I'm trying to use Open Policy Agent gatekeeper in a github actions pipeline like so:
    name: OPA Gatekeeper
    on: [push, pull_request]
    jobs:
      test:
        runs-on: ubuntu-latest-medium
        steps:
          - name: Checkout repository
            uses: actions/checkout@v4
          - name: Set up Kubernetes
            uses: engineerd/[email protected]
          - name: Install kubectl
            uses: azure/setup-kubectl@v4
          - name: Install Gatekeeper with kubectl
            run: |
              kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user admin
              kubectl apply -f .18.2/deploy/gatekeeper.yaml
          - name: Apply constraint template
            run: |
              sleep 30
              kubectl apply -f gatekeeper/constraint_template.yml
          - name: Apply Constraint
            run: |
              kubectl apply -f gatekeeper/constraint.yml
          - name: Run Ingress
            run: ./kubectl apply -f gatekeeper/ingress.yml
The constraint_template.yml file it uses is this:
    apiVersion: templates.gatekeeper.sh/v1beta1
    kind: ConstraintTemplate
    metadata:
      name: hostvalidation
    spec:
      crd:
        spec:
          names:
            kind: HostValidation
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package hostvalidation

            violation[{"msg": msg}] {
              input.review.object.kind == "Ingress"
              host := input.review.object.spec.rules[_].host
              not endswith(host, ".xp")
              msg := sprintf("Ingress host %s does not end with 'xp'", [host])
            }
And the constraint.yml is this:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: HostValidation
    metadata:
      name: hostvalidation
    spec:
      match:
        kinds:
          - apiGroups: ["networking.k8s.io"]
            kinds: ["Ingress"]
All of this works locally. However, in the pipeline the hostvalidation CRD never gets created. We've tried numerous ways of creating it, but nothing works.
Is there a known issue with using constraint templates in a pipeline?
Thanks
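A readiness-gated replacement for the three `run:` steps above, added here as an example and not part of the original post: Gatekeeper's controller generates the constraint CRD only after the ConstraintTemplate has been reconciled, so the script waits for each object to exist and report Established instead of sleeping a fixed 30 seconds. It assumes the deploy/gatekeeper.yaml defaults (namespace gatekeeper-system, deployment gatekeeper-controller-manager) and the file paths from the post.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumes the gatekeeper.yaml
# defaults: namespace gatekeeper-system, deployment gatekeeper-controller-manager.
set -eu

# Gatekeeper names a constraint CRD "<lowercase kind>.constraints.gatekeeper.sh".
constraint_crd_name() {
  printf '%s.constraints.gatekeeper.sh\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Read the top-level "kind:" from a constraint manifest (e.g. HostValidation).
kind_from_constraint_file() {
  sed -n 's/^kind:[[:space:]]*//p' "$1" | head -n 1
}

# Poll until the CRD exists (kubectl wait fails immediately on a missing object),
# then block until the API server marks it Established.
wait_for_crd() {
  crd=$1; timeout=${2:-120}; waited=0
  until kubectl get "crd/$crd" >/dev/null 2>&1; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for CRD $crd" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
  kubectl wait --for=condition=Established "crd/$crd" --timeout="${timeout}s"
}

install_policy() {
  # 1. The controller must be running before it can turn templates into CRDs.
  kubectl wait --for=condition=Available -n gatekeeper-system \
    deployment/gatekeeper-controller-manager --timeout=180s
  wait_for_crd constrainttemplates.templates.gatekeeper.sh
  # 2. Apply the template, then wait for the CRD it generates.
  kubectl apply -f gatekeeper/constraint_template.yml
  kind=$(kind_from_constraint_file gatekeeper/constraint.yml)
  wait_for_crd "$(constraint_crd_name "$kind")"
  # 3. Only now can the Constraint, and after it the Ingress, be applied.
  kubectl apply -f gatekeeper/constraint.yml
}

# Run the real sequence only inside the pipeline, where kubectl is configured.
if [ -n "${GITHUB_ACTIONS:-}" ] && command -v kubectl >/dev/null 2>&1; then
  install_policy
fi
```

`kubectl get constrainttemplate hostvalidation -o yaml` after the template step shows whether Gatekeeper accepted the Rego; a template that fails to compile never produces its CRD, which looks identical from the Constraint step's point of view.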