GCSS-1127: add YAML schema validation before terraform plan #47
Merged
Validates repos/*.yaml files against a JSON schema before terraform plan runs on PRs. Fails fast with a clear error if validation fails, preventing wasted CI time on malformed configs.
Replaces the Python-based YAML schema validation with a Go implementation integrated into `github-repo-importer`. Streamlines workflow by leveraging the importer's built-in schema generator and validator. Updates CI to ensure the schema is current before validation.
Updates the validation logic to include both `.yaml` and `.yml` extensions. Refactors file globbing into a reusable function and adds a test case to ensure `.yml` files are validated correctly.
Enhances schema resolution logic to include a fallback schema option (`--fallback-schema`) when no org-level override is present. Updates command flags, adjusts resolution priority, and extends test cases to verify fallback behavior.
Introduces `fallback-schema-path` input to the validation action and `base_schema_path` to the workflow, allowing customization of schema resolution. Uses fallback schema when no override is provided, defaulting to the bundled schema.
pavlovic-ivan
approved these changes
Jun 11, 2026
pavlovic-ivan
left a comment
Contributor
Looking good. Thanks, and well done 🎉
Validate `repos/*.yaml` against schema before `terraform plan`

Closes G-Research/gr-oss#1127

Problem

Malformed repo config only surfaced deep inside `terraform plan` output — noisy and slow to diagnose.

Approach

Adds a `validate` job that runs before `terraform-plan` on every PR and validates all repo config files against the repository JSON schema, failing fast with a clear, file-scoped error.

Validation runs through the Go importer CLI (`importer validate`) rather than a standalone script. The schema is generated in-memory from the same Go structs that the `schema` command and Terraform already use, so there is a single source of truth and no checked-in snapshot to drift.

Acceptance criteria

`github-configuration/.schemas/repository-config.schema.json`, when added later, transparently overrides the built-in schema — no further wiring

Testing

`.yml` extension, empty dir, org-override precedence, and symlink-escape guard.

`go build` / `go vet` / `go test ./...` green; `importer schema` output byte-identical (refactor introduced no schema change).

Notes

`validate` job runs the action from the terraformer ref the config repo consumes, so this must be merged before config-repo PRs can use it.
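
The override-then-fallback schema resolution and the symlink-escape guard named in the description, sketched in Go as an added example (not code from this PR or from `github-repo-importer`). `ResolveSchema`, `ErrEscape`, the root-relative override path and the use of an empty string to mean the built-in schema are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape reports an override whose real location is outside the config repo.
var ErrEscape = errors.New("schema override resolves outside config root")

// overrideRel is the org-level override location from the PR description,
// taken relative to the config repo root (assumption).
const overrideRel = ".schemas/repository-config.schema.json"

// ResolveSchema picks the schema file to validate against. Assumed priority:
// org override under configRoot, then fallback ("" stands for the built-in
// schema). An override that resolves outside configRoot is rejected.
func ResolveSchema(configRoot, fallback string) (string, error) {
	root, err := filepath.EvalSymlinks(configRoot)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, overrideRel)
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		return fallback, nil // no override present: use the fallback
	}
	if err != nil {
		return "", err
	}
	// Compare fully resolved paths, so neither a symlinked file nor a
	// symlinked .schemas directory can point the validator elsewhere.
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscape, candidate, resolved)
	}
	return resolved, nil
}

func main() {
	p, err := ResolveSchema(".", "")
	fmt.Println(p, err)
}
```

Failing closed on an escaping override, rather than silently using the fallback, keeps a PR from swapping in a schema that lives outside the reviewed checkout.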