fix(ci): Add kubeconform testing

.github/scripts/kubeconform.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o pipefail
+
+KUBERNETES_DIR=$1
+
+[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1
+
+kustomize_args=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+kubeconform_args=(
+    "-strict"
+    "-ignore-missing-schemas"
+    "-skip"
+    "Secret,ConfigMap"
+    "-schema-location"
+    "default"
+    "-schema-location"
+    "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+    "-verbose"
+)
+
+
+echo "=== Validating standalone manifests in ${KUBERNETES_DIR} ==="
+find "${KUBERNETES_DIR}" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file;
+do
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating all namespace.yaml files in ${KUBERNETES_DIR} ==="
+find "${KUBERNETES_DIR}" -type f -name 'namespace.yaml' -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "Validating ${file}"
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating all helm-release.yaml files in ${KUBERNETES_DIR} ==="
+find "${KUBERNETES_DIR}" -type f -name 'helm-release.yaml' -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "Validating ${file}"
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/ ==="
+find "${KUBERNETES_DIR}" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done

.github/workflows/flux-diff.yaml

@@ -0,0 +1,76 @@
+name: Flux Helm Diff
+
+on:
+  pull_request:
+    paths:
+      - '**/helm-release.yaml'
+
+jobs:
+  flux-diff:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: flux-diff-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set changed helm releases
+        id: changed
+        run: |
+          # Get all helm-release.yaml files changed in this PR
+          files=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} | grep 'helm-release.yaml' || true)
+          echo "changed_files=$files" >> $GITHUB_OUTPUT
+
+      - name: Run Flux Local Diff
+        if: ${{ steps.changed.outputs.changed_files != '' }}
+        id: flux
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0@sha256:37c3c4309a351830b04f93c323adfcb0e28c368001818cd819cbce3e08828261
+        with:
+          entrypoint: /bin/sh
+          args: |
+            -c '
+            for file in ${{ steps.changed.outputs.changed_files }}; do
+              flux diff -f "$file" > diff.patch || true
+              cat diff.patch
+            done
+            '
+        env:
+          GITHUB_SHA: ${{ github.sha }}
+
+      - name: Generate Diff Output
+        if: ${{ steps.changed.outputs.changed_files != '' }}
+        id: diff
+        run: |
+          if [ -f diff.patch ] && [ -s diff.patch ]; then
+            echo "diff<<EOF" >> $GITHUB_OUTPUT
+            cat diff.patch >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+
+            echo "## Flux diff" >> $GITHUB_STEP_SUMMARY
+            echo '```diff' >> $GITHUB_STEP_SUMMARY
+            cat diff.patch >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Generate Token
+        uses: actions/create-github-app-token@v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Add PR Comment
+        continue-on-error: true
+        uses: mshick/add-pr-comment@v2
+        with:
+          repo-token: "${{ steps.app-token.outputs.token }}"
+          message-id: "${{ github.event.pull_request.number }}/kubernetes/flux-diff"
+          header: "${{ github.event.pull_request.number }}/kubernetes/flux-diff"
+          message-failure: Diff was not successful
+          message: |
+            ```diff
+            ${{ steps.diff.outputs.diff }}
+            ```

.github/workflows/kubeconform.yaml

@@ -0,0 +1,49 @@
+name: "Kubeconform"
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.head_ref }}-pr-validate
+  cancel-in-progress: true
+
+env:
+  KUBERNETES_DIR: ./embed/generic/kubernetes
+
+jobs:
+  kubeconform:
+    name: Kubeconform
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - name: Setup Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+      - name: Setup Workflow Tools
+        run: brew install fluxcd/tap/flux kubeconform kustomize
+      - name: Create dummy deploykey secret (CI only)
+        shell: bash
+        run: |
+          SECRET_PATH="embed/generic/kubernetes/flux-system/flux/deploykey.secret.yaml"
+
+          if [[ ! -f "$SECRET_PATH" ]]; then
+            echo "Creating dummy deploykey.secret.yaml for kubeconform"
+            mkdir -p "$(dirname "$SECRET_PATH")"
+            touch "$SECRET_PATH"
+          fi
+      - name: Inject ConfigMap data for CI
+        shell: bash
+        run: |
+          CONFIG_PATH="embed/generic/kubernetes/flux-system/flux/clustersettings.secret.yaml"
+
+          if [[ -f "$CONFIG_PATH" ]]; then
+            echo "Replacing REPLACEWITHENV in clustersettings.secret.yaml"
+
+            # Example: replace with dummy key-values for CI
+            sed -i "s|REPLACEWITHENV|  dummyKey: dummyValue|" "$CONFIG_PATH"
+          fi
+      - name: Run kubeconform
+        shell: bash
+        run: bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }}