
ci(validate-scaffold): schema-validate rendered manifests with kubeconform #5

Merged: devantler merged 2 commits into main from claude/scaffold-schema-validation on Jun 1, 2026

Conversation

@devantler
Contributor

🤖 Generated by the Daily AI Assistant

Problem

validate-scaffold.yaml is the scaffold-integrity gate for this template's core deliverable — the deploy/ Kustomize manifests every tenant inherits. Today it runs only kubectl kustomize deploy/, which catches a broken kustomization (renamed/removed resource, YAML error) but does not schema-validate the rendered resources. A typo in a CRD field (ExternalSecret, SecretStore, CloudNativePG Cluster, Gateway-API HTTPRoute) renders without complaint and ships green to every tenant.

What this does

Adds a kubeconform schema-validation pass to the existing scaffold gate (the devantler-tech-standard manifest validator — KSail embeds it in pkg/client/kubeconform, and the platform's gitops-repo-audit skill uses it):

  • Standard Kubernetes kinds validate against kubeconform's bundled schemas.
  • The CRD-backed resources validate against the datreeio CRDs-catalog (all four CRDs present: external-secrets.io, postgresql.cnpg.io, gateway.networking.k8s.io).
  • -ignore-missing-schemas skips any kind with no published schema rather than failing, so a future CRD without a catalog entry won't wedge the gate.

It also fixes a real issue the new validation surfaced: deploy/secretstore.yaml's REPLACE_ME placeholders for auth.kubernetes.role and serviceAccountRef.name fail strict schema validation — both must be DNS-1123 names, and the file's own comments say each "equals the repository name" (always lowercase-hyphenated). So REPLACE_ME (uppercase + underscore) could never be a valid value there; a tenant copying it literally would get an invalid SecretStore. Changed to replace-me — still an obvious placeholder, but DNS-valid and a correct shape.

Validation (local)

$ kubectl kustomize deploy/ | kubeconform -strict -ignore-missing-schemas \
    -schema-location default -schema-location '<datreeio-catalog>' -summary
Summary: 6 resources found - Valid: 6, Invalid: 0, Errors: 0, Skipped: 0

Before the placeholder fix the same command reported SecretStore openbao is invalid … 'REPLACE_ME' does not match pattern '^[a-z0-9]...' — i.e. the new gate demonstrably catches the class of error it's meant to. actionlint and zizmor both clean on the changed workflow.

Trade-offs / for the maintainer

  • New CI tool + remote schema source. kubeconform is fetched per-run from its GitHub release (pinned v0.7.0) and CRD schemas from the datreeio catalog over the network (allowed — harden-runner is egress-policy: audit). If you'd rather avoid the network dependency, the alternative is bundling the CRD schemas in-repo (as the platform's gitops-repo-audit skill does in assets/schemas); I kept the lighter remote-catalog approach since this gate runs only on template-repo PRs. Happy to switch to bundled schemas if you prefer.
  • No shared action yet. There's no validate-manifests composite action in devantler-tech/actions today, so this is hand-rolled in the workflow. If manifest validation lands in a second repo it'd be worth extracting (holistic-stewardship follow-up) — premature with one consumer.

Part of establishing a roadmap for this newly-created template (it had none); this is the first concrete validated, secure scaffold item.
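The placeholder failure described above, as an added example that is not code from the PR or the template repo: a small Python check that applies the Kubernetes DNS-1123 label rule to the two SecretStore fields the PR names, standing in for the schema pattern kubeconform enforces from the CRD catalog. The field paths under spec.provider.vault, the apiVersion and the sample manifest are constructed assumptions.

```python
import re
from typing import Any

# Kubernetes DNS-1123 label: lowercase alphanumerics and '-', must start and
# end with an alphanumeric, at most 63 characters.
DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
MAX_LABEL_LEN = 63

# Fields the PR says must be DNS-1123 names. The prefix spec.provider.vault is
# an assumption for this example (OpenBao is driven through the Vault
# provider shape); adjust it to the real SecretStore layout.
DNS_NAME_FIELDS = (
    "spec.provider.vault.auth.kubernetes.role",
    "spec.provider.vault.auth.kubernetes.serviceAccountRef.name",
)


def lookup(doc: dict, dotted: str) -> Any:
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    node: Any = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_dns1123_label(value: Any) -> bool:
    return (isinstance(value, str) and len(value) <= MAX_LABEL_LEN
            and DNS1123_LABEL.match(value) is not None)


def findings(doc: dict) -> list[str]:
    """Return kubeconform-style messages for every DNS-1123 field that fails."""
    ident = f"{doc.get('kind')} {doc.get('metadata', {}).get('name')}"
    out = []
    for path in DNS_NAME_FIELDS:
        value = lookup(doc, path)
        if value is None:
            out.append(f"{ident} is invalid: {path} is missing")
        elif not is_dns1123_label(value):
            out.append(f"{ident} is invalid: {path}: {value!r} does not match "
                       f"pattern {DNS1123_LABEL.pattern!r}")
    return out


def secretstore(role: str, sa_name: str) -> dict:
    """Constructed sample, shaped after the template's deploy/secretstore.yaml."""
    return {"apiVersion": "external-secrets.io/v1", "kind": "SecretStore",
            "metadata": {"name": "openbao"},
            "spec": {"provider": {"vault": {"auth": {"kubernetes": {
                "role": role, "serviceAccountRef": {"name": sa_name}}}}}}}


if __name__ == "__main__":
    for store in (secretstore("REPLACE_ME", "REPLACE_ME"),
                  secretstore("replace-me", "replace-me")):
        print(findings(store) or ["valid"])
```

Running it reports two findings for the REPLACE_ME manifest and none for replace-me, which is the before/after the PR description records for the real kubeconform run.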


Copilot AI left a comment


Pull request overview

Adds schema validation for the rendered deploy/ Kustomize manifests in the template-only scaffold gate, so PRs can’t merge with structurally valid YAML that is schema-invalid for Kubernetes/CRD resources.

Changes:

  • Update the scaffold validation workflow to run kubectl kustomize deploy/ and validate the output with kubeconform (including CRD schemas from datreeio’s catalog).
  • Adjust deploy/secretstore.yaml placeholder values to be DNS-1123 compliant so strict schema validation passes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/validate-scaffold.yaml | Adds kubeconform-based schema validation on rendered deploy/ manifests in the template-only scaffold gate. |
| deploy/secretstore.yaml | Updates placeholder values to be schema-valid DNS-1123 names under strict validation. |

@devantler devantler marked this pull request as ready for review June 1, 2026 05:56
Copilot AI review requested due to automatic review settings June 1, 2026 05:56

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@devantler devantler merged commit bfd3fe7 into main Jun 1, 2026
9 checks passed
@devantler devantler deleted the claude/scaffold-schema-validation branch June 1, 2026 06:14