-
Notifications
You must be signed in to change notification settings - Fork 19
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #21 from lcarva/EC-321
Add data validation
- Loading branch information
Showing
3 changed files
with
74 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| --- | ||
| name: tests | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| verify-data: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install ec-cli | ||
| run: |- | ||
| mkdir -p "${HOME}/.local/bin" | ||
| curl -sL https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec" | ||
| chmod +x "${HOME}/.local/bin/ec" | ||
| ec version | ||
| - name: Validate data | ||
| run: ./hack/verify-data.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -o errexit | ||
| set -o pipefail | ||
| set -o nounset | ||
|
|
||
| cd "$(git root)" | ||
|
|
||
| # The EC policy does not allow for relative paths. For this reason, we use envsubst to replace | ||
| # occurrences of $PWD with the actual working directory. The result is a temporary policy file | ||
| # with absolute paths. | ||
| # NOTE: An alternative to saving the modified policy to a temporary file is to use a heredoc, e.g. | ||
| # `ec validate input --file <(...)` However, when doing so, the file name is something like | ||
| # `/dev/fd/63` which EC does not understand as neither a JSON nor a YAML file. Instead EC tries to | ||
| # fetch such resource from a Kubernetes cluster 😅 | ||
| POLICY_YAML="$(mktemp --suffix '.yaml')" | ||
| < policy.yaml envsubst '$PWD' > "${POLICY_YAML}" | ||
|
|
||
| ec validate policy --policy "${POLICY_YAML}" | ||
| echo '✅ Policy config validated' | ||
|
|
||
| # The command requires --file to be used at least once. This sets the input to be verified by the | ||
| # policy rules. However, here we are verifying the data sources which does not require an input. | ||
| # So we use a dummy input file instead. | ||
| ec validate input --policy "${POLICY_YAML}" --output yaml --file <(echo '{}') | yq . | ||
| echo '✅ Data validated' | ||
|
|
||
| rm -f "${POLICY_YAML}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| --- | ||
| name: verify-data | ||
| description: >- | ||
| This policy config is responsible for verifying the integrity of the data defined in this | ||
| repository. | ||
| sources: | ||
| - policy: | ||
| - github.com/enterprise-contract/ec-policies//policy/lib | ||
| - github.com/enterprise-contract/ec-policies//policy/release | ||
| data: | ||
| - $PWD/data/rule_data.yml | ||
| - $PWD/data/required_tasks.yml | ||
| config: | ||
| include: | ||
| - '@policy_data' |