{"id":20542431,"url":"https://github.com/mp-es/k8s-deploy","last_synced_at":"2026-03-04T12:31:57.661Z","repository":{"id":46759616,"uuid":"359929164","full_name":"MP-ES/k8s-deploy","owner":"MP-ES","description":"Action that deploys an application in an On-Premises Kubernetes cluster based in a GitOps repository.","archived":false,"fork":false,"pushed_at":"2025-05-15T00:55:43.000Z","size":141,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-19T16:56:25.404Z","etag":null,"topics":["github-actions","gitops","hacktoberfest","k8s","k8s-deploy","kubernetes","premises-kubernetes-cluster"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MP-ES.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-04-20T19:28:02.000Z","updated_at":"2025-05-15T00:42:11.000Z","dependencies_parsed_at":"2023-01-05T04:49:25.636Z","dependency_job_id":"f68a6b85-bc92-4a6f-8e09-e4307dc9af81","html_url":"https://github.com/MP-ES/k8s-deploy","commit_stats":{"total_commits":27,"total_committers":4,"mean_commits":6.75,"dds":"0.37037037037037035","last_synced_commit":"55ca861f4fee18b48b7d958fe3ad7727ab483100"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/MP-ES/k8s-deploy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MP-ES%2Fk8s-deploy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MP-ES%2Fk8s-deploy/tags","releases_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MP-ES%2Fk8s-deploy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MP-ES%2Fk8s-deploy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MP-ES","download_url":"https://codeload.github.com/MP-ES/k8s-deploy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MP-ES%2Fk8s-deploy/sbom","scorecard":{"id":87886,"data":{"date":"2025-08-11","repo":{"name":"github.com/MP-ES/k8s-deploy","commit":"881d92faab5666d1f2f05435a3464dc5ce869092"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.1,"checks":[{"name":"Code-Review","score":2,"reason":"Found 6/30 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/integration.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does 
not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using 
https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/MP-ES/k8s-deploy/release.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2: pin your Docker image by updating golang:1.23 to golang:1.23@sha256:8b9a1e34c73ab8a774613c6b66cd92c750d1eeaa72c914b551026156ca5a8c52","Warn: containerImage not pinned by hash: slim.dockerfile:6","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   6 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:21"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-15T07:18:48.888Z","repository_id":46759616,"created_at":"2025-08-15T07:18:48.889Z","updated_at":"2025-08-15T07:18:48.889Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272971422,"owners_count":25024093,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-31T02:00:09.071Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","gitops","hacktoberfest","k8s","k8s-deploy","kubernetes","premises-kubernetes-cluster"],"created_at":"2024-11-16T01:32:08.770Z","updated_at":"2025-08-31T10:42:07.018Z","avatar_url":"https://github.com/MP-ES.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# k8s-deploy\n\nAction that deploys an application in an On-Premises Kubernetes cluster based in a GitOps repository.\n\n[![Codecov](https://codecov.io/gh/MP-ES/k8s-deploy/graph/badge.svg?token=HSN90LV4NG)](https://codecov.io/gh/MP-ES/k8s-deploy)\n[![Integration](https://github.com/MP-ES/k8s-deploy/workflows/Integration/badge.svg)](https://github.com/MP-ES/k8s-deploy/actions?query=workflow%3AIntegration)\n[![Release](https://github.com/MP-ES/k8s-deploy/workflows/Release/badge.svg)](https://github.com/MP-ES/k8s-deploy/actions?query=workflow%3ARelease)\n\n## 
Requirements\n\nThe owner must have a repository named **gitops** with the rules of application deployment. For example, if you are deploying the repository **ORG/application**, then k8s-deploy will try to get the rules from the repository **ORG/gitops**, since the repository owner is **ORG**.\n\n## Usage\n\n```yaml\n- name: Deploy on on-premises K8S\n  uses: MP-ES/k8s-deploy@v2\n  with:\n    # Multiline input where each line contains the name of a Kubernetes environment defined in the GitOps repository\n    k8s_envs: |\n      env1\n      env2\n\n    # Path to the manifest directory, with files to be used for deployment\n    # DEFAULT: kubernetes\n    manifest_dir: kubernetes\n\n    # Personal access token (PAT) used to manage comments on pull requests\n    # DEFAULT: ${{ github.token }}\n    repo_token: ${{ github.token }}\n\n    # GitHub PAT with read permission on gitOps repository, if gitOps is private\n    gitops_token: ${{ secrets.SECRET_NAME }}\n\n    # Deployment strategy to be used. Allowed values are none, canary and blue-green\n    # More details below\n    # DEFAULT: none\n    strategy: none\n\n  env:\n    # list of app secrets, defined in gitOps repository\n    app_secret1: ${{ secrets.app_secret1 }}\n    app_secret2: ${{ secrets.app_secret2 }}\n\n    # base64 of kubeconfig file for each Kubernetes environment defined in k8s_envs\n    # See below an example of an expected kubeconfig\n    base64_kubeconfig_env1: ${{ secrets.base64_kubeconfig_env1 }}\n    base64_kubeconfig_env2: ${{ secrets.base64_kubeconfig_env2 }}\n```\n\n### Strategy\n\nDeployment strategy to be used while applying manifest files on the cluster. Acceptable values are none, canary and blue-green.\n\n#### none\n\nNo deployment strategy is used when deploying. The files are changed on the cluster in force mode. 
