diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
new file mode 100644
index 0000000..420ff0b
--- /dev/null
+++ b/.github/workflows/drift.yml
@@ -0,0 +1,26 @@
+name: Check for .policy.yml drift
+
+on:
+ pull_request:
+ types:
+ - edited
+ - opened
+ - ready_for_review
+ - synchronize
+ push:
+ branches:
+ - main
+
+jobs:
+ drift:
+ name: Check for drift
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check repository out
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Check for drift
+ uses: ./actions/check-for-drift
+ with:
+ input_file: .policy.yml
+ merge_with: policy.yml
diff --git a/actions/check-for-drift/action.yml b/actions/check-for-drift/action.yml
new file mode 100644
index 0000000..053cf2b
--- /dev/null
+++ b/actions/check-for-drift/action.yml
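Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope, which on repositories still using the permissive default is read/write on every scope even though this job only checks out and diffs. Add `permissions:` with `  contents: read` at the workflow level right after `name:`; neither the pinned checkout nor the local composite action needs anything more. The `edited` trigger under `pull_request` re-runs the job when only the PR title or body changes, which cannot affect drift, so it can be dropped to save runner time. Because the action is invoked by local path, `github.action_repository` and `github.action_ref` inside it may resolve differently than for a remote `uses:`; it is worth confirming in a PR run that the nested checkout lands on the PR ref rather than the default branch.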
@@ -0,0 +1,68 @@
+name: Check for Drift
+description: Checks if the generated output is different from the input file
+
+inputs:
+ input_file:
+ description: The input file to compare
+ required: true
+
+ merge_with:
+ description: The file to merge with the input file
+ required: false
+
+runs:
+ using: composite
+
+ steps:
+ - name: Check repository out
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ env:
+ action_repo: ${{ github.action_repository }}
+ action_ref: ${{ github.action_ref }}
+ with:
+ path: ${{ github.workspace }}/action-checkout
+ repository: ${{ env.action_repo }}
+ ref: ${{ env.action_ref }}
+
+ - name: Set up Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version-file: ${{ github.workspace }}/action-checkout/go.mod
+
+ - name: Build the program
+ shell: sh
+ run: |
+ cd "${{ github.workspace }}/action-checkout"
+
+ DESTDIR="$(go env GOPATH)/bin"
+ mkdir -p "${DESTDIR}"
+
+ go build \
+ -o "${DESTDIR}/generate-policy-bot-config" \
+ github.com/grafana/generate-policy-bot-config/cmd/generate-policy-bot-config
+
+ - name: Generate new config
+ id: new
+ shell: sh
+ run: |
+ echo "config< "${GITHUB_OUTPUT}"
+ generate-policy-bot-config \
+ --output - \
+ --merge-with ${{ inputs.merge_with }} \
+ . \
+ | tee -a "${GITHUB_OUTPUT}"
+ echo "EOC" >> "${GITHUB_OUTPUT}"
+
+ - name: Check for drift
+ shell: bash
+ run: |
+ IFS='' read -r -d '' NEW_CONFIG <<'EOC' || true
+ ${{ steps.new.outputs.config }}
+ EOC
+
+ if ! diff -u ${{ inputs.input_file }} - <<< "${NEW_CONFIG}"; then
+ echo "Drift detected: ${{ inputs.input_file }} is out-of-date. Regenerate it and commit the result."
+ exit 1
+ fi
+
+ echo "No drift detected: ${{ inputs.input_file }} is up-to-date."
diff --git a/actions/validate/README.md b/actions/validate/README.md
new file mode 100644
index 0000000..eb358f2
--- /dev/null
+++ b/actions/validate/README.md
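Review bot: The `--merge-with ${{ inputs.merge_with }}` flag in the "Generate new config" step is emitted unconditionally although `merge_with` is declared `required: false`, so when the caller omits it the command line becomes `--merge-with .` and the positional source directory is swallowed as the merge file. The same step and the "Check for drift" step splice `inputs.*` and `steps.new.outputs.config` directly into the script text, and the generated config is round-tripped through `GITHUB_OUTPUT` and a bash heredoc: any generated line that is exactly `EOC` ends the heredoc early and whatever follows is executed as shell, and the generator reads repository content that a pull-request author controls. The checkout step already routes context values through `env:`; the shell steps should do the same, and the round-trip can be removed by writing the generated file into `$RUNNER_TEMP` and diffing the two files directly (assuming `--output` accepts a path, as `--output -` suggests). The unquoted `${{ inputs.input_file }}` in the `diff` call also breaks on paths containing spaces; the rewrite below quotes it.

```yaml
# … unchanged: inputs, checkout, setup-go and build steps …

      - name: Generate new config
        shell: bash
        env:
          MERGE_WITH: ${{ inputs.merge_with }}
        run: |
          args=()
          if [ -n "${MERGE_WITH}" ]; then
            args+=(--merge-with "${MERGE_WITH}")
          fi
          generate-policy-bot-config --output "${RUNNER_TEMP}/generated-policy.yml" "${args[@]}" .

      - name: Check for drift
        shell: bash
        env:
          INPUT_FILE: ${{ inputs.input_file }}
        run: |
          if ! diff -u "${INPUT_FILE}" "${RUNNER_TEMP}/generated-policy.yml"; then
            echo "Drift detected: ${INPUT_FILE} is out-of-date. Regenerate it and commit the result."
            exit 1
          fi
          echo "No drift detected: ${INPUT_FILE} is up-to-date."
```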
@@ -0,0 +1,33 @@
+# validate-policy-bot-config
+
+Validates the `.policy.yml` configuration file for [Policy Bot][policy-bot]. See
+[the documentation][policy-bot-docs] for more information on creating rules.
+
+[policy-bot]: https://github.com/palantir/policy-bot
+[policy-bot-docs]: https://github.com/palantir/policy-bot?tab=readme-ov-file#configuration
+
+## Inputs
+
+- `policy`: The path to the `.policy.yml` file to validate. Default: `.policy.yml`.
+- `validation_endpoint` (required): The endpoint to validate the configuration
+ against.
+
+Example workflow:
+
+```yaml
+name: validate-policy-bot
+on:
+ pull_request:
+ paths:
+ - .policy.yml
+ push:
+ paths:
+ - .policy.yml
+
+jobs:
+ validate-policy-bot:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Validate Policy Bot configuration
+ uses: grafana/generate-policy-bot-config/actions/validate@main
+```
diff --git a/actions/validate/action.yml b/actions/validate/action.yml
new file mode 100644
index 0000000..2cb0ed9
--- /dev/null
+++ b/actions/validate/action.yml
@@ -0,0 +1,26 @@
+name: Validate Policy Bot Config
+description: Validates the Policy Bot configuration file.
+
+inputs:
+ policy:
+ description: |
+ Path to the Policy Bot configuration file.
+ default: .policy.yml
+
+ validation_endpoint:
+ description: |
+ Validation API endpoint.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Validate Policy Bot config
+ shell: bash
+ run: |
+ curl \
+ --silent \
+ --fail-with-body \
+ --request PUT \
+ --upload-file "${{ inputs.policy }}" \
+ "${{ inputs.validation_endpoint }}"
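Review bot: In the `run:` block of actions/validate/action.yml, `${{ inputs.policy }}` and `${{ inputs.validation_endpoint }}` are expanded into the script text rather than passed through `env:`, so an endpoint value containing a quote or `$(...)` is interpreted by bash, and nothing constrains the scheme, so an `http://` endpoint ships the policy and receives the pass/fail verdict that gates the workflow over plaintext. `--silent` without `--show-error` also suppresses curl's own diagnostic on a connection or TLS failure, leaving only the exit code, and with no `--max-time` an unresponsive endpoint holds the job until the runner timeout. In the same commit the README example invokes this action without `with: validation_endpoint:` and without a checkout step, so as written it fails on the required input and, if that were supplied, on the missing `.policy.yml`. The rewrite below moves the inputs to `env:`, refuses non-HTTPS endpoints, and adds `--show-error` and a timeout.

```yaml
    - name: Validate Policy Bot config
      shell: bash
      env:
        POLICY: ${{ inputs.policy }}
        VALIDATION_ENDPOINT: ${{ inputs.validation_endpoint }}
      run: |
        case "${VALIDATION_ENDPOINT}" in
          https://*) ;;
          *) echo "validation_endpoint must be an https:// URL"; exit 1 ;;
        esac
        curl \
          --silent \
          --show-error \
          --fail-with-body \
          --max-time 30 \
          --request PUT \
          --upload-file "${POLICY}" \
          "${VALIDATION_ENDPOINT}"
```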