
added schema checking to opa check #531


name: Lint policies with Regal

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so a
# yamllint `truthy` warning here is expected and harmless.
on:
  - push
  - pull_request

# Declare default permissions as read only.
permissions: read-all

jobs:
  lint-policy:
    runs-on: ubuntu-latest
    env:
      # renovate: datasource=github-releases depName=open-policy-agent/opa
      OPA_VERSION: v0.69.0
      # renovate: datasource=github-releases depName=StyraInc/regal
      REGAL_VERSION: v0.27.0
      # Quoted so no YAML parser retypes the value. It selects only the
      # `v<version>/schemas` directory copied out of the clone below; it is
      # not the git ref that gets cloned.
      # renovate: datasource=github-releases depName=garethahealy/openshift-json-schema
      OCP_SCHEMA_VERSION: "4.16.0"
    steps:
      # `audit` only records outbound connections; it does not block them.
      # NOTE(review): once the audit log shows the endpoints this job needs,
      # `egress-policy: block` plus `allowed-endpoints` would enforce them.
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@34a30e8a924d1b03ce2cf7abe97250bbb1f332b5 # v2.2.0
        with:
          version: ${{ env.OPA_VERSION }}

      - name: Setup Regal
        uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 # v1.0.0
        with:
          version: ${{ env.REGAL_VERSION }}

      # The schema directory is populated at run time so the generated JSON
      # schemas do not have to be committed to this repository.
      # NOTE(review): the clone fetches the repository's default branch; no
      # tag or commit is pinned, so the copied schemas can change between runs
      # even though OCP_SCHEMA_VERSION stays fixed. Pinning the clone to a
      # release ref would make this step reproducible.
      - name: Clone schemas
        run: |
          if ! [ -d "_test/schema-generation/openshift-json-schema" ]; then
            mkdir -p "_test/schema-generation/openshift-json-schema"
            rm -rf /tmp/openshift-json-schema
            # Download openshift-json-schema dynamically so it doesn't need to be added into source
            git clone --depth 1 https://github.com/garethahealy/openshift-json-schema.git /tmp/openshift-json-schema
            mv "/tmp/openshift-json-schema/v${OCP_SCHEMA_VERSION}/schemas/"* _test/schema-generation/openshift-json-schema
          fi

      # --strict turns OPA's compiler warnings into errors; --schema validates
      # `input` references against the cloned JSON schemas.
      - name: Run OPA Check
        run: opa check policy --strict --schema _test/schema-generation/openshift-json-schema

      - name: Run Regal lint
        run: regal lint --format github policy