chore: use Namespace cluster action for QA chart tests #14
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Codex Review: Here are some suggestions.
Reply with @codex fix comments to fix any unresolved comments.
| - name: Configure Namespace access | ||
| if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true' | ||
| uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 | ||
| id: nscloud | ||
| uses: namespacelabs/nscloud-setup@b989f4420f16ab4efd52fcb69d33a51d575f24bc # v0 |
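Review bot: The trailing comment on the `namespacelabs/nscloud-setup@b989f4420f16ab4efd52fcb69d33a51d575f24bc # v0` line names only a major-version tag, so it does not record which release the pinned commit corresponds to, unlike `# v1.12.0` on the kind-action line it replaces. Put the exact release tag in the comment so a reviewer or an update tool can check the SHA against it.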
[P1] Provide credentials to nscloud setup action
The new step switches from helm/kind-action to namespacelabs/nscloud-setup, but the action is invoked without the required authentication inputs. nscloud-setup expects either an API key or a preconfigured profile; otherwise it fails before provisioning any cluster. No secrets or profile inputs are passed or exported anywhere in this workflow, so the QA job will now error out as soon as the setup step runs and chart testing will never execute. Pass api-key, profile, or whatever the action requires for authentication.
ed5cde7 to ee6b97f
| if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true' | ||
| uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 | ||
| id: nscloud | ||
| uses: namespacelabs/nscloud-setup@v0 |
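Review bot: The replacement line `uses: namespacelabs/nscloud-setup@v0` drops the pinning convention of the line it replaces, `helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0`, which names a full commit SHA with the release in a comment. Pin nscloud-setup the same way so the step that configures Namespace access cannot change without a diff in this file.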
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
||
| - name: Provision Namespace Kubernetes cluster | ||
| if: (github.event_name == 'pull_request' || github.event_name == 'push') && steps.ct-changed.outputs.changed == 'true' | ||
| uses: namespacelabs/nscloud-cluster-action@v0 |
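Review bot: The `if:` expression on the second line is a verbatim copy of the one guarding the "Configure Namespace access" step, so the two Namespace steps can drift apart on a later edit and leave one running without the other. Evaluate the condition once, for example in an earlier step that sets an output, and have both steps test that single value.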
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
Summary
Testing
Summary by Sourcery
CI: