I contributed to open-policy-agent/conftest with GitHub-flavored output.
Now you can simply use Conftest directly, which makes this action obsolete.
```yaml
---
name: Conftest
on:
  pull_request:
    branches:
      - main
jobs:
  conftest:
    runs-on: ubuntu-latest
    container: openpolicyagent/conftest:latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v2
      - name: Validate Kubernetes policy
        run: |
          conftest test -o github -p examples/kubernetes/policy examples/kubernetes/deployment.yaml
```
The `-o github` output option is what annotates the files in the pull request where policy violations are found.
OPA here stands for OPA Pull-Request Assessor, a GitHub Action that checks files against policies configured in the same repository. Under the hood it uses the original OPA (Open Policy Agent) by way of Conftest.
Start using this OPA-action in three simple steps:

1. Create a folder (e.g. `policies`) with your policy files written in the Rego language. For sample policies, check out the Conftest examples, or write your own using Rego, the OPA Policy Language.
2. Configure in either `.opa-action.yaml` or `.github/opa-action.yaml` where your policy files can be found (`path`, the folder you created in the previous step), followed by pairs of files or file patterns (`sources`) and the package/namespace (`package`) the files should be tested against, and optionally whether violations should not fail the check (`no_fail`; the default, or its absence, means `false` and will fail the check on errors).

   ```yaml
   ---
   path: policy
   rego:
     - sources: "Dockerfile"
       package: "docker"
       no_fail: true
     - sources: ".github/workflows/*.yml"
       package: "workflows"
   ```

3. Add the GitHub Action to your workflows, either on its own as a separate workflow or as a step between the code checkout and the rest of your existing workflow.
```yaml
---
name: Policy check
on:
  pull_request:
    branches:
      - main
jobs:
  policy-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: OPA Pull-Request Assessor
        uses: koozz/opa-action@latest
```
If you're satisfied, follow best practice and pin the action to a specific version instead of `latest`.
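As an added example of the kind of policy file step 1 asks for (this is not code from opa-action or Conftest), here is a Rego policy for the `workflows` package that the sample configuration maps to `.github/workflows/*.yml`. It encodes the pin-the-version advice above as a check: every `uses:` reference in a workflow must carry an explicit `@<ref>` other than the floating `latest`. The file name `policies/workflows.rego` and the `rego.v1` syntax are assumptions; the input shape (`jobs` → `steps` → `uses`) is the standard GitHub workflow schema.

```rego
package workflows

import rego.v1

# Added example policy (not part of opa-action): flag any workflow step whose
# `uses:` reference is not pinned. Conftest reports every `deny` result as a
# violation, so the check fails when a step references `@latest` or omits the
# version entirely.
deny contains msg if {
    some job_name, job in input.jobs
    some i, step in job.steps
    uses := step.uses              # steps with only `run:` have no `uses` and are skipped
    not pinned(uses)
    msg := sprintf("job %q, step %d: %q is not pinned to a tag or commit SHA", [job_name, i, uses])
}

# A local action (`./path`) lives in the same repository and has nothing to pin.
pinned(ref) if startswith(ref, "./")

# Anything else must carry an explicit `@<ref>` that is not the floating `latest`.
pinned(ref) if {
    parts := split(ref, "@")
    count(parts) == 2
    parts[1] != "latest"
}
```

To try it locally before wiring it into the action, run `conftest test -p policies -n workflows .github/workflows/<file>.yml`; the `-n` flag selects the `workflows` package, just as the `package:` key in the configuration does. Run against the "Policy check" workflow above, the policy reports the `koozz/opa-action@latest` step, which is exactly the reference the pinning advice tells you to replace. A stricter variant would accept only a full commit SHA after the `@`, since tags can be moved.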
Apache License, Version 2.0