pattern more resilient by using flexible whitespace matching (like \s* or similar) to tolerate variable spacing around colons, braces, and commas, and update the quote matching to accept both single and double quotes (using a pattern like ["'] instead of hardcoded single quotes) so that the extraction continues to work correctly even if resources.ts is reformatted by tools like Prettier..github/workflows/gvk-sync.yaml (1)
21-22: 💤 Low valueConsider disabling credential persistence.
The checkout action persists the GitHub token in git config by default. Whilst the risk is low for this automated workflow, setting
persist-credentials: falseprovides defence-in-depth against potential credential exfiltration.🛡️ Disable credential persistence
- name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/gvk-sync.yaml around lines 21 - 22, The actions/checkout@v4 step in the gvk-sync.yaml workflow uses the default behavior which persists the GitHub token in git config, creating a potential security risk. Add the persist-credentials parameter set to false to the checkout action to disable credential persistence and provide defence-in-depth against potential credential exfiltration. This parameter should be added as a configuration option to the actions/checkout@v4 step.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/gvk-sync.yaml:
- Around line 21-22: The actions/checkout action is pinned to the v4 version tag
rather than a specific commit hash, which creates a security vulnerability.
Replace the version tag in the uses field of the actions/checkout step with a
specific commit hash, and add an inline comment above or next to it indicating
which version that commit corresponds to (for example, "# v4" or similar) to
maintain readability and aid future updates.
- Line 38: The peter-evans/create-pull-request action is currently referenced by
version tag (v6) instead of a specific commit hash, which creates a security
risk given the action's write permissions. Replace the version tag reference
with a specific commit hash pinned to the v6 release, and add a comment above
the action indicating which version the commit hash corresponds to. This ensures
the workflow uses an immutable reference and prevents accidental upgrades to
potentially compromised future versions.
In `@scripts/check-gvks.sh`:
- Around line 84-86: The sed -i flag used in the FIX block for updating the gvk
pattern in RESOURCES_FILE is not portable across macOS and Linux due to
incompatible BSD and GNU sed syntax. Replace the sed -i flag with sed -i.bak to
create a backup file that is compatible with both implementations, then add a
command immediately after the sed invocation to remove the backup file with the
.bak extension using rm.
---
Nitpick comments:
In @.github/workflows/gvk-sync.yaml:
- Around line 21-22: The actions/checkout@v4 step in the gvk-sync.yaml workflow
uses the default behavior which persists the GitHub token in git config,
creating a potential security risk. Add the persist-credentials parameter set to
false to the checkout action to disable credential persistence and provide
defence-in-depth against potential credential exfiltration. This parameter
should be added as a configuration option to the actions/checkout@v4 step.
In `@scripts/check-gvks.sh`:
- Line 65: The sed pattern in the local_raw variable assignment is too strict
and assumes exact spacing and single quotes around the gvk object properties.
Make the regex pattern more resilient by using flexible whitespace matching
(like \s* or similar) to tolerate variable spacing around colons, braces, and
commas, and update the quote matching to accept both single and double quotes
(using a pattern like ["'] instead of hardcoded single quotes) so that the
extraction continues to work correctly even if resources.ts is reformatted by
tools like Prettier.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 755937f3-3e96-47bf-99b4-bcd4ea3482f5
📒 Files selected for processing (2)
.github/workflows/gvk-sync.yamlscripts/check-gvks.sh
BSD sed (macOS) and GNU sed (Linux) have incompatible `-i` syntax, so running the script locally on macOS would fail. Write the result through a temp file and mv it into place instead, which works on both. Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
|
@eguzki when you are free can you check this ? |
|
@shubhamkumar9199 This looks good but can you address the code rabbit reviews please |
Pin actions/checkout and peter-evans/create-pull-request to full commit SHAs (with the version as a trailing comment) instead of floating tags, addressing the CodeRabbit supply-chain review comments. Tags can be moved to point at compromised commits; SHAs are immutable. - actions/checkout: v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) - peter-evans/create-pull-request: v6 -> c5a7806660adbe173f04e3e038b0ccdcd758773c (v6.1.0) Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
|
@R-Lawton thanks for the review! I've addressed the CodeRabbit comments:
All checks are green. Could you take another look when you get a chance? |
Address review feedback: the sed pattern assumed exact single quotes and spacing in the gvk object, so reformatting resources.ts (e.g. via Prettier, switching to double quotes) would silently extract nothing and report every GVK as drifted instead of detecting real drift. Use a whitespace- and quote-agnostic pattern ([[:space:]]* and a ["'] class) so formatting changes no longer break drift detection. Extraction output is unchanged for the current file (verified: identical 23-GVK result). Signed-off-by: shubhamsharma9199 <shubham.24bcs10320@sst.scaler.com>
Adds a weekly GitHub Action that keeps the GroupVersionKinds in src/utils/resources.ts in sync with the CRDs shipped by the kuadrant-operator.
scripts/check-gvks.sh builds the operator's config/manifests kustomize target (which aggregates the kuadrant.io, extensions.kuadrant.io and devportal.kuadrant.io CRDs the plugin uses), extracts each CRD's group and storage version with yq, and diffs them against the GVKs declared in resources.ts. Only kinds the plugin already declares are compared, so Gateway API and Istio types are skipped. A safety floor aborts the run if the upstream build returns an unexpectedly small CRD set.
The .github/workflows/gvk-sync.yaml workflow runs the script weekly (and on demand), and on drift opens a PR updating resources.ts via peter-evans/create-pull-request.
Closes #74
Type of change
[fix]Bug fix[feat]New feature[refactor]Refactor (no functional changes)[test]Test updates[chore]Dependency / config updateTest plan
yarn lintpasses (no changes after running)yarn buildpassesyarn i18npasses (no changes after running — commit updated locale files if needed)Screenshots
Checklist
t()and are added tolocales/en/plugin__kuadrant-console-plugin.jsonkuadrant-— no bare.pf-*or.co-*selectors, no hex colorsconsole.logstatements left inSigned-off-byline (git commit -s)Summary by CodeRabbit
Release Notes