validate false

Dockerfile

@@ -5,9 +5,11 @@ RUN go build -o kforge .
 
 FROM alpine:3.19
 COPY --from=builder /app/kforge /usr/local/bin/kforge
-RUN apk add --no-cache curl && \
+RUN apk add --no-cache curl docker-cli && \
     curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
-    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
+    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

action.yml

@@ -40,6 +40,15 @@ inputs:
     description: "Kubernetes service account token"
     required: true
 
+  scan_image:
+    description: "Scan image for vulnerabilities before pushing"
+    required: false
+    default: "true"
+  scan_severity:
+    description: "Fail on these severity levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
+    required: false
+    default: "HIGH,CRITICAL"
+
 # outputs:
 #   output_file:
 #     description: "Path to the generated Kubernetes YAML file"

entrypoint.sh

@@ -67,6 +67,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
   if [ -n "$INPUT_IMAGE_TAG" ]; then
     echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
     docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
+
+    echo "Scanning image for vulnerabilities..."
+    trivy image \
+      --exit-code 1 \
+      --severity "$INPUT_SCAN_SEVERITY" \
+      --no-progress \
+      "$FULL_IMAGE:$INPUT_IMAGE_TAG"
+
+    echo "Scan passed, pushing image..."
     docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
   else
     SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
@@ -75,6 +84,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
       -t "$FULL_IMAGE:latest" \
       -t "$FULL_IMAGE:$SHA" \
       -f "$INPUT_DOCKERFILE" .
+
+    echo "Scanning image for vulnerabilities..."
+    trivy image \
+      --exit-code 1 \
+      --severity "$INPUT_SCAN_SEVERITY" \
+      --no-progress \
+      "$FULL_IMAGE:latest"
+
+    echo "Scan passed, pushing image..."
     docker push "$FULL_IMAGE:latest"
     docker push "$FULL_IMAGE:$SHA"
 
@@ -93,9 +111,15 @@ echo "Generating Kubernetes YAML from .kforge.yml"
 # ----------------------------------------------------------------
 # Build kubeconfig from token-based credentials
 echo "Configuring kubectl..."
+
+# Try writing the cert and check if it worked
+echo "$INPUT_KUBE_CERTIFICATE" | base64 -d > /tmp/kube-ca.crt 2>&1
+echo "Cert file size: $(wc -c < /tmp/kube-ca.crt)"
+echo "Cert file contents: $(cat /tmp/kube-ca.crt | head -1)"
+
 kubectl config set-cluster default \
 --server="$INPUT_KUBE_HOST" \
---certificate-authority=<(echo "$INPUT_KUBE_CERTIFICATE" | base64 -d)
+--certificate-authority=/tmp/kube-ca.crt
 
 kubectl config set-credentials default \
 --token="$INPUT_KUBE_TOKEN"
@@ -106,14 +130,17 @@ kubectl config set-context default \
 
 kubectl config use-context default
 
+
 # Create/update regcred secret idempotently
-echo "Creating regcred secret..."
-kubectl create secret docker-registry regcred \
---docker-server="$INPUT_REGISTRY" \
---docker-username="$INPUT_REGISTRY_USERNAME" \
---docker-password="$INPUT_REGISTRY_PASSWORD" \
---dry-run=client -o yaml | kubectl apply -f -
+# echo "Creating regcred secret..."
+# kubectl create secret docker-registry regcred \
+# --docker-server="$INPUT_REGISTRY" \
+# --docker-username="$INPUT_REGISTRY_USERNAME" \
+# --docker-password="$INPUT_REGISTRY_PASSWORD" \
+# --dry-run=client -o yaml | kubectl apply -f - --insecure-skip-tls-verify --validate=false
 
 echo "Deploying to Kubernetes..."
-kubectl apply -f ./kforge-out/
+kubectl apply --insecure-skip-tls-verify  --validate=false  -f ./.kforge-out/
 echo "Deploy complete."
+echo "Cleanup"
+rm -f /tmp/kube-ca.crt