add validate and secrets workflows

Author: mastapegs

.github/workflows/secrets.yml

@@ -0,0 +1,38 @@
+name: secrets
+
+# Server-side complement to the gitleaks pre-commit hook in .pre-commit-config.yaml.
+#
+# Why both:
+#   - Pre-commit runs locally and is bypassable (`git commit --no-verify`),
+#     skippable (if `pre-commit install` was never run), and doesn't fire for
+#     commits authored via the GitHub web UI, mobile app, or REST API.
+#   - This workflow runs in CI on every PR + push, can be enforced via branch
+#     protection ("required check"), and is the last line before merge.
+#
+# Both use the same gitleaks engine, so detection rules are consistent.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Fetch the full history so gitleaks can scan all commits in the PR,
+          # not just the tip. Catches secrets that were committed and then
+          # "deleted" (still in history) without being rotated.
+          fetch-depth: 0
+
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # GITLEAKS_LICENSE is required only for org-owned private repos.
+          # This repo is public, so the license check is skipped automatically.

.github/workflows/validate.yml

@@ -0,0 +1,46 @@
+name: validate
+
+# Pre-merge validation: yamllint, kustomize rendering, kubeconform, shellcheck.
+# Calls the same script developers can run locally — see ci/validate.sh and
+# the README "Optional, for running CI checks locally" line in Prerequisites.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: validate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - run: pip install --quiet yamllint
+
+      - name: Install kustomize
+        run: |
+          curl -sfL "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
+          sudo mv kustomize /usr/local/bin/
+
+      # helm is required for kustomize's `--enable-helm` flag (renders the
+      # helmCharts: block in manifests/quine-enterprise/).
+      - uses: azure/setup-helm@v4
+        with:
+          version: v3.16.0
+
+      - name: Install kubeconform
+        run: |
+          curl -sfL "https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz" \
+            | sudo tar -xz -C /usr/local/bin kubeconform
+
+      # shellcheck is pre-installed on ubuntu-latest runners.
+
+      - name: Run validation
+        run: ./ci/validate.sh

.yamllint.yaml

@@ -0,0 +1,27 @@
+# yamllint config — relaxed preset, with rules tuned for this repo.
+#
+# We disable line-length because Kustomize patches, Helm values, and operator
+# CRs commonly carry long URLs or composite identifiers. We disable
+# `truthy.check-keys` because Kubernetes manifests use `on:` (workflow trigger)
+# and similar field names that yamllint would otherwise flag.
+#
+# What still fires (and should):
+#   - syntax errors
+#   - duplicate keys
+#   - inconsistent indentation
+#   - trailing whitespace
+#   - missing document start where required by surrounding context
+
+extends: relaxed
+
+rules:
+  line-length: disable
+  truthy:
+    check-keys: false
+
+ignore: |
+  charts/
+  **/charts/
+  tmp/
+  temp/
+  .pre-commit-cache/

README.md

@@ -17,6 +17,12 @@ export THATDOT_REGISTRY_USERNAME="..."
 export THATDOT_REGISTRY_PASSWORD="..."
 ```
 
+Optional — for reproducing the CI validation checks locally before pushing (`./ci/validate.sh` runs the same checks `.github/workflows/validate.yml` runs):
+
+```bash
+brew install yamllint shellcheck kustomize helm kubeconform
+```
+
 ## First-time setup
 
 ```bash

ci/validate.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+# Validates the manifest tree, Kustomize rendering, and helper scripts.
+# Same checks the .github/workflows/validate.yml workflow runs — install the
+# tools locally and you can reproduce CI before pushing.
+#
+# Tools required:
+#   yamllint, shellcheck, kustomize, helm, kubeconform
+#
+# macOS install:
+#   brew install yamllint shellcheck kustomize helm kubeconform
+#
+# Usage: ./ci/validate.sh
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_DIR" || exit 1
+
+# ---- Tool check ----
+missing=()
+for tool in yamllint shellcheck kustomize helm kubeconform; do
+    command -v "$tool" >/dev/null 2>&1 || missing+=("$tool")
+done
+if [[ ${#missing[@]} -gt 0 ]]; then
+    echo "ERROR: missing required tools: ${missing[*]}"
+    echo "  macOS install: brew install ${missing[*]}"
+    exit 1
+fi
+
+# Run all checks, collecting failures rather than aborting on the first one —
+# so the developer sees the full picture in a single run.
+failed=()
+
+echo "==> yamllint"
+yamllint . || failed+=("yamllint")
+
+echo ""
+echo "==> shellcheck scripts/*.sh ci/*.sh"
+shellcheck scripts/*.sh ci/*.sh || failed+=("shellcheck")
+
+echo ""
+echo "==> kustomize + kubeconform per leaf"
+for leaf in manifests/root manifests/platform manifests/product manifests/cassandra manifests/keycloak manifests/quine-enterprise; do
+    echo "  --- $leaf ---"
+    if ! kustomize build --enable-helm "$leaf" \
+            | kubeconform --strict --ignore-missing-schemas --summary; then
+        failed+=("$leaf")
+    fi
+done
+
+echo ""
+if [[ ${#failed[@]} -gt 0 ]]; then
+    echo "FAILED: ${failed[*]}"
+    exit 1
+fi
+echo "All checks passed."