From 5a1a45f98d0a40344e12c66eb2d19869c0d37de7 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Fri, 19 Apr 2024 14:59:30 -0400
Subject: [PATCH 1/4] Add data validation

This commit uses the ec-cli to verify the integrity of the data values defined in this repository.

Ref: https://issues.redhat.com/browse/EC-321

Signed-off-by: Luiz Carvalho
---
 .github/workflows/tests.yaml | 31 +++++++++++++++++++++++++++++++
 hack/verify-data.sh | 28 ++++++++++++++++++++++++++++
 policy.yaml | 15 +++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 .github/workflows/tests.yaml
 create mode 100755 hack/verify-data.sh
 create mode 100644 policy.yaml

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
new file mode 100644
index 0000000..0bd766c
--- /dev/null
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,31 @@
+---
+name: tests
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ verify-data:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install ec-cli
+ run: |-
+ mkdir -p "${HOME}/.local/bin"
+ curl -L https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec"
+ chmod +x "${HOME}/.local/bin/ec"
+ ec version
+
+ - name: Validate data
+ run: ./hack/verify-data.sh
diff --git a/hack/verify-data.sh b/hack/verify-data.sh
new file mode 100755
index 0000000..1a2ef17
--- /dev/null
+++ b/hack/verify-data.sh
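Review bot: The `Install ec-cli` step in this hunk executes a binary fetched from the floating `snapshot` release with no integrity check, so whatever that asset holds on a given day runs in the job and then decides whether this repository's policy data passes. Pin the download to a tagged ec-cli release and verify its published digest before `chmod +x`, e.g. `echo "<expected-sha256>  ${HOME}/.local/bin/ec" | sha256sum -c -` with the digest recorded in the workflow, and pin `actions/checkout@v4` to a commit SHA for the same reason. The `curl` call also lacks `-f`, so an HTTP 404/5xx body would be saved as the `ec` binary with exit status 0 and only surface when `ec version` fails; this applies equally to the rewritten curl line in PATCH 3/4 below.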
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+cd "$(git root)"
+
+# The EC policy does not allow for relative paths. For this reason, we use envsubst to replace
+# occurrences of $PWD with the actual working directoy. The result is a temporary policy file
+# with absolute paths.
+# NOTE: An alternative to saving the modified policy to a temporary file is to use a heredoc, e.g.
+# `ec validate input --file <(...)` However, when doing so, the file name is something like
+# `/dev/fd/63` which EC does not understand as neither a JSON nor a YAML file. Instead EC tries to
+# fetch such resource from a Kubernetes cluster 😅
+POLICY_YAML="$(mktemp --suffix '.yaml')"
+< policy.yaml envsubst '$PWD' > "${POLICY_YAML}"
+
+ec validate policy --policy "${POLICY_YAML}"
+echo '✅ Policy config validated'
+
+# The command requires --file to be used at least one. This sets the input to be verified by the
+# policy rules. However, here we are verifying the data sources which does not require an input.
+# So we use a dummy input file instead.
+ec validate input --policy "${POLICY_YAML}" --output yaml --file <(echo '{}') | yq .
+echo '✅ Data validated'
+
+rm -f "${POLICY_YAML}"
diff --git a/policy.yaml b/policy.yaml
new file mode 100644
index 0000000..73efa8a
--- /dev/null
+++ b/policy.yaml
@@ -0,0 +1,15 @@
+---
+name: verify-data
+description: >-
+ This policy config is responsible for verifying the integrity of the data defined in this
+ repository.
+sources:
+ - policy:
+ - github.com/enterprise-contract/ec-policies//policy/lib
+ - github.com/enterprise-contract/ec-policies//policy/release
+ data:
+ - $PWD/data/rule_data.yml
+ - $PWD/data/required_tasks.yml
+ config:
+ include:
+ - '@policy_data'
From d4cc4ddc0c260421e657b666be2a9134e283faf4 Mon Sep 17 00:00:00 2001
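Review bot: `cd "$(git root)"` depends on `root` being a user-configured git alias; git ships no such subcommand, so on a fresh runner the substitution prints an error and expands to an empty string, which bash's `cd` appears to treat as "stay here" rather than an error, and `set -o errexit` does not trip because only `cd`'s own status counts. Use the built-in form, `cd "$(git rev-parse --show-toplevel)"`, so the script works without user git config and fails loudly outside a checkout. The temporary policy file is also removed only on the success path; under errexit any failing `ec` invocation leaves it behind, so register `trap 'rm -f -- "${POLICY_YAML}"' EXIT` directly after the `mktemp` line in place of the trailing `rm -f`. `mktemp --suffix` is GNU-specific, which is fine on `ubuntu-latest` but deserves a one-line comment for anyone running the script on macOS.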
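Review bot: Both entries under `sources[0].policy` are unpinned, so each run evaluates whatever `enterprise-contract/ec-policies` currently holds on its default branch; a change there can break this job or alter what the data check enforces without any commit in this repository. If ec-cli accepts the go-getter `?ref=` form for these sources, pin them, e.g. `- github.com/enterprise-contract/ec-policies//policy/lib?ref=<tag-or-commit>`, and bump the ref deliberately. The `$PWD` placeholders under `data:` are only meaningful after hack/verify-data.sh runs envsubst, which is worth stating in a comment above `data:` so the file is not mistaken for something ec-cli can consume as-is.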
From: Ryan Hartman
Date: Mon, 22 Apr 2024 10:40:05 -0400
Subject: [PATCH 2/4] Grammar typo

Co-authored-by: Simon Baird
---
 hack/verify-data.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hack/verify-data.sh b/hack/verify-data.sh
index 1a2ef17..fb6dc73 100755
--- a/hack/verify-data.sh
+++ b/hack/verify-data.sh
@@ -19,7 +19,7 @@ POLICY_YAML="$(mktemp --suffix '.yaml')"
 ec validate policy --policy "${POLICY_YAML}"
 echo '✅ Policy config validated'

-# The command requires --file to be used at least one. This sets the input to be verified by the
+# The command requires --file to be used at least once. This sets the input to be verified by the
 # policy rules. However, here we are verifying the data sources which does not require an input.
 # So we use a dummy input file instead.
 ec validate input --policy "${POLICY_YAML}" --output yaml --file <(echo '{}') | yq .
From e633c138367ccadd2d65e7c65fc6b9d32196a457 Mon Sep 17 00:00:00 2001
From: Ryan Hartman
Date: Mon, 22 Apr 2024 10:41:05 -0400
Subject: [PATCH 3/4] Make the curl progress silent

Co-authored-by: Simon Baird
---
 .github/workflows/tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 0bd766c..ba3f1ed 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -23,7 +23,7 @@ jobs:
 - name: Install ec-cli
 run: |-
 mkdir -p "${HOME}/.local/bin"
- curl -L https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec"
+ curl -sL https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec"
 chmod +x "${HOME}/.local/bin/ec"
 ec version

From 5aae4558c2ea0b2bbf8736bb7a6507811984a21b Mon Sep 17 00:00:00 2001
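Review bot: The new `-s` in the PATCH 3/4 hunk silences curl's error messages along with the progress meter, so a DNS failure, TLS error or rejected redirect now leaves no diagnostic in the job log and the step dies later at `ec version` with an unrelated-looking message. Keep the quiet progress output but restore error reporting with `-S`, i.e. `curl -sSL https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o "${HOME}/.local/bin/ec"`. The surrounding `verify-data` job starts above this hunk.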
From: Ryan Hartman
Date: Mon, 22 Apr 2024 10:41:30 -0400
Subject: [PATCH 4/4] Spell check

Co-authored-by: Mike Bonnet
---
 hack/verify-data.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hack/verify-data.sh b/hack/verify-data.sh
index fb6dc73..7e800e6 100755
--- a/hack/verify-data.sh
+++ b/hack/verify-data.sh
@@ -7,7 +7,7 @@ set -o nounset
 cd "$(git root)"

 # The EC policy does not allow for relative paths. For this reason, we use envsubst to replace
-# occurrences of $PWD with the actual working directoy. The result is a temporary policy file
+# occurrences of $PWD with the actual working directory. The result is a temporary policy file
 # with absolute paths.
 # NOTE: An alternative to saving the modified policy to a temporary file is to use a heredoc, e.g.
 # `ec validate input --file <(...)` However, when doing so, the file name is something like