diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 942c3b7..24c32f3 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -95,6 +95,25 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 + rego-policy: + name: Rego Policy Tests + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - name: Download OPA + uses: open-policy-agent/setup-opa@b2b258e089860efaadaaf71bf6e3aecb4a3eeff1 # v2.4.0 + with: + version: latest + # tools/policy/ holds the Rego that drives this workflow's own change + # filter. A parse/type error or a broken rule there would silently break + # CI gating, so type-check it strictly and run its unit tests. + - name: Check policy + run: opa check --strict tools/policy/ + - name: Test policy + run: opa test tools/policy/ -v + dependency-review: name: Dependency Review runs-on: ubuntu-latest @@ -273,6 +292,7 @@ jobs: needs: - check-changes - gh-actions-lint + - rego-policy - dependency-review - lint - validate-pom