Skip to content

Add Regal linting in CI pipeline #616

Add Regal linting in CI pipeline

Add Regal linting in CI pipeline #616

Workflow file for this run

name: pr-tests
on:
push:
branches: [ master, main ]
pull_request:
# run for every chnage in the PR
types: [ opened, synchronize, reopened, ready_for_review ]
# Do not run the pipeline if only Markdown files changed
paths-ignore: ['**.md']
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
REGO_ARTIFACT_KEY_NAME: rego_artifact
REGO_ARTIFACT_PATH: releaseDev
jobs:
# testing link checks
markdown-link-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- name: Check links
uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368
with:
use-verbose-mode: 'yes'
# main job of testing and building the env.
test_pr_checks:
# needs: [markdown-link-check]
permissions:
pull-requests: write
uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main
with:
GO_VERSION: 1.19
BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/...
secrets: inherit
# test-coverage:
# needs: [test_pr_checks]
# uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main
# if: |
# ${{ (always() &&
# (contains(needs.*.result, 'success')) &&
# !(contains(needs.*.result, 'skipped')) &&
# !(contains(needs.*.result, 'failure')) &&
# !(contains(needs.*.result, 'cancelled'))) }}
# with:
# COVERAGELIMIT: "58"
# SHA: ${{ github.sha }}
build-and-rego-test:
name: Build and test rego artifacts
runs-on: ubuntu-latest
if: |
${{ (always() &&
(contains(needs.*.result, 'success')) &&
!(contains(needs.*.result, 'skipped')) &&
!(contains(needs.*.result, 'failure')) &&
!(contains(needs.*.result, 'cancelled'))) }}
# needs: [test_pr_checks]
outputs:
REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }}
REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }}
steps:
- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
name: checkout repo content
with:
token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
# Test using Golang OPA hot rule compilation
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
with:
go-version: 1.19
# testing rego library
- name: Test Regoes
working-directory: testrunner
run: |
apt update && apt install -y cmake
GOPATH=$(go env GOPATH) make
- name: Set up Regal
uses: StyraInc/[email protected]
with:
version: v0.10.1
- name: Lint Rego
run: regal lint --format github rules
- name: setup python
uses: actions/setup-python@v4
with:
python-version: 3.10.6
# validate control-ID duplications
- run: python ./scripts/validations.py
# generating subsections ids
- name: Update frameworks subsections
run: bash ./scripts/generate_subsections_ids.sh
# run export script to generate regolibrary artifacts
# releaseDev clean up is for old compatability. should be removed at end of 2023.
- name: Run export script
run: |
OUTPUT=pre-release python ./scripts/export.py
rm -r -f releaseDev
cp -R pre-release releaseDev
- name: Set outputs
id: set_outputs
run: |
echo "REGO_ARTIFACT_KEY_NAME=${{ env.REGO_ARTIFACT_KEY_NAME }}" >> $GITHUB_OUTPUT
echo "REGO_ARTIFACT_PATH=${{ env.REGO_ARTIFACT_PATH }}" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/[email protected]
name: Upload artifact
with:
name: ${{ env.REGO_ARTIFACT_KEY_NAME }}
path: ${{ env.REGO_ARTIFACT_PATH }}/
if-no-files-found: error
# test kubescape with regolibrary artifacts
ks-and-rego-test:
uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main
if: |
${{ (always() &&
(contains(needs.*.result, 'success')) &&
!(contains(needs.*.result, 'skipped')) &&
!(contains(needs.*.result, 'failure')) &&
!(contains(needs.*.result, 'cancelled'))) }}
needs: [build-and-rego-test]
with:
DOWNLOAD_ARTIFACT_KEY_NAME: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_KEY_NAME }}
BINARY_TESTS: '[ "scan_nsa",
"scan_mitre",
"scan_with_exceptions",
"scan_repository",
"scan_local_file",
"scan_local_glob_files",
"scan_nsa_and_submit_to_backend",
"scan_mitre_and_submit_to_backend",
"scan_local_repository_and_submit_to_backend",
"scan_repository_from_url_and_submit_to_backend",
"host_scanner",
"scan_local_list_of_files",
"scan_compliance_score"
]'
DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }}
secrets: inherit
clean-up:
name: Remove pre-release folder and clean up
runs-on: ubuntu-latest
needs: [ks-and-rego-test]
steps:
- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
name: checkout repo content
with:
token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
- name: Remove pre-release folder
run: rm -r -f pre-release