diff --git a/.github/workflows/_policy_test.yaml b/.github/workflows/_policy_test.yaml index 4fb17995..9f88a4a3 100644 --- a/.github/workflows/_policy_test.yaml +++ b/.github/workflows/_policy_test.yaml @@ -3,17 +3,21 @@ name: Policy Test on: workflow_call: + jobs: test: runs-on: ubuntu-latest + # permissions: + # id-token: write + # contents: read + # pull-requests: write # required to comment on PRs steps: - name: Checkout source uses: actions/checkout@v4.2.2 - - name: Setup OPA - uses: open-policy-agent/setup-opa@v2.2.0 + - name: Run OPA Rego Tests + uses: masterpointio/github-action-opa-rego-test@main with: - version: latest - - - name: Test - run: opa test ./policy -v + path: ./policy + test_mode: directory # Whether to test the Rego by directory (e.g. opa test ./) or by individual files (e.g. opa test a_test.rego a.rego). Options of `directory` or `file`. + report_untested_files: true # Flag to check & report Rego files that does NOT have corresponding test files. Optional, defaults to false. diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 251ccabe..69523147 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -58,6 +58,10 @@ jobs: uses: ./.github/workflows/_policy_lint.yaml policy_test: + permissions: + id-token: write + contents: read + pull-requests: write # required to comment on PRs # Deduplicate jobs from pull requests and branch pushes within the same repo. if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository uses: ./.github/workflows/_policy_test.yaml
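Review bot: `uses: masterpointio/github-action-opa-rego-test@main` pins a third-party action to a mutable branch, so the code that runs with this job's token can change without any commit to this repository, while the `actions/checkout@v4.2.2` step just above it and the `setup-opa@v2.2.0` step it replaces are version-pinned. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: masterpointio/github-action-opa-rego-test@<full-commit-sha> # <release tag>` (placeholders; take the SHA from the action's release you vetted). The four commented-out `# permissions:` lines under `runs-on:` are dead configuration that suggests a grant the workflow does not actually declare; either make them live (see the note on the ci.yaml hunk) or drop them. The two trailing comments on `test_mode:` and `report_untested_files:` are well over 120 columns; move them above the keys they describe.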
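Review bot: The new `permissions:` block grants `id-token: write` to `policy_test`, but neither hunk shows a step that exchanges an OIDC token, and the called workflow's own `permissions:` block is commented out, so the unpinned third-party action receives the caller's full grant. A reusable workflow can only narrow the permissions its caller passes, so either remove `id-token: write` here if the action does not mint a token, or declare the minimal set inside `_policy_test.yaml` itself and keep this block to `contents: read` plus what the action verifiably needs. Note also that the `if:` condition on the line below lets this job run on `pull_request` events only for fork PRs, where `GITHUB_TOKEN` is read-only (in a public repository) regardless of `permissions:`, so `pull-requests: write # required to comment on PRs` will not take effect in exactly the case it targets; the remedy is not `pull_request_target`, which would hand a write token to fork-controlled code. The `policy_test` job definition continues outside the hunk.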