Compile and check OPA policies in CI

2025-07-29 22:01:14 +03:00 · 2022-06-02 14:09:06 +02:00
parent 071055ad18
commit 88c2625dc0
2 changed files with 62 additions and 7 deletions
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -61,6 +61,31 @@ jobs:
          command: fetch
          args: --locked

+  opa-lint:
+    name: Lint and test OPA policies
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v3
+
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v1
+        with:
+          version: 0.40.0
+
+      - name: Lint policies
+        run: |
+          cd crates/policy/policies
+          make lint
+
+      - name: Run OPA tests
+        run: |
+          cd crates/policy/policies
+          make test

  rustfmt:
    name: Check style
@ -109,7 +134,7 @@ jobs:

  clippy:
    name: Run Clippy
-    needs: [fetch]
+    needs: [opa-lint, fetch]
    runs-on: ubuntu-latest

    permissions:
@ -129,6 +154,16 @@ jobs:
          profile: minimal
          override: true

+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v1
+        with:
+          version: 0.40.0
+
+      - name: Compile OPA policies
+        run: |
+          cd crates/policy/policies
+          make
+
      - name: Setup Cargo cache
        uses: actions/cache@v3.0.3
        with:
@ -154,7 +189,7 @@ jobs:

  test:
    name: Run test suite with Rust ${{ matrix.toolchain }}
-    needs: [rustfmt, clippy, fetch]
+    needs: [rustfmt, clippy, opa-lint, fetch]
    runs-on: ubuntu-latest

    permissions:
@ -184,6 +219,16 @@ jobs:
          profile: minimal
          override: true

+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v1
+        with:
+          version: 0.40.0
+
+      - name: Compile OPA policies
+        run: |
+          cd crates/policy/policies
+          make
+
      - name: Setup Cargo cache
        uses: actions/cache@v3.0.3
        with:
@ -209,7 +254,7 @@ jobs:

  coverage:
    name: Code coverage
-    needs: [rustfmt, clippy, fetch]
+    needs: [rustfmt, clippy, opa-lint, fetch]
    runs-on: ubuntu-latest

    permissions:
@ -228,6 +273,16 @@ jobs:
          override: true
          components: llvm-tools-preview

+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v1
+        with:
+          version: 0.40.0
+
+      - name: Compile OPA policies
+        run: |
+          cd crates/policy/policies
+          make
+
      - name: Setup Cargo cache
        uses: actions/cache@v3.0.3
        with:
@ -274,7 +329,7 @@ jobs:

  build-image:
    name: Build and push Docker image
-    needs: [rustfmt, clippy]
+    needs: [rustfmt, clippy, opa-lint]
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/matrix-org/matrix-authentication-service
--- a/crates/policy/Cargo.toml
+++ b/crates/policy/Cargo.toml
@ -6,10 +6,10 @@ edition = "2021"
 license = "Apache-2.0"

 [dependencies]
-anyhow = "1.0.31"
+anyhow = "1.0.57"
 opa-wasm = { git = "https://github.com/matrix-org/rust-opa-wasm.git" }
-serde = { version = "1.0.31", features = ["derive"] }
-serde_json = "1.0.31"
+serde = { version = "1.0.137", features = ["derive"] }
+serde_json = "1.0.81"
 thiserror = "1.0.31"
 tokio = { version = "1.18.2", features = ["io-util", "rt"] }
 tracing = "0.1.34"