From 1190f0d43fdabc0c86efeeed02e24b035b72c904 Mon Sep 17 00:00:00 2001
From: ninotosh <6128440+ninotosh@users.noreply.github.com>
Date: Wed, 18 Mar 2026 02:02:54 +0900
Subject: [PATCH 1/5] bump conftest (#222)
---
.github/workflows/check-versions.yml | 2 +-
.github/workflows/unit-tests.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/check-versions.yml b/.github/workflows/check-versions.yml
index c555c0a..c5a7693 100644
--- a/.github/workflows/check-versions.yml
+++ b/.github/workflows/check-versions.yml
@@ -44,7 +44,7 @@ jobs:
- name: conftest
uses: ninotosh/check-github-repo-latest-version@v1
with:
- release: open-policy-agent/conftest@v0.66
+ release: open-policy-agent/conftest@v0.67
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: setup-terraform
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index a63c534..bebd0f8 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -24,7 +24,7 @@ jobs:
run:
working-directory: terraform
env:
- CONFTEST_VERSION: 0.66.0
+ CONFTEST_VERSION: 0.67.0
CONFTEST_DOWNLOAD_DIR: ~/conftest
steps:
From 45182fa4a47a677cf7b86f3172e80572d69136ed Mon Sep 17 00:00:00 2001
From: ninotosh <6128440+ninotosh@users.noreply.github.com>
Date: Sat, 21 Mar 2026 06:03:31 +0900
Subject: [PATCH 2/5] downloads a cue binary instead of `go install` (#225)
---
.github/actions/cue/action.yml | 27 ++++++++++++----------------
docker/cue.Dockerfile | 22 +++++++++++++++++-----
2 files changed, 29 insertions(+), 20 deletions(-)
diff --git a/.github/actions/cue/action.yml b/.github/actions/cue/action.yml
index 82d8d51..857261a 100644
--- a/.github/actions/cue/action.yml
+++ b/.github/actions/cue/action.yml
@@ -1,3 +1,5 @@
+name: cue
+description: check format and validate
inputs:
data-file:
required: true
@@ -9,29 +11,24 @@ inputs:
runs:
using: "composite"
steps:
- - id: go-env
- run: |
- echo "GOCACHE=`go env GOCACHE`" >> $GITHUB_OUTPUT
- echo "GOMODCACHE=`go env GOMODCACHE`" >> $GITHUB_OUTPUT
- shell: bash
-
- uses: actions/cache@v5
id: cache
with:
- path: |
- ${{ steps.go-env.outputs.GOCACHE }}
- ${{ steps.go-env.outputs.GOMODCACHE }}
+ path: ~/bin/cue
key: cue-${{ inputs.cue-version }}
- - run: echo "GOBIN=`go env GOPATH`/bin" >> $GITHUB_ENV
- shell: bash
- - run: echo "PATH=$GOBIN:$PATH" >> $GITHUB_ENV
+ - if: steps.cache.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p ~/bin
+ curl -L -o cue.tar.gz https://github.com/cue-lang/cue/releases/download/v${{ inputs.cue-version }}/cue_v${{ inputs.cue-version }}_linux_amd64.tar.gz
+ tar zxf cue.tar.gz
+ cp cue ~/bin/cue
shell: bash
- - run: go install cuelang.org/go/cmd/cue@v${{ inputs.cue-version }}
+
+ - run: echo "PATH=~/bin:$PATH" >> $GITHUB_ENV
shell: bash
- - name: cue fmt
- run: cue fmt --check ${{ inputs.schema-file }}
+ - run: cue fmt --check ${{ inputs.schema-file }}
shell: bash
- run: cue vet --concrete ${{ inputs.schema-file }} ${{ inputs.data-file }}
diff --git a/docker/cue.Dockerfile b/docker/cue.Dockerfile
index d423f42..24de389 100644
--- a/docker/cue.Dockerfile
+++ b/docker/cue.Dockerfile
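Review bot: The tarball fetched in the new download step is unpacked and copied to `~/bin/cue` with no integrity check, and because `actions/cache` keys it only on `cue-${{ inputs.cue-version }}`, whatever lands there is reused by every later run of that version. Pinning the expected SHA-256 and checking it before extraction closes that gap, e.g. `echo "<EXPECTED_SHA256>  cue.tar.gz" | sha256sum -c -` after the `curl` line (the digest taken from the release's published checksums or recorded once and committed), and `curl -fL -o cue.tar.gz …` (`--fail`) makes an HTTP error abort at the download rather than surface as an unreadable archive at `tar`. The same unverified `curl -L` download appears in the docker/cue.Dockerfile hunk of this patch, the docker/conftest.Dockerfile hunk of patch 4/5 and the unit-tests.yml hunk of patch 5/5. The asset name is hard-coded to `_linux_amd64` here while patches 3/5 and 4/5 derive it from `uname -m` in the Dockerfiles; that suits hosted x86_64 runners but deserves a comment on the step such as `# hosted runners are x86_64; a self-hosted arm64 runner would need the arm64 asset`.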
@@ -1,9 +1,21 @@
-FROM golang:1.25-bookworm
+ARG IMAGE=ubuntu:24.04
+
+FROM ${IMAGE} AS cue
ARG CUE_VERSION=0.16.0
+ARG ARCH=arm64
+
+RUN apt update && \
+ apt install -y --no-install-recommends curl ca-certificates
+RUN curl -L -o cue.tar.gz \
+ https://github.com/cue-lang/cue/releases/download/v${CUE_VERSION}/cue_v${CUE_VERSION}_linux_${ARCH}.tar.gz && \
+ tar zxf cue.tar.gz && \
+ cp cue /usr/local/bin && \
+ cue version
+
+FROM ${IMAGE}
+COPY --from=cue /usr/local/bin/cue /usr/local/bin
RUN apt update && \
apt install -y --no-install-recommends bash-completion && \
- echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc
-RUN go install cuelang.org/go/cmd/cue@v${CUE_VERSION} && \
- cue completion bash > /etc/bash_completion.d/cue
-ENTRYPOINT cue
+ echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc && \
+ cue completion bash > /usr/share/bash-completion/completions/cue
From cee930c66827d3ca17a7f000ea0d4b0a810d6ea4 Mon Sep 17 00:00:00 2001
From: ninotosh <6128440+ninotosh@users.noreply.github.com>
Date: Sun, 22 Mar 2026 23:54:26 +0900
Subject: [PATCH 3/5] dynamically obtain a machine architecture (#232)
---
docker/cue.Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/cue.Dockerfile b/docker/cue.Dockerfile
index 24de389..37e977b 100644
--- a/docker/cue.Dockerfile
+++ b/docker/cue.Dockerfile
@@ -2,11 +2,11 @@ ARG IMAGE=ubuntu:24.04
FROM ${IMAGE} AS cue
ARG CUE_VERSION=0.16.0
-ARG ARCH=arm64
RUN apt update && \
apt install -y --no-install-recommends curl ca-certificates
-RUN curl -L -o cue.tar.gz \
+RUN ARCH="$(uname -m | sed 's/aarch64/arm64/; s/x86_64/amd64/')" && \
+ curl -L -o cue.tar.gz \
https://github.com/cue-lang/cue/releases/download/v${CUE_VERSION}/cue_v${CUE_VERSION}_linux_${ARCH}.tar.gz && \
tar zxf cue.tar.gz && \
cp cue /usr/local/bin && \
From 2d0ec20379629efa148d70def133c670da9f3511 Mon Sep 17 00:00:00 2001
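Review bot: `ENTRYPOINT cue` is removed in this hunk and nothing replaces it, so `docker run` on the rebuilt image no longer invokes cue by default, a behaviour change the subject (switching from `go install` to a downloaded binary) does not mention; if it is intended the commit message should say so, otherwise restore it as `ENTRYPOINT ["cue"]`. The conftest.Dockerfile hunk of patch 4/5 drops `ENTRYPOINT [ "conftest" ]` the same way. Both stages also run `apt update` and leave the package index in the layer; ending each RUN with `&& rm -rf /var/lib/apt/lists/*` keeps that out of the final image.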
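Review bot: The new `ARCH="$(uname -m | sed 's/aarch64/arm64/; s/x86_64/amd64/')"` passes any other `uname -m` value through unchanged, so on an unsupported machine the URL names an asset that does not exist, and since `curl -L` lacks `--fail` the HTTP error body is saved as `cue.tar.gz` and the build only stops when `tar` rejects it. Rejecting unknown values right after the assignment makes the failure explicit, e.g. `case "$ARCH" in amd64|arm64) ;; *) echo "unsupported architecture: $ARCH" >&2; exit 1;; esac && \`, and `curl -fL -o cue.tar.gz \` turns a 404 into a download failure. The conftest.Dockerfile hunk of patch 4/5 has the same shape with `sed 's/aarch64/arm64/'`. This RUN instruction continues past the end of the hunk.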
From: ninotosh <6128440+ninotosh@users.noreply.github.com>
Date: Mon, 23 Mar 2026 23:54:46 +0900
Subject: [PATCH 4/5] dynamically obtain a machine architecture
---
docker/conftest.Dockerfile | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docker/conftest.Dockerfile b/docker/conftest.Dockerfile
index 062bdcb..35ec74f 100644
--- a/docker/conftest.Dockerfile
+++ b/docker/conftest.Dockerfile
@@ -2,18 +2,20 @@ ARG IMAGE=ubuntu:24.04
FROM ${IMAGE} AS conftest
ARG CONFTEST_VERSION=0.49.0
+
RUN apt update && \
apt install -y --no-install-recommends curl ca-certificates
-RUN curl -L -o conftest.tar.gz \
- https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz && \
+RUN ARCH="$(uname -m | sed 's/aarch64/arm64/')" && \
+ curl -L -o conftest.tar.gz \
+ https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_${ARCH}.tar.gz && \
tar zxf conftest.tar.gz && \
cp conftest /usr/local/bin && \
conftest --version
FROM ${IMAGE}
COPY --from=conftest /usr/local/bin/conftest /usr/local/bin
+
RUN apt update && \
apt install -y --no-install-recommends bash-completion && \
echo 'source /usr/share/bash-completion/bash_completion' >> /etc/bash.bashrc && \
conftest completion bash > /usr/share/bash-completion/completions/conftest
-ENTRYPOINT [ "conftest" ]
From 9c622b2407421f94180b45ab36ff21e2a928bd11 Mon Sep 17 00:00:00 2001
From: ninotosh <6128440+ninotosh@users.noreply.github.com>
Date: Tue, 24 Mar 2026 00:02:49 +0900
Subject: [PATCH 5/5] caches a binary instead of a directory
---
.github/workflows/unit-tests.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index bebd0f8..06850c1 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
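Review bot: `ARG CONFTEST_VERSION=0.49.0` remains the build default in this hunk while patch 1/5 of the series pins CI to conftest 0.67.0 (`CONFTEST_VERSION: 0.67.0` in unit-tests.yml), so an image built without `--build-arg` validates policies with a much older conftest than the workflows do. Either bump the default to `ARG CONFTEST_VERSION=0.67.0` or, if the value is meant to come from the build pipeline, say so on the line, e.g. `# keep in step with CONFTEST_VERSION in .github/workflows/unit-tests.yml`. That line is context the hunk leaves untouched, so this may be a deliberate split; the new `sed 's/aarch64/arm64/'` mapping itself is consistent with the `Linux_x86_64` asset name the old URL used.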
@@ -25,7 +25,6 @@ jobs:
working-directory: terraform
env:
CONFTEST_VERSION: 0.67.0
- CONFTEST_DOWNLOAD_DIR: ~/conftest
steps:
- uses: actions/checkout@v6
@@ -33,17 +32,17 @@ jobs:
- uses: actions/cache@v5
id: cache
with:
- path: ${{ env.CONFTEST_DOWNLOAD_DIR }}
+ path: ~/bin/conftest
key: conftest-${{ env.CONFTEST_VERSION }}
- if: steps.cache.outputs.cache-hit != 'true'
run: |
- mkdir -p ${{ env.CONFTEST_DOWNLOAD_DIR }}
- cd ${{ env.CONFTEST_DOWNLOAD_DIR }}
+ mkdir -p ~/bin
curl -L -o conftest.tar.gz https://github.com/open-policy-agent/conftest/releases/download/v${{ env.CONFTEST_VERSION }}/conftest_${{ env.CONFTEST_VERSION }}_Linux_x86_64.tar.gz
tar zxf conftest.tar.gz
+ cp conftest ~/bin/conftest
- - run: echo "PATH=${{ env.CONFTEST_DOWNLOAD_DIR }}:$PATH" >> $GITHUB_ENV
+ - run: echo "PATH=~/bin:$PATH" >> $GITHUB_ENV
- run: conftest fmt --check policy