diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..a9da618
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,10 @@
+## Type of changes
+
+Choose one of the below, or leave them empty:
+
+- [ ] New feature proposal
+- [ ] Bug fix
+- [ ] Minor improvements
+- [ ] Refactoring (no functional changes)
+- [ ] Non-code changes (updating documentation, workflows, etc.)
+
diff --git a/.github/workflows/check-remote.yaml b/.github/workflows/check-remote.yaml
new file mode 100644
index 0000000..6e71bab
--- /dev/null
+++ b/.github/workflows/check-remote.yaml
@@ -0,0 +1,144 @@ +name: Check remote repositories and create corresponding tag + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + # If any commit message in your push or the HEAD commit of your PR contains the strings + # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] + # workflows triggered on the push or pull_request events will be skipped. + # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ + schedule: + - cron: '0 21 * * *' # Friday 21:00 UTC, Saturday 06:00 JST + workflow_dispatch: + +env: + DOCKER_REGISTRY_URL: ghcr.io + TARGET_TAG: "" + SOURCE_GITHUB_REPOSITORY: open-policy-agent/opa + GIT_SUBMODULE_URL: https://github.com/openpolicyagent/opa.git + GIT_SUBMODULE_PATH: opa + +jobs: + build: + + runs-on: ubuntu-latest + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions + permissions: + actions: write + checks: none + contents: write + deployments: none + issues: none + discussions: none + packages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + + steps: + # A GitHub Action to expose useful environment variables. 
+ # https://github.com/FranzDiebold/github-env-vars-action + - + name: GitHub Environment Variables Action + id: env + # uses: https://github.com/FranzDiebold/github-env-vars-action/tags + uses: FranzDiebold/github-env-vars-action@v2 + + # A GitHub Action to check remote repositories + - + name: Check remote repositories + id: check + if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }} + run: | + # Get latest release tag with: + # curl -s https://api.github.com/repos/AthenZ/athenz/releases \ + # | jq -r .[].tag_name \ + # | grep -E ".*(v[0-9]*.[0-9]*.[0-9]*).*" \ + # | sed -e 's/.*\(v[0-9]*.[0-9]*.[0-9]*\).*/\1/g' \ + # | head -n1 + if [[ "${{ env.CI_REF }}" == "refs/tags/"* ]] && [[ "$(basename ${{ env.CI_REF }})" =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+)(-[a-z]+)?(\.[0-9]+)?$ ]]; then + PACKAGE_VERSION="$(git tag --points-at HEAD | sed -e 's/.*v\([0-9]*.[0-9]*.[0-9]*\).*/\1/g')" + TAG_VERSION="$(git tag --points-at HEAD | sed -e 's/.*\(v[0-9]*.[0-9]*.[0-9]*\).*/\1/g')" + else + PACKAGE_VERSION="$( \ + curl -s https://api.github.com/repos/${{ env.SOURCE_GITHUB_REPOSITORY }}/releases \ + | jq -r .[].tag_name \ + | grep -E ".*(v[0-9]*.[0-9]*.[0-9]*).*" \ + | sed -e 's/.*v\([0-9]*.[0-9]*.[0-9]*\).*/\1/g' \ + | sort -ru \ + | head -n1 \ + )" + TAG_VERSION="$( \ + curl -s https://api.github.com/repos/${{ env.SOURCE_GITHUB_REPOSITORY }}/releases \ + | jq -r .[].tag_name \ + | grep -E ".*(v[0-9]*.[0-9]*.[0-9]*).*" \ + | sed -e 's/.*\(v[0-9]*.[0-9]*.[0-9]*\).*/\1/g' \ + | sort -ru \ + | head -n1 \ + )" + fi + CURRENT_VERSION="$( \ + curl -s https://api.github.com/repos/${{ env.CI_REPOSITORY_OWNER }}/${{ env.CI_REPOSITORY_NAME }}/releases \ + | jq -r .[].tag_name \ + | grep -E ".*(v[0-9]*.[0-9]*.[0-9]*).*" \ + | sed -e 's/.*v\([0-9]*.[0-9]*.[0-9]*\).*/\1/g' \ + | sort -ru \ + | head -n1 \ + )" + printf "VERSION=${PACKAGE_VERSION}\n" >> $GITHUB_ENV + printf "TAG_VERSION=${TAG_VERSION}\n" >> $GITHUB_ENV + printf 
"CURRENT_VERSION=${CURRENT_VERSION}\n" >> $GITHUB_ENV + + # A GitHub Action to update submodule and commit + - + name: Update submodule and commit + id: update + if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }} + run: | + set -x + git config advice.addIgnoredFile false + git submodule add -f ${{ env.GIT_SUBMODULE_URL }} ${{ env.GIT_SUBMODULE_PATH }} + cd ${{ env.GIT_SUBMODULE_PATH }} && git fetch --refetch --tags ${{ env.GIT_SUBMODULE_URL }} && git checkout ${{ env.TAG_VERSION }} + cd ${GITHUB_WORKSPACE} + git config --global user.name "github-actions" + git config --global user.email "notifications@github.com" + git add -f ${{ env.GIT_SUBMODULE_PATH }} + git commit -m "Updated ${{ env.GIT_SUBMODULE_PATH }} to ${{ env.TAG_VERSION }}" || true + + # A GitHub Action to create git tags + # + # Using the GITHUB_TOKEN in a workflow + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow + # When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. + # This prevents you from accidentally creating recursive workflow runs. + # For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur. 
+ - + name: Create git tag + id: tag + if: ${{ env.CURRENT_VERSION != '' && env.VERSION != '' && env.VERSION != env.CURRENT_VERSION }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -x + git tag -f ${{ env.TAG_VERSION }} + git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }} + git push -f origin tag ${{ env.TAG_VERSION }} + + # A GitHub Action to dispatch event + # https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event + - + name: Trigger Workflows + if: ${{ env.CURRENT_VERSION != '' && env.VERSION != '' && env.VERSION != env.CURRENT_VERSION }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -x + curl --fail -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + https://api.github.com/repos/${{ github.repository }}/actions/workflows/trigger-workflows.yaml/dispatches \ + -d "{\"ref\":\"${{ env.TAG_VERSION }}\",\"inputs\":{\"target_version\":\"${{ env.VERSION }}\",\"current_version\":\"${{ env.CURRENT_VERSION }}\"}}" diff --git a/.github/workflows/github-releases.yaml b/.github/workflows/github-releases.yaml new file mode 100644 index 0000000..5a027e2 --- /dev/null +++ b/.github/workflows/github-releases.yaml 
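Review bot: `GIT_SUBMODULE_URL` points at `github.com/openpolicyagent/opa.git` while `SOURCE_GITHUB_REPOSITORY` is `open-policy-agent/opa`, so the Check step discovers the latest release tag from one GitHub namespace and the Update step fetches, checks out and commits code from another; unless `openpolicyagent` is a mirror you control, the submodule content that this workflow then tags, force-pushes and hands to the release workflow comes from a namespace nothing here verifies. Use one value, `GIT_SUBMODULE_URL: https://github.com/open-policy-agent/opa.git`, and consider checking the upstream tag (`git verify-tag`, or pinning the expected commit) before `git checkout ${{ env.TAG_VERSION }}`. Separately, no `actions/checkout` step precedes `git tag --points-at HEAD` in the Check step or `git submodule add` in the Update step, so on a fresh runner those commands run outside a git work tree; a `uses: actions/checkout@v4` with `fetch-depth: 0` (tags are needed) belongs before them. `sort -ru` on the tag lists is lexical, so `v0.9.0` sorts above `v0.10.0`; `sort -Vru` gives version order. The cron comment says Friday, but `0 21 * * *` runs every day.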
@@ -0,0 +1,137 @@ +name: Create Github Releases with Packages + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + # If any commit message in your push or the HEAD commit of your PR contains the strings + # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] + # workflows triggered on the push or pull_request events will be skipped. + # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ + workflow_call: + pull_request: + branches: + - main + +env: + SOURCE_GITHUB_REPOSITORY: open-policy-agent/opa + +jobs: + build: + + runs-on: ubuntu-latest + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions + permissions: + actions: none + checks: none + contents: write + deployments: none + issues: none + discussions: none + packages: read + pull-requests: none + repository-projects: none + security-events: none + statuses: none + + steps: + # A GitHub Action to expose useful environment variables. + # https://github.com/FranzDiebold/github-env-vars-action + - + name: GitHub Environment Variables Action + id: env + # uses: https://github.com/FranzDiebold/github-env-vars-action/tags + uses: FranzDiebold/github-env-vars-action@v2 + + # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. + # https://github.com/actions/checkout + - + name: Checkout repository + id: checkout + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/checkout/tags + uses: actions/checkout@v4 + with: + submodules: recursive + + # GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflow. + # Open Policy Agent (OPA) is an open source, general-purpose policy engine. 
+ # https://github.com/open-policy-agent/setup-opa + - + name: Setup OPA with latest version + id: setup-opa-latest + if: ${{ github.event.inputs.target_version == '' }} + # uses: https://github.com/open-policy-agent/setup-opa/tags + uses: open-policy-agent/setup-opa@v2 + with: + version: latest + + # GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflow. + # Open Policy Agent (OPA) is an open source, general-purpose policy engine. + # https://github.com/open-policy-agent/setup-opa + - + name: Setup OPA with specific version + id: setup-opa-version + if: ${{ github.event.inputs.target_version != '' }} + # uses: https://github.com/open-policy-agent/setup-opa/tags + uses: open-policy-agent/setup-opa@v2 + with: + version: ${{ github.event.inputs.target_version }} + + # A GitHub Action to Create Open Policy Agent Bundle + # https://nfpm.goreleaser.com/install/#go-install + - + name: Build Open Policy Agent Bundle + id: opa-build + if: ${{ github.event_name != 'pull_request' && github.event.inputs.target_version != '' && github.event.inputs.target_version != github.event.inputs.current_version }} + run: | + set -x + OPA_BUILD_MESSAGE=$(opa build -b policy/ -o bundle.tar.gz --debug 2>&1) + printf "OPA_BUILD_MESSAGE=${OPA_BUILD_MESSAGE}\n" >> $GITHUB_ENV + test -f ./bundle.tar.gz + + # A GitHub Action to create GitHub Release + # https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#create-a-release + - + name: Create GitHub Release + id: create_release + if: ${{ github.event_name != 'pull_request' && github.event.inputs.target_version != '' && github.event.inputs.target_version != github.event.inputs.current_version }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -x + tag=v${{ github.event.inputs.target_version }} + body=$(curl -s https://api.github.com/repos/${SOURCE_GITHUB_REPOSITORY}/releases | jq -r ".[] | select(.tag_name == \"$tag\") | \"# [\"+.name+\"](\"+.html_url+\") ${{ env.OPA_BUILD_MESSAGE 
}}\"") + curl \ + -XPOST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + "https://api.github.com/repos/${CI_REPOSITORY}/releases" \ + -d "{\"tag_name\":\"$tag\",\"name\":\"Release $tag\",\"body\":\"$body\",\"draft\":false,\"prerelease\":false}" + + # A GitHub Action to upload release assets + # https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28#upload-a-release-asset + - + name: Upload GitHub Release Assets + id: upload_release_assets + if: ${{ github.event_name != 'pull_request' && github.event.inputs.target_version != '' && github.event.inputs.target_version != github.event.inputs.current_version }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -x + tag=v${{ github.event.inputs.target_version }} + release_id=$(curl \ + -XGET \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + "https://api.github.com/repos/${CI_REPOSITORY}/releases/tags/$tag" \ + | jq '.id') + curl \ + -XPOST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + -H "Content-Type: $(file --mime-type -b ./bundle.tar.gz)" \ + --data-binary @./bundle.tar.gz \ + "https://uploads.github.com/repos/${CI_REPOSITORY}/releases/$release_id/assets?name=$(basename ./bundle.tar.gz)" diff --git a/.github/workflows/test-identityprovider.yaml b/.github/workflows/test-identityprovider.yaml new file mode 100644 index 0000000..99a7055 --- /dev/null +++ b/.github/workflows/test-identityprovider.yaml 
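Review bot: In the Create GitHub Release step the release body is built by string splicing: `${{ env.OPA_BUILD_MESSAGE }}` (the captured output of `opa build --debug 2>&1`) is expanded by the Actions templater directly into the shell script inside a double-quoted jq program, and the resulting `$body` — which also carries `.name` from the upstream `open-policy-agent/opa` release, i.e. third-party data — is placed unescaped into the JSON `-d` payload. A quote, backslash or newline in either value breaks the request or lets the content escape the string, and a multi-line build message also breaks the earlier `printf "OPA_BUILD_MESSAGE=..." >> $GITHUB_ENV`, which needs the `NAME<<DELIM` form for multi-line values. Values written to `$GITHUB_ENV` are already exported to later steps, so read `"$OPA_BUILD_MESSAGE"` as a shell variable and let jq build both the body and the payload; adding `--fail` to the create call also makes the next step's `jq '.id'` meaningful instead of silently yielding `null`.

```yaml
      run: |
        set -x
        tag="v${{ github.event.inputs.target_version }}"
        body=$(curl -s --fail "https://api.github.com/repos/${SOURCE_GITHUB_REPOSITORY}/releases" \
          | jq -r --arg tag "$tag" --arg msg "$OPA_BUILD_MESSAGE" \
              '.[] | select(.tag_name == $tag) | "# [" + .name + "](" + .html_url + ") " + $msg')
        payload=$(jq -n --arg tag "$tag" --arg body "$body" \
          '{tag_name: $tag, name: ("Release " + $tag), body: $body, draft: false, prerelease: false}')
        curl --fail -XPOST \
          -H "Accept: application/vnd.github+json" \
          -H "Authorization: Bearer $GITHUB_TOKEN" \
          "https://api.github.com/repos/${CI_REPOSITORY}/releases" \
          -d "$payload"
```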
@@ -0,0 +1,131 @@ +name: Test Open Policy Agent Rego for Identity Provider + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + # If any commit message in your push or the HEAD commit of your PR contains the strings + # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] + # workflows triggered on the push or pull_request events will be skipped. + # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ + workflow_call: + workflow_dispatch: + pull_request: + paths: + - .github/workflows/test-identityprovider.yaml + - policy/** + - test/** + +env: + # Use docker.io for Docker Hub if empty + DOCKER_REGISTRY_URL: ghcr.io + # DOCKER_REGISTRY_OWNER: ${{ env.CI_REPOSITORY_OWNER }} + # DOCKER_REGISTRY_IMAGE: ${{ env.CI_REPOSITORY_NAME }} + # DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }} + # DOCKER_TAEGET_PLATFORMS: linux/amd64,linux/arm64 + # DOCKER_BUILD_ARGS: | + SOURCE_GITHUB_REPOSITORY: open-policy-agent/opa + EXPECTED_OPA_TEST_COVERAGE: 90 + +jobs: + build: + + runs-on: ubuntu-latest + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions + permissions: + actions: none + checks: none + contents: read + deployments: none + issues: none + discussions: none + packages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + + steps: + # A GitHub Action to expose useful environment variables. + # https://github.com/FranzDiebold/github-env-vars-action + - + name: GitHub Environment Variables Action + id: env + # uses: https://github.com/FranzDiebold/github-env-vars-action/tags + uses: FranzDiebold/github-env-vars-action@v2 + + # A GitHub Action to prepare default environment variables. 
+ - + name: Set Default Environment Variables + id: default_env + run: | + # Use docker.io for Docker Hub if empty + [[ "${{ env.DOCKER_REGISTRY_URL}}" = "" ]] && echo "DOCKER_REGISTRY_URL=docker.io" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_OWNER }}" = "" ]] && echo "DOCKER_REGISTRY_OWNER=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV + [[ "${{ env.DOCKER_REGISTRY_IMAGE }}" = "" ]] && echo "DOCKER_REGISTRY_IMAGE=${{ env.CI_REPOSITORY_NAME }}" >> $GITHUB_ENV + [[ "${{ secrets.DOCKER_REGISTRY_TOKEN }}" = "" ]] && echo "DOCKER_REGISTRY_URL=ghcr.io" >> $GITHUB_ENV + [[ "${{ secrets.DOCKER_REGISTRY_TOKEN }}" = "" ]] && echo "DOCKER_REGISTRY_OWNER=${{ env.CI_REPOSITORY_OWNER }}" >> $GITHUB_ENV + [[ "${{ secrets.DOCKER_REGISTRY_TOKEN }}" = "" ]] && echo "DOCKER_REGISTRY_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV || echo "DOCKER_REGISTRY_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}" >> $GITHUB_ENV + + # This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. + # https://github.com/actions/checkout + - + name: Checkout repository + id: checkout + # You may pin to the exact commit or the version. + # uses: https://github.com/actions/checkout/tags + uses: actions/checkout@v4 + with: + submodules: recursive + + # GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflow. + # Open Policy Agent (OPA) is an open source, general-purpose policy engine. + # https://github.com/open-policy-agent/setup-opa + - + name: Setup OPA with latest version + id: setup-opa-latest + if: ${{ github.event.inputs.target_version == '' }} + # uses: https://github.com/open-policy-agent/setup-opa/tags + uses: open-policy-agent/setup-opa@v2 + with: + version: latest + + # GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflow. + # Open Policy Agent (OPA) is an open source, general-purpose policy engine. 
+ # https://github.com/open-policy-agent/setup-opa + - + name: Setup OPA with specific version + id: setup-opa-version + if: ${{ github.event.inputs.target_version != '' }} + # uses: https://github.com/open-policy-agent/setup-opa/tags + uses: open-policy-agent/setup-opa@v2 + with: + version: ${{ github.event.inputs.target_version }} + + # A GitHub Action to check and test application + - + name: Run Tests + run: | + # Run tests for Open Policy Agent Rego files + # Replace this with your test command + opa test -v \ + {policy,test}/*.rego \ + {policy,test}/*.yaml + + # A GitHub Action to attest the test coverage of the application + - + name: Run Tests + run: | + # Run tests for Open Policy Agent Rego files and attest the test coverage + # Replace this with your test command + OPA_TEST_COVERAGE=$(opa test -cv \ + {policy,test}/*.rego \ + {policy,test}/*.yaml \ + | jq -r .coverage) + echo "${EXPECTED_OPA_TEST_COVERAGE} < ${OPA_TEST_COVERAGE}" \ + | bc -l \ + | xargs -I% test % = 1 \ + && echo "EXPECTED_OPA_TEST_COVERAGE: ${EXPECTED_OPA_TEST_COVERAGE} < OPA_TEST_COVERAGE: ${OPA_TEST_COVERAGE}" + diff --git a/.github/workflows/trigger-workflows.yaml b/.github/workflows/trigger-workflows.yaml new file mode 100644 index 0000000..a2adcf9 --- /dev/null +++ b/.github/workflows/trigger-workflows.yaml 
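Review bot: The Set Default Environment Variables step copies `secrets.DOCKER_REGISTRY_TOKEN` (or `secrets.GITHUB_TOKEN` as the fallback) into `$GITHUB_ENV` as `DOCKER_REGISTRY_TOKEN`, which exports the token as a plain environment variable to every later step, including the third-party `setup-opa` and `github-env-vars-action` actions, and the `${{ secrets.* }}` expressions are expanded straight into the shell script instead of being passed via `env:`. Nothing in this workflow reads `DOCKER_REGISTRY_*` — the remaining steps only run `opa test` — so the step can be dropped; when a registry login is added later, give the token to that one step with `env: DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}` and read `"$DOCKER_REGISTRY_TOKEN"` in the script. The two test steps share the name `Run Tests`; naming the second `Check test coverage` makes a failed gate identifiable in the run log. The gate uses a strict `<`, so a repository at exactly `EXPECTED_OPA_TEST_COVERAGE` fails; if meeting the threshold should pass, change it to `<=` — confirm which is intended.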
@@ -0,0 +1,71 @@ +name: Trigger Workflows + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + # If any commit message in your push or the HEAD commit of your PR contains the strings + # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip] + # workflows triggered on the push or pull_request events will be skipped. + # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ + push: + # Publish semver tags as releases. + tags: + - 'v[0-9]+.[0-9]+.[0-9]+' + workflow_dispatch: + inputs: + target_version: + description: 'Target version to release this repository e.g. 0.0.0' + required: false + default: '' + type: string + current_version: + description: 'Current released version of this repository e.g. 0.0.0' + required: false + default: '' + type: string + +jobs: + + # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + test-identityprovider: + name: "Test Open Policy Agent Rego" + uses: ./.github/workflows/test-identityprovider.yaml + secrets: inherit + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions + permissions: + actions: none + checks: none + contents: read + deployments: none + issues: none + discussions: none + packages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + + # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + github-releases: + name: "Create Github Releases with Packages" + needs: + - test-identityprovider + if: ${{ github.ref_type == 'tag' || github.event_name == 'workflow_dispatch' }} + uses: ./.github/workflows/github-releases.yaml + secrets: inherit + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions + 
permissions: + actions: none + checks: none + contents: write + deployments: none + issues: none + discussions: none + packages: read + pull-requests: none + repository-projects: none + security-events: none + statuses: none
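Review bot: On the `push: tags:` trigger `github.event.inputs.target_version` is empty, and every release step in the called `github-releases.yaml` is gated on `github.event.inputs.target_version != ''`, so pushing a `vX.Y.Z` tag by hand runs the tests and then creates no release; either derive the version in this caller (pass it with `with:` after declaring `inputs:` under `workflow_call` in the callee) or drop the `push` trigger so the only release path is the dispatch issued by `check-remote.yaml`. `secrets: inherit` on `test-identityprovider` hands every repository secret to a job that needs only `contents: read` and runs `opa test`; remove it there and keep it on `github-releases` alone. `target_version` and `current_version` are free-form strings that the callee interpolates into `run:` lines via `${{ }}` (for example `tag=v${{ github.event.inputs.target_version }}`); even though dispatch requires write access, a small validation job that rejects values not matching `^[0-9]+\.[0-9]+\.[0-9]+$` before `github-releases` runs is cheap insurance.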