
Commit 785b437

Author: James Alseth
Add support for pushing metrics to a remote server (#3)
* Bump to Go 1.15
* Add support for pushing metrics to a remote server
1 parent 734668c commit 785b437


8 files changed (+278 −84 lines)


.github/test/policy/always_warn.rego

Lines changed: 8 additions & 1 deletion
@@ -1,3 +1,10 @@
11
package always_warn
22

3-
warn["a warning! you should probably fix this"]
3+
warn[msg] {
4+
msg := {
5+
"msg": "a warning! you should probably fix this",
6+
"details": {"policyID": "P0000"}
7+
}
8+
9+
true
10+
}
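Review bot: the trailing `true` in the new `warn[msg]` body is redundant; the `msg := {...}` assignment is already a complete rule body, so that line can be dropped. A short comment on why the fixture now emits an object with a `details.policyID` field instead of a plain string would also help, since that shape is what the new `policy-id-key` input (default `policyID`) reads when metrics are built; without the comment the fixture change looks arbitrary.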

.github/workflows/pull_request.yaml

Lines changed: 1 addition & 4 deletions
@@ -9,7 +9,7 @@ jobs:
99
- name: setup go
1010
uses: actions/setup-go@v2
1111
with:
12-
go-version: 1.14.x
12+
go-version: 1.15.x
1313

1414
- name: checkout
1515
uses: actions/checkout@v2
@@ -20,9 +20,6 @@ jobs:
2020
- name: test build
2121
run: go build -o build/action-conftest
2222

23-
- name: test docker build
24-
run: docker build .
25-
2623
test-run-action:
2724
name: Test the Action
2825
needs: go-tests
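Review bot: removing the `test docker build` step drops the only CI check that the Dockerfile builds, in the same commit that rewrites the Dockerfile to compile `main.go` inside the `golang:1.15-alpine` stage. Unless the image is built elsewhere in the workflow, keep `run: docker build .` so a broken Dockerfile is caught before the action is tagged.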

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -1,2 +1,3 @@
11
build
22
gcs.json
3+
*.env
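Review bot: ignoring `*.env` is sensible if local runs keep values such as the metrics bearer token in a `.env` file, but an ignore rule does not untrack files that are already committed; check with `git ls-files '*.env'` that none are in the tree, and note in the README that `.env` is for local use only.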

Dockerfile

Lines changed: 4 additions & 7 deletions
@@ -1,10 +1,7 @@
11
FROM instrumenta/conftest:v0.20.0 as conftest
22

3-
FROM golang:1.14-alpine as builder
4-
COPY main.go .
5-
RUN go build -o /entrypoint
6-
7-
FROM alpine:3
3+
FROM golang:1.15-alpine as builder
84
COPY --from=conftest /conftest /usr/local/bin/conftest
9-
COPY --from=builder /entrypoint /usr/local/bin/entrypoint
10-
CMD [ "/usr/local/bin/entrypoint" ]
5+
COPY main.go .
6+
RUN go build -o /entrypoint main.go
7+
CMD [ "/entrypoint" ]
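Review bot: the final stage is gone, so the image the action runs in is now the `golang:1.15-alpine` builder itself, carrying the full Go toolchain and the source next to conftest, and the `as builder` alias is left unused. Keep the previous two-stage layout (`FROM alpine:3` plus `COPY --from=builder /entrypoint /usr/local/bin/entrypoint`) so the runtime image contains only the two binaries; it is smaller and has far less in it to patch.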

README.md

Lines changed: 43 additions & 16 deletions
@@ -1,24 +1,30 @@
11
# action-conftest
22

3-
A GitHub Action for easily using [conftest](https://github.com/open-policy-agent/conftest) in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request.
3+
A GitHub Action for easily using [conftest](https://github.com/open-policy-agent/conftest) in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request. Additionally, the action can submit metrics for the results of the tests to a remote server for analysis of the rate of failures and warnings, which is useful when deploying new policies.
44

55
**NOTE:** This action only supports pull secrets for S3, GCS, and HTTP remotes. If you are pulling from an OCI registry, it is assumed that you have already authenticated using `docker login` in a previous step in the GitHub Actions `job` and you should not supply a `pull-secret` argument.
66

77
## Options
88

9-
| Option | Description | Default | Required |
10-
|----------------|------------------------------------------------|---------|------------------------|
11-
| files | Files for Conftest to test (space delimited) | | yes |
12-
| policy | Where to find the policy folder or file | policy | no |
13-
| data | Files or folder with supplemental test data | | no |
14-
| all-namespaces | Whether to use all namespaces in testing | true | no |
15-
| combine | Whether to combine input files | false | no |
16-
| pull-url | URL to pull policies from | | no |
17-
| pull-secret | Secret that allows the policies to be pulled | | no |
18-
| add-comment | Whether or not to add a comment to the PR | true | no |
19-
| docs-url | Documentation URL to link to in the PR comment | | no |
20-
| gh-token | Token to authorize adding the PR comment | | if add-comment is true |
21-
| gh-comment-url | The URL of the comments for the PR | | if add-comment is true |
9+
| Option | Description | Default | Required |
10+
|-----------------|-----------------------------------------------------------------|----------|------------------------|
11+
| files | Files and/or folders for Conftest to test (space delimited) | | yes |
12+
| policy | Where to find the policy folder or file | policy | no |
13+
| data | Files or folder with supplemental test data | | no |
14+
| all-namespaces | Whether to use all namespaces in testing | true | no |
15+
| combine | Whether to combine input files | false | no |
16+
| pull-url | URL to pull policies from | | no |
17+
| pull-secret | Secret that allows the policies to be pulled | | no |
18+
| add-comment | Whether or not to add a comment to the PR | true | no |
19+
| docs-url | Documentation URL to link to in the PR comment | | no |
20+
| no-fail | Always returns an exit code of 0 (no error) | false | no |
21+
| gh-token | Token to authorize adding the PR comment | | if add-comment is true |
22+
| gh-comment-url | URL of the comments for the PR | | if add-comment is true |
23+
| metrics-url | URL to POST the results to for metrics | | no |
24+
| metrics-source | Unique ID for the source of the metrics (usually the repo name) | | if metrics-url is set |
25+
| metrics-details | Whether to include the full test results in the metrics | false | no
26+
| metrics-token | Bearer token for submitting the metrics | | no |
27+
| policy-id-key | Name of the key in the details object that stores the policy ID | policyID | if metrics-url is set |
2228

2329
## Example Usage
2430

@@ -36,7 +42,7 @@ jobs:
3642
- name: checkout
3743
uses: actions/checkout@v2
3844
- name: conftest
39-
uses: YubicoLabs/action-conftest@v1
45+
uses: YubicoLabs/action-conftest@v2
4046
with:
4147
files: some_deployment.yaml another_resource.yaml
4248
gh-token: ${{ secrets.GITHUB_TOKEN }}
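Review bot: the examples now reference `YubicoLabs/action-conftest@v2`; confirm the `v2` tag is created and published together with this change, otherwise both README examples stop resolving.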
@@ -57,11 +63,32 @@ jobs:
5763
- name: checkout
5864
uses: actions/checkout@v2
5965
- name: conftest
60-
uses: YubicoLabs/action-conftest@v1
66+
uses: YubicoLabs/action-conftest@v2
6167
with:
6268
files: some_deployment.yaml another_resource.yaml
6369
pull-url: gcs::https://www.googleapis.com/storage/v1/bucket_name/policy
6470
pull-secret: ${{ secrets.POLICY_PULL_SECRET }}
6571
gh-token: ${{ secrets.GITHUB_TOKEN }}
6672
gh-comment-url: ${{ github.event.pull_request.comments_url }}
6773
```
74+
75+
### Submitting metrics to a remote server
76+
77+
```yaml
78+
name: conftest-push-metrics
79+
on: [pull_request]
80+
jobs:
81+
conftest:
82+
runs-on: ubuntu-latest
83+
steps:
84+
- name: checkout
85+
uses: actions/checkout@v2
86+
- name: conftest
87+
uses: YubicoLabs/action-conftest@v2
88+
with:
89+
files: some_deployment.yaml another_resource.yaml
90+
gh-token: ${{ secrets.GITHUB_TOKEN }}
91+
gh-comment-url: ${{ github.event.pull_request.comments_url }}
92+
metrics-url: https://your.com/metrics/endpoints/conftest
93+
metrics-source: your-repo-name
94+
```
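Review bot: the new metrics example hard-codes `metrics-source: your-repo-name`; since the README says this is usually the repository name, `${{ github.repository }}` fills it in without per-repository editing. The example also omits `metrics-token`, so readers will copy an unauthenticated setup; show `metrics-token: ${{ secrets.METRICS_TOKEN }}` (a constructed secret name) so the collector can reject submissions that do not carry the token.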

action.yml

Lines changed: 23 additions & 4 deletions
@@ -5,7 +5,7 @@ branding:
55
color: "green"
66
inputs:
77
files:
8-
description: "Files for Conftest to test (space delimited)"
8+
description: "Files and/or folders for Conftest to test (space delimited)"
99
required: true
1010
policy:
1111
description: "Where to find the policy folder or file"
@@ -25,11 +25,24 @@ inputs:
2525
description: "Whether or not to add a comment to the PR"
2626
default: true
2727
docs-url:
28-
description: "The URL where users can find out more about the policies"
28+
description: "URL where users can find out more about the policies"
29+
no-fail:
30+
description: "Always returns an exit code of 0 (no error)"
2931
gh-token:
30-
description: "The token that allows us to post a comment in the PR"
32+
description: "Token that allows us to post a comment in the PR"
3133
gh-comment-url:
32-
description: "The URL of the comments for the PR"
34+
description: "URL of the comments for the PR"
35+
metrics-url:
36+
description: "URL to POST the results to for metrics"
37+
metrics-source:
38+
description: "Unique identifier for the source of the submission"
39+
metrics-details:
40+
description: "Whether to include the full test results in the metrics"
41+
metrics-token:
42+
description: "Bearer token for submitting metrics"
43+
policy-id-key:
44+
description: "Name of the key in the details object that stores the policy ID"
45+
default: "policyID"
3346
runs:
3447
using: 'docker'
3548
image: 'Dockerfile'
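Review bot: the new `no-fail` and `metrics-details` inputs carry no `default: false`, unlike `add-comment` (`default: true`), even though the README lists `false` as their default; add the explicit default so the container does not receive an empty string for them. None of the metrics inputs is marked `required`, which is fine because the README's rule is conditional ("if metrics-url is set"), but that rule then has to be enforced by the entrypoint with a clear error when `metrics-url` is given without `metrics-source`; `main.go` is not among the hunks shown here, so worth confirming it does.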
@@ -43,5 +56,11 @@ runs:
4356
PULL_SECRET: ${{ inputs.pull-secret }}
4457
ADD_COMMENT: ${{ inputs.add-comment }}
4558
DOCS_URL: ${{ inputs.docs-url }}
59+
NO_FAIL: ${{ inputs.no-fail }}
4660
GITHUB_TOKEN: ${{ inputs.gh-token }}
4761
GITHUB_COMMENT_URL: ${{ inputs.gh-comment-url }}
62+
METRICS_URL: ${{ inputs.metrics-url }}
63+
METRICS_SOURCE: ${{ inputs.metrics-source }}
64+
METRICS_DETAILS: ${{ inputs.metrics-details }}
65+
METRICS_TOKEN: ${{ inputs.metrics-token }}
66+
POLICY_ID_KEY: ${{ inputs.policy-id-key }}
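Review bot: `METRICS_TOKEN` is a credential injected into the container environment the same way as `PULL_SECRET` and `GITHUB_TOKEN`; GitHub masks it in the job log only if the caller passes it from `secrets.*`, so say so in the `metrics-token` description or the README. Consider also having the entrypoint refuse a non-HTTPS `METRICS_URL` when a token is set, since the bearer token would otherwise travel in cleartext.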
