fix(workflow): ensure Kyverno errors are written to PR summary and exit properly

wnqueiroz · wnqueiroz · commit 892bf4f1c373 · 2025-04-21T17:23:48.000-03:00
Previously, Kyverno failures were not clearly visible in the PR summary due to missing output
redirects and improper exit checks. This change captures the Kyverno exit code explicitly, appends
the results to `$GITHUB_STEP_SUMMARY`, and exits with an error when validation fails.
diff --git a/.github/workflows/validate-claims.yaml b/.github/workflows/validate-claims.yaml
@@ -31,14 +31,18 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
-          if kyverno apply ./kyverno --resource ./crossplane/claims | tee result.txt; then
-            echo "✅ All policies passed." >> $GITHUB_STEP_SUMMARY
-          else
-            cat result.txt >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
+          set +e
+          kyverno apply ./kyverno --resource ./crossplane/claims | tee result.txt
+          KYVERNO_EXIT_CODE=${PIPESTATUS[0]}
+          set -e
+
+          cat result.txt >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
+          if [[ $KYVERNO_EXIT_CODE -ne 0 ]]; then
             echo "" >> $GITHUB_STEP_SUMMARY
-            echo "❌ One or more Kyverno policies failed." >> $GITHUB_STEP_SUMMARY
+            echo "❌ One or more Kyverno policies failed. Please fix the issues above." >> $GITHUB_STEP_SUMMARY
             exit 1
+          else
+            echo "✅ All policies passed." >> $GITHUB_STEP_SUMMARY
           fi
-
-          echo '```' >> $GITHUB_STEP_SUMMARY
