From 3981beb340078cebe7ad3836d478eed78374cdb6 Mon Sep 17 00:00:00 2001 From: Sebastian Spaink Date: Mon, 6 Jul 2026 17:00:14 -0500 Subject: [PATCH] ci: test and type-check Rego policy on PRs tools/policy/ contains the Rego that drives this workflow's own change filter, but nothing tested it. Add a rego-policy job that runs 'opa check --strict' and 'opa test' so a parse/type error or broken rule can't silently break CI gating. Signed-off-by: Sebastian Spaink --- .github/workflows/pull-request.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index e5d0be9e..8ad7b9c7 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -95,6 +95,25 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 + rego-policy: + name: Rego Policy Tests + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - name: Download OPA + uses: open-policy-agent/setup-opa@b2b258e089860efaadaaf71bf6e3aecb4a3eeff1 # v2.4.0 + with: + version: latest + # tools/policy/ holds the Rego that drives this workflow's own change + # filter. A parse/type error or a broken rule there would silently break + # CI gating, so type-check it strictly and run its unit tests. + - name: Check policy + run: opa check --strict tools/policy/ + - name: Test policy + run: opa test tools/policy/ -v + lint: name: Checkstyle & PMD runs-on: ubuntu-latest @@ -220,6 +239,7 @@ jobs: needs: - check-changes - gh-actions-lint + - rego-policy - lint - validate-pom - test-opa-evaluator