Open
Description
Overview
Priority: 🟡 MEDIUM
Effort: 30 minutes
Related PR: #246
Mentioned in: 3/6 code reviews
Create GitHub Actions workflow to automatically validate production manifests are clean.
Problem
Currently, Test 27 validates production manifests locally, but there's no CI check on every PR.
Gap: A PR could introduce DISABLE_AUTH or ENVIRONMENT=local to production manifests and only be caught locally.
Solution
Note: This is partially addressed in .github/workflows/test-local-dev.yml (step: "Validate production manifest safety"), but only runs as part of the test-local-dev job. Need a dedicated fast-fail check.
Create .github/workflows/security-manifest-check.yml:
```yaml
name: Security - Production Manifest Validation

on:
  pull_request:
    paths:
      - 'components/manifests/base/**'
      - 'components/manifests/overlays/production/**'
  push:
    branches: [main]
    paths:
      - 'components/manifests/base/**'
      - 'components/manifests/overlays/production/**'

jobs:
  validate-production-manifests:
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - uses: actions/checkout@v5

      - name: Check production manifests are clean
        run: |
          echo "Validating production manifests do NOT contain dev mode variables..."
          EXIT_CODE=0

          # Check for DISABLE_AUTH
          if grep -r "DISABLE_AUTH" components/manifests/base/ components/manifests/overlays/production/; then
            echo ""
            echo "❌ CRITICAL: Production manifest contains DISABLE_AUTH"
            echo "This would enable dev mode authentication bypass in production"
            echo ""
            EXIT_CODE=1
          fi

          # Check for ENVIRONMENT=local or development
          if grep -rE "ENVIRONMENT.*[\"']?(local|development)[\"']?" components/manifests/base/ components/manifests/overlays/production/; then
            echo ""
            echo "❌ CRITICAL: Production manifest sets ENVIRONMENT=local/development"
            echo "This would enable dev mode in production"
            echo ""
            EXIT_CODE=1
          fi

          if [ $EXIT_CODE -eq 0 ]; then
            echo "✅ All production manifests are clean"
            echo ""
            echo "Verified:"
            echo " - No DISABLE_AUTH in production manifests"
            echo " - No ENVIRONMENT=local/development in production manifests"
          fi

          exit $EXIT_CODE

      - name: Verify minikube manifests DO have dev mode
        run: |
          echo "Verifying minikube manifests correctly include dev mode variables..."
          if ! grep -q "DISABLE_AUTH" components/manifests/minikube/backend-deployment.yaml; then
            echo "⚠️ WARNING: Minikube backend missing DISABLE_AUTH (dev mode broken?)"
          else
            echo "✅ Minikube manifests correctly configured for dev mode"
          fi
```

Benefits
- Fast feedback - Fails in ~30 seconds vs waiting for full test suite
- Clear error messages - Points directly to problematic file
- Prevents accidents - Catches configuration drift before merge
- Complements Test 27 - Automated + manual validation
Acceptance Criteria
- Workflow file created
- Triggers on PR and push to main
- Scans base/ and overlays/production/ manifests
- Checks for DISABLE_AUTH
- Checks for ENVIRONMENT=local/development
- Provides clear error messages
- Verifies minikube manifests have dev mode
- Runs in < 1 minute
- Shows in PR checks prominently
Testing
Test the workflow by:
- Creating test PR with DISABLE_AUTH in base/backend-deployment.yaml
- Verify workflow fails with clear message
- Remove DISABLE_AUTH
- Verify workflow passes
References
- tests/local-dev-test.sh:866-926 (Test 27)
- docs/SECURITY_DEV_MODE.md:176-206
- PR feat: Local Dev with MiniKube #246 reviews (3/6 mentioned this)
Timeline: Low priority - can be implemented anytime
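
The Testing steps above can be rehearsed locally before opening a test PR. The script below is an added example, not the project's workflow or test code: `scan_manifests` and `make_sample` are hypothetical names, and the sample manifests are constructed. It assumes the manifests may declare variables as a Kubernetes `name:`/`value:` pair on adjacent lines, a form that a line-based `grep` for `ENVIRONMENT.*local` does not match, so it checks that form as well as the one-line forms.

```bash
#!/usr/bin/env bash
# Added example: rehearse the manifest check locally on constructed files.

# scan_manifests DIR...: print "file:line: text" per finding; return 1 if any.
scan_manifests() {
  local hits
  hits=$(find "$@" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk -v Q="[\"']?" '
    BEGIN { S = "[ \t]*"; dev = Q "(local|development)" Q S "$" }
    function hit() { print FILENAME ":" FNR ": " $0 }
    FNR == 1 { pending = 0 }
    /DISABLE_AUTH/ { hit() }
    # One-line forms such as ENVIRONMENT=local or ENVIRONMENT: "development"
    $0 ~ ("ENVIRONMENT" Q S "[=:]" S dev) { hit() }
    # Kubernetes env entry: "name: ENVIRONMENT", then "value: local" on the next line
    pending && $0 ~ ("value:" S dev) { hit() }
    { pending = ($0 ~ ("name:" S Q "ENVIRONMENT" Q S "$")) }
  ' {} +)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample DIR: constructed manifests, not the project's real files.
make_sample() {
  mkdir -p "$1/base" "$1/overlays/production"
  printf '%s\n' 'env:' '  - name: ENVIRONMENT' '    value: production' \
    > "$1/base/backend-deployment.yaml"
  printf '%s\n' 'env:' '  - name: LOG_LEVEL' '    value: info' \
    > "$1/overlays/production/patch.yaml"
}

demo=$(mktemp -d)
make_sample "$demo"
scan_manifests "$demo/base" "$demo/overlays/production" && echo "clean tree: pass"
# Testing step 1: add dev-mode settings to the base manifest, expect a failure.
printf '%s\n' '  - name: DISABLE_AUTH' '    value: "true"' \
  '  - name: ENVIRONMENT' '    value: local' >> "$demo/base/backend-deployment.yaml"
scan_manifests "$demo/base" "$demo/overlays/production" || echo "dev-mode tree: fail (expected)"
# Testing step 3: restore the clean manifest, expect a pass again.
make_sample "$demo"
scan_manifests "$demo/base" "$demo/overlays/production" && echo "restored tree: pass"
rm -rf "$demo"
```

Because the value pattern is anchored to the end of the line, a setting such as `value: localhost` is not reported, while a value followed by a trailing comment is not matched either.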