This is sufficient for pull request deployments or if the application can tolerate short downtime during deployment.\n\n#### canary\n\n*not implemented yet.*\n\n#### blue-green\n\n*not implemented yet.*\n\n### kubeconfig example\n\nThe most important part is the **context name**, which **must be** the same as the **Kubernetes environment name** to which the kubeconfig belongs.\n\n```yaml\napiVersion: v1\nkind: Config\nclusters:\n  - cluster:\n      certificate-authority-data: base64-encoded of ca-file\n      server: https://server.domain.com:6443\n    name: k8s-cluster\nusers:\n  - name: kube-admin-user\n    user:\n      client-certificate-data: base64-encoded of cert-file\n      client-key-data: base64-encoded of key-file\ncontexts:\n  - context:\n      cluster: k8s-cluster\n      user: kube-admin-user\n    name: env1\n```\n\nYou can generate a base64 of the file with `base64 -w 0 kubeconfig_file.yaml`.\n\n## Outputs\n\nThe following outputs are available:\n\n| Name     | Type        | Description                                   |\n| -------- | ----------- | --------------------------------------------- |\n| `status` | JSON object | Array of deployment status by K8S environment |\n\nOutput example:\n\n```json\n[\n   {\n      \"K8sEnv\":\"dev\",\n      \"Deployed\":true,\n      \"ErrMsg\":\"\",\n      \"DeploymentLog\":\"deployment.apps/test created\\nservice/test created\\ningress.extensions/test created\\nnamespace/test unchanged\\nresourcequota/test unchanged\\nsecret/test unchanged\\n\",\n      \"Ingresses\":[\n         \"ingress.env.domain.com\"\n      ]\n   },\n   {\n      \"K8sEnv\":\"app\",\n      \"Deployed\":false,\n      \"ErrMsg\":\"1 error occurred:\\n\\t* exit status 1\\n\\n\",\n      \"DeploymentLog\":\"resourcequota/test created\\nsecret/test created\\nError from server (NotFound): error when creating \\\"../.deploy/pr/final.yaml\\\": namespaces \\\"test\\\" not found\\n\",\n      \"Ingresses\":[]\n   }\n]\n```\n\n## Developer\n\n```shell\n# Copy .env.* 
example file to .env file\n# Simulate a pull request call\ncp src/.env.pr src/.env\n\n# Install lint\ncurl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sudo sh -c 'sh -s -- -b /usr/local/bin'\n\n# Run lint locally\n# From src directory\ngolangci-lint run\n\n# Run tests\n# From src directory\ngo test -race -v -covermode=atomic -coverprofile=coverage.out ./...\n\n# See cover report\n# From src directory\ngo tool cover -html=coverage.out\n```\n\n### Update dependencies\n\n```shell\ncd src\n\n# Update dependencies\ngo get -u\n\n# Update go.mod\ngo mod tidy\n```\n\n### How to test it locally\n\n```shell\n\n# Navigate to the src directory\ncd src\n\n# Run the app\ngo run main.go\n```\n\n### How to validate the changes using a pull request\n\n- Create a new branch from main (e.g. `new-feature`).\n\n- In the [action.yml](./action.yml) file, replace the `image` key with the `Dockerfile` path:\n  \n  ```yaml\n  runs:\n    using: \"docker\"\n    image: \"Dockerfile\"\n  ```\n\n- Then, in the repository where you want to test the action, call the action using the new branch:\n\n  ```yaml\n  - name: Deploy on on-premises K8S\n    uses: MP-ES/k8s-deploy@new-feature\n    with:\n      # Other parameters...\n  ```\n\n- Don't forget to revert the `image` key in the `action.yml` file to its original state after testing.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmp-es%2Fk8s-deploy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmp-es%2Fk8s-deploy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmp-es%2Fk8s-deploy/lists"}