From f08f3e818fc1bd337e950a1aee8982f66e5024ff Mon Sep 17 00:00:00 2001
From: John Reese
Date: Wed, 12 Mar 2025 10:42:52 -0400
Subject: [PATCH 1/5] Update action dependencies
---
 .github/workflows/pull_request.yaml | 8 ++++----
 Dockerfile | 4 ++--
 action.yml | 4 +++-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index be177aa..c0a0bb1 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -7,12 +7,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: setup go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v5
 with:
- go-version: 1.15.x
+ go-version: 1.24
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: unit test
 run: go test -v ./...
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: run action
 uses: './'
diff --git a/Dockerfile b/Dockerfile
index d9bec3a..3b1f5bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-FROM instrumenta/conftest:v0.20.0 as conftest
+FROM openpolicyagent/conftest:v0.58.0 AS conftest
-FROM golang:1.15-alpine as builder
+FROM golang:1.24-alpine AS builder
 COPY --from=conftest /conftest /usr/local/bin/conftest
 COPY main.go .
 RUN go build -o /entrypoint main.go
diff --git a/action.yml b/action.yml
index 6df4a3b..d865adf 100644
--- a/action.yml
+++ b/action.yml
@@ -3,7 +3,8 @@ description: "Easily run Conftest, pull remote policies, surface the results, an
 branding:
 icon: "check-square"
 color: "purple"
-inputs:
+
+inputs:
 files:
 description: "Files and/or folders for Conftest to test (space delimited)"
 required: true
@@ -59,6 +60,7 @@ inputs:
 description: "Name of the key in the details object that stores the policy ID"
 default: "policyID"
 required: false
+
 runs:
 using: 'docker'
 image: 'Dockerfile'
From 3f07d69b1dfc2b5c125a209e6fd7b7665a0fe905 Mon Sep 17 00:00:00 2001
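Review bot: The two new `FROM` lines in the Dockerfile hunk pin by mutable tag only (`openpolicyagent/conftest:v0.58.0`, `golang:1.24-alpine`), and the binary copied out of the first stage by `COPY --from=conftest /conftest /usr/local/bin/conftest` is the one the action executes, so whoever can move that tag controls what runs in every consumer's pipeline. Pin each stage by digest in addition to the tag, e.g. `FROM openpolicyagent/conftest:v0.58.0@sha256:<digest-placeholder> AS conftest`, and refresh the digest when the tag is bumped. The `actions/setup-go@v5` and `actions/checkout@v4` references in the workflow hunks of this same patch have the same property; a full commit SHA with the version in a trailing comment is the usual way to keep them reproducible.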
From: John Reese
Date: Wed, 12 Mar 2025 11:26:44 -0400
Subject: [PATCH 2/5] Add Go module
---
 go.mod | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 go.mod
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..dccb5e0
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module github.com/YubicoLabs/action-conftest
+
+go 1.22.2
From 085657e6ea3105beb22f72ffaa29ff18787c19b4 Mon Sep 17 00:00:00 2001
From: John Reese
Date: Wed, 12 Mar 2025 11:32:27 -0400
Subject: [PATCH 3/5] Disable Go caching
---
 .github/workflows/pull_request.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index c0a0bb1..d0b985d 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -10,6 +10,7 @@ jobs:
 uses: actions/setup-go@v5
 with:
 go-version: 1.24
+ cache: false
 - name: checkout
 uses: actions/checkout@v4
From 7549714b7f7801f2910da5181e23c60eba44e7ef Mon Sep 17 00:00:00 2001
From: John Reese
Date: Wed, 12 Mar 2025 11:41:55 -0400
Subject: [PATCH 4/5] Resolve pipeline test error
---
 .github/workflows/pull_request.yaml | 1 +
 main.go | 39 ++++++++++++++++-------------
 2 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index d0b985d..4f7d82a 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -32,6 +32,7 @@ jobs:
 - name: run action
 uses: './'
 with:
+ add-comment: false
 files: '.github/test/resources'
 policy: '.github/test/policy/always_warn.rego'
 gh-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/main.go b/main.go
index 47cbad2..2fbcc5d 100644
--- a/main.go
+++ b/main.go
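Review bot: The new go.mod declares `go 1.22.2`, which is lower than the toolchain everything else in this series builds with (`go-version: 1.24` in the workflow, `golang:1.24-alpine` in the Dockerfile), so the module advertises 1.22 compatibility that no job verifies. That is valid Go, but it is easy to drift: either align the directive with the build (`go 1.24`) or keep it deliberately low and say so in a comment next to it. The three-line file has no `require` block, which is consistent with main.go importing only the standard library as far as the hunks here show.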
@@ -35,24 +35,29 @@ type commentData struct {
 DocsURL string
 }
-type jsonResult struct {
+// Result describes the result of a single rule evaluation.
+type Result struct {
 Message string `json:"msg"`
 Metadata map[string]interface{} `json:"metadata,omitempty"`
+ Outputs []string `json:"outputs,omitempty"`
 }
-type jsonCheckResult struct {
- Filename string `json:"filename"`
- Successes []jsonResult `json:"successes"`
- Warnings []jsonResult `json:"warnings,omitempty"`
- Failures []jsonResult `json:"failures,omitempty"`
+type CheckResult struct {
+ FileName string `json:"filename"`
+ Namespace string `json:"namespace"`
+ Successes int `json:"successes"`
+ Skipped []Result `json:"skipped,omitempty"`
+ Warnings []Result `json:"warnings,omitempty"`
+ Failures []Result `json:"failures,omitempty"`
+ Exceptions []Result `json:"exceptions,omitempty"`
 }
 type metricsSubmission struct {
- SourceID string `json:"sourceID"`
- Successes int `json:"successes,omitempty"`
- Warnings metricsSeverity `json:"warns,omitempty"`
- Failures metricsSeverity `json:"fails,omitempty"`
- Details []jsonCheckResult `json:"details,omitempty"`
+ SourceID string `json:"sourceID"`
+ Successes int `json:"successes,omitempty"`
+ Warnings metricsSeverity `json:"warns,omitempty"`
+ Failures metricsSeverity `json:"fails,omitempty"`
+ Details []CheckResult `json:"details,omitempty"`
 }
 type metricsSeverity struct {
@@ -111,10 +116,10 @@ func run() error {
 var fails, warns []string
 var successes int
 for _, result := range results {
- successes += len(result.Successes)
+ successes += result.Successes
 for _, fail := range result.Failures {
- fails = append(fails, fmt.Sprintf("%s - %s", result.Filename, fail.Message))
+ fails = append(fails, fmt.Sprintf("%s - %s", result.FileName, fail.Message))
 policyID, err := getPolicyIDFromMetadata(fail.Metadata, policyIDKey)
 if err != nil {
 continue
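Review bot: `CheckResult` is exported without a doc comment while the neighbouring `Result` gets one, so `go vet`/lint will flag it and the two public types read inconsistently; add `// CheckResult is the per-file outcome of a conftest run, as decoded from its JSON output.` above the type. Because `metricsSubmission.Details` is now `[]CheckResult`, the payload posted to the metrics sink silently grows to include `namespace`, `skipped`, `exceptions` and the per-rule `outputs` array, the last of which presumably carries free-form text produced by the policies themselves; worth confirming that the receiving side expects these, or trimming to the fields it needs before submission. The `run` function in the second hunk continues outside the hunk on both sides.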
@@ -125,7 +130,7 @@ func run() error {
 }
 for _, warn := range result.Warnings {
- warns = append(warns, fmt.Sprintf("%s - %s", result.Filename, warn.Message))
+ warns = append(warns, fmt.Sprintf("%s - %s", result.FileName, warn.Message))
 policyID, err := getPolicyIDFromMetadata(warn.Metadata, policyIDKey)
 if err != nil {
 continue
@@ -264,7 +269,7 @@ func runConftestPull(url string) error {
 return nil
 }
-func runConftestTest() ([]jsonCheckResult, error) {
+func runConftestTest() ([]CheckResult, error) {
 args := []string{"test", "--no-color", "--output", "json"}
 flags := getFlagsFromEnv()
 args = append(args, flags...)
@@ -274,9 +279,9 @@ func runConftestTest() ([]jsonCheckResult, error) {
 cmd := exec.Command("conftest", args...)
 out, _ := cmd.CombinedOutput() // intentionally ignore errors so we can parse the results
- var results []jsonCheckResult
+ var results []CheckResult
 if err := json.Unmarshal(out, &results); err != nil {
- return nil, fmt.Errorf("%s", string(out))
+ return nil, fmt.Errorf("%s -- error is: %v", string(out), err)
 }
 return results, nil
From c87c98dcc25f905ad77c5daf127cc0c9714ee152 Mon Sep 17 00:00:00 2001
From: John Reese
Date: Mon, 17 Mar 2025 12:49:40 -0400
Subject: [PATCH 5/5] Add pull URL
---
 .github/workflows/pull_request.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 4f7d82a..1a55c2d 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -34,6 +34,7 @@ jobs:
 with:
 add-comment: false
 files: '.github/test/resources'
+ pull-url: 'https://github.com/YubicoLabs/action-conftest/tree/main/.github/test/policy'
 policy: '.github/test/policy/always_warn.rego'
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 gh-comment-url: ${{ github.event.pull_request.comments_url }}
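Review bot: The rewritten error in the last `runConftestTest` hunk formats `err` with `%v`, which flattens the `*json.SyntaxError`/`*json.UnmarshalTypeError` so callers cannot `errors.As` it, and it puts the raw multi-line conftest output before the cause, so the useful part lands at the end of a potentially long message. Put the context first and wrap: `return nil, fmt.Errorf("parsing conftest output: %w (output: %q)", err, out)`. Since the exit status of `cmd.CombinedOutput()` is discarded on the line above, a missing or crashing `conftest` binary also surfaces only here, as an unmarshal failure on empty or partial output; extending the existing comment on that line to say so would save the next reader a debugging session. The function's opening lines are in the preceding hunk and its closing brace is outside this one.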
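Review bot: The added `pull-url` points at `tree/main`, a moving ref, so this job fetches whichever policy is on main at run time rather than the revision under review, while `policy:` on the next line already names the checked-out copy of the same directory. If the intent is simply to exercise the pull path, a comment saying so would prevent someone from "fixing" it later; if the pulled policies are meant to match the PR, reference a fixed commit instead, e.g. `tree/<commit-sha-placeholder>/.github/test/policy`.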