Add v1

Author: James Alseth

.github/test/policy/always_warn.rego

@@ -0,0 +1,3 @@
+package always_warn
+
+warn["a warning! you should probably fix this"]

.github/test/resources/test.yaml

@@ -0,0 +1 @@
+name: test

.github/workflows/pull_request.yaml

@@ -0,0 +1,40 @@
+name: Pull Request
+on: ["pull_request"]
+
+jobs:
+  go-tests:
+    name: Go Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: setup go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.14.x
+
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: unit test
+        run: go test -v ./...
+
+      - name: test build
+        run: go build -o build/action-conftest
+
+      - name: test docker build
+        run: docker build .
+
+  test-run-action:
+    name: Test the Action
+    needs: go-tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+
+      - name: run action
+        uses: './'
+        with:
+          files: '.github/test/resources'
+          policy: '.github/test/policy/always_warn.rego'
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+          gh-comment-url: ${{ github.event.pull_request.comments_url }}

.gitignore

@@ -0,0 +1,2 @@
+build
+gcs.json

Dockerfile

@@ -0,0 +1,10 @@
+FROM instrumenta/conftest:latest as conftest
+
+FROM golang:1.14-alpine as builder
+COPY main.go .
+RUN go build -o /entrypoint
+
+FROM alpine:3
+COPY --from=conftest /conftest /usr/local/bin/conftest
+COPY --from=builder /entrypoint /usr/local/bin/entrypoint
+CMD [ "/usr/local/bin/entrypoint" ]

LICENSE

@@ -174,28 +174,3 @@
       of your accepting any such warranty or additional liability.
 
    END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

README.md

@@ -1,2 +1,67 @@
 # action-conftest
-A GitHub Action for easily using conftest in your CI
+
+A GitHub Action for easily using [conftest](https://github.com/open-policy-agent/conftest) in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request.
+
+**NOTE:** This action only supports pull secrets for S3, GCS, and HTTP remotes. If you are pulling from an OCI registry, it is assumed that you have already authenticated using `docker login` in a previous step in the GitHub Actions `job` and you should not supply a `pull-secret` argument.
+
+## Options
+
+| Option         | Description                                    | Default | Required               |
+|----------------|------------------------------------------------|---------|------------------------|
+| files          | Files for Conftest to test (space delimited)   |         | yes                    |
+| policy         | Where to find the policy folder or file        | policy  | no                     |
+| data           | Files or folder with supplemental test data    |         | no                     |
+| all-namespaces | Whether to use all namespaces in testing       | true    | no                     |
+| combine        | Whether to combine input files                 | false   | no                     |
+| pull-url       | URL to pull policies from                      |         | no                     |
+| pull-secret    | Secret that allows the policies to be pulled   |         | no                     |
+| add-comment    | Whether or not to add a comment to the PR      | true    | no                     |
+| docs-url       | Documentation URL to link to in the PR comment |         | no                     |
+| gh-token       | Token to authorize adding the PR comment       |         | if add-comment is true |
+| gh-comment-url | The URL of the comments for the PR             |         | if add-comment is true |
+
+## Example Usage
+
+### Using policies already in the repo
+
+This is a basic example. It assumes the policies already exist in the repository in the default `policy/` directory.
+
+```yaml
+name: conftest
+on: [pull_request]
+jobs:
+  conftest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: conftest
+        uses: YubicoLabs/action-conftest@v1
+        with:
+          files: some_deployment.yaml another_resource.yaml
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+          gh-comment-url: ${{ github.event.pull_request.comments_url }}
+```
+
+### Pulling policies from a Google Cloud Storage bucket
+
+This example shows pulling the policy directory from a GCS bucket. In this case, the `pull-secret` variable is the JSON key for a service account with read acccess to the bucket.
+
+```yaml
+name: conftest-with-pull
+on: [pull_request]
+jobs:
+  conftest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: conftest
+        uses: YubicoLabs/action-conftest@v1
+        with:
+          files: some_deployment.yaml another_resource.yaml
+          pull-url: gcs::https://www.googleapis.com/storage/v1/bucket_name/policy
+          pull-secret: ${{ secrets.POLICY_PULL_SECRET }}
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+          gh-comment-url: ${{ github.event.pull_request.comments_url }}
+```

action.yml

@@ -0,0 +1,47 @@
+name: "Conftest"
+description: "Write tests against structured configuration data using Open Policy Agent"
+branding:
+  icon: "check"
+  color: "green"
+inputs: 
+  files:
+    description: "Files for Conftest to test (space delimited)"
+    required: true
+  policy:
+    description: "Where to find the policy folder or file"
+    default: "policy"
+  data:
+    description: "Files or folder with supplemental test data"
+  all-namespaces:
+    description: "Whether to use all namespaces in testing"
+    default: true
+  combine:
+    description: "Whether to combine input files"
+  pull-url:
+    description: "URL to pull policies from"
+  pull-secret:
+    description: "Secret that allows the policies to be pulled"
+  add-comment:
+    description: "Whether or not to add a comment to the PR"
+    default: true
+  docs-url:
+    description: "The URL where users can find out more about the policies"
+  gh-token:
+    description: "The token that allows us to post a comment in the PR"
+  gh-comment-url:
+    description: "The URL of the comments for the PR"
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  env:
+    FILES: ${{ inputs.files }}
+    POLICY: ${{ inputs.policy }}
+    DATA: ${{ inputs.data }}
+    ALL_NAMESPACES: ${{ inputs.all-namespaces }}
+    COMBINE: ${{ inputs.combine }}
+    PULL_URL: ${{ inputs.pull-url }}
+    PULL_SECRET: ${{ inputs.pull-secret }}
+    ADD_COMMENT: ${{ inputs.add-comment }}
+    DOCS_URL: ${{ inputs.docs-url }}
+    GITHUB_TOKEN: ${{ inputs.gh-token }}
+    GITHUB_COMMENT_URL: ${{ inputs.gh-comment-url }}