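# .github/workflows/policy-ci.yaml
#
# Tests the Kyverno policies on pull requests and, after a push to main,
# deploys the policy chart to the staging cluster.
name: Kyverno Policy CI

on:
  pull_request:
    paths:
      - 'policies/**'
  # deploy-staging is gated on refs/heads/main. On pull_request runs
  # github.ref is the PR merge ref, so without a push trigger that job
  # could never run.
  push:
    branches:
      - main
    paths:
      - 'policies/**'

# Least privilege for GITHUB_TOKEN: both jobs only read the repository.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action is referenced by a mutable tag; pinning it
      # to a full commit SHA protects against a retargeted tag.
      - uses: actions/checkout@v3
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Install Kyverno CLI
        # NOTE(review): `releases/latest` is a moving target and the archive
        # is installed into /usr/local/bin without an integrity check. Pin a
        # release tag and verify the archive against a known SHA-256 before
        # unpacking it.
        # -f makes curl fail on an HTTP error instead of saving the error
        # page and handing it to tar.
        run: |
          curl -fLO https://github.com/kyverno/kyverno/releases/latest/download/kyverno-cli_linux_amd64.tar.gz
          tar -xzf kyverno-cli_linux_amd64.tar.gz
          sudo mv kyverno /usr/local/bin/

      - name: Lint policies
        run: |
          kyverno apply policies/ --resource test-resources/ --detailed-results

      - name: Run tests
        run: |
          kyverno test policies/tests/

      - name: Validate helm chart
        run: |
          helm lint kyverno-policies/
          helm template kyverno-policies/ | kyverno apply - --resource test-resources/

  deploy-staging:
    needs: test
    # Only a push to main may deploy; pull_request runs never match.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      # Every job starts on a fresh runner, so the chart directory and
      # values-staging.yaml have to be checked out in this job as well.
      - uses: actions/checkout@v3
        with:
          persist-credentials: false

      - name: Deploy to staging
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the secret's content is never parsed as shell.
          STAGING_KUBECONFIG: ${{ secrets.STAGING_KUBECONFIG }}
        run: |
          # --kubeconfig takes a file path, so the secret is written to a
          # private temp file that is removed when the step exits.
          # Assumes the secret holds the raw kubeconfig document; if it is
          # stored base64-encoded, decode it here instead. TODO confirm.
          umask 077
          kubeconfig_file="$(mktemp)"
          trap 'rm -f "$kubeconfig_file"' EXIT
          printf '%s' "$STAGING_KUBECONFIG" > "$kubeconfig_file"
          helm upgrade --install kyverno-policies ./kyverno-policies \
            -f values-staging.yaml \
            --kubeconfig "$kubeconfig_file"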