feat(actions): add validation and drift-detection actions

iainlane · iainlane · commit 583fcedd4a77 · 2024-11-11T19:40:03.000Z
diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
@@ -0,0 +1,26 @@
+name: Check for .policy.yml drift
+
+on:
+  pull_request:
+    types:
+      - edited
+      - opened
+      - ready_for_review
+      - synchronize
+  push:
+    branches:
+      - main
+
+jobs:
+  drift:
+    name: Check for drift
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check repository out
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Check for drift
+        uses: ./actions/check-for-drift
+        with:
+          input_file: .policy.yml
+          merge_with: policy.yml
diff --git a/actions/check-for-drift/action.yml b/actions/check-for-drift/action.yml
@@ -0,0 +1,68 @@
+name: Check for Drift
+description: Checks if the generated output is different from the input file
+
+inputs:
+  input_file:
+    description: The input file to compare
+    required: true
+
+  merge_with:
+    description: The file to merge with the input file
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - name: Check repository out
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      env:
+        action_repo: ${{ github.action_repository }}
+        action_ref: ${{ github.action_ref }}
+      with:
+        path: ${{ github.workspace }}/action-checkout
+        repository: ${{ env.action_repo }}
+        ref: ${{ env.action_ref }}
+
+    - name: Set up Go
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      with:
+        go-version-file: ${{ github.workspace }}/action-checkout/go.mod
+
+    - name: Build the program
+      shell: sh
+      run: |
+        cd "${{ github.workspace }}/action-checkout"
+
+        DESTDIR="$(go env GOPATH)/bin"
+        mkdir -p "${DESTDIR}"
+
+        go build \
+          -o "${DESTDIR}/generate-policy-bot-config" \
+          github.com/grafana/generate-policy-bot-config/cmd/generate-policy-bot-config
+
+    - name: Generate new config
+      id: new
+      shell: sh
+      run: |
+        echo "config<<EOC" > "${GITHUB_OUTPUT}"
+        generate-policy-bot-config \
+          --output - \
+          --merge-with ${{ inputs.merge_with }} \
+          . \
+        | tee -a "${GITHUB_OUTPUT}"
+        echo "EOC" >> "${GITHUB_OUTPUT}"
+
+    - name: Check for drift
+      shell: bash
+      run: |
+        IFS='' read -r -d '' NEW_CONFIG <<'EOC' || true
+        ${{ steps.new.outputs.config }}
+        EOC
+
+        if ! diff -u ${{ inputs.input_file }} - <<< "${NEW_CONFIG}"; then
+          echo "Drift detected: ${{ inputs.input_file }} is out-of-date. Regenerate it and commit the result."
+          exit 1
+        fi
+
+        echo "No drift detected: ${{ inputs.input_file }} is up-to-date."
diff --git a/actions/validate/README.md b/actions/validate/README.md
@@ -0,0 +1,33 @@
+# validate-policy-bot-config
+
+Validates the `.policy.yml` configuration file for [Policy Bot][policy-bot]. See
+[the documentation][policy-bot-docs] for more information on creating rules.
+
+[policy-bot]: https://github.com/palantir/policy-bot
+[policy-bot-docs]: https://github.com/palantir/policy-bot?tab=readme-ov-file#configuration
+
+## Inputs
+
+- `policy`: The path to the `.policy.yml` file to validate. Default: `.policy.yml`.
+- `validation_endpoint` (required): The endpoint to validate the configuration
+  against.
+
+Example workflow:
+
+```yaml
+name: validate-policy-bot
+on:
+  pull_request:
+    paths:
+      - .policy.yml
+  push:
+    paths:
+      - .policy.yml
+
+jobs:
+  validate-policy-bot:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate Policy Bot configuration
+        uses: grafana/generate-policy-bot-config/actions/validate@main
+```
diff --git a/actions/validate/action.yml b/actions/validate/action.yml
@@ -0,0 +1,26 @@
+name: Validate Policy Bot Config
+description: Validates the Policy Bot configuration file.
+
+inputs:
+  policy:
+    description: |
+      Path to the Policy Bot configuration file.
+    default: .policy.yml
+
+  validation_endpoint:
+    description: |
+      Validation API endpoint.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Validate Policy Bot config
+      shell: bash
+      run: |
+        curl \
+          --silent \
+          --fail-with-body \
+          --request PUT \
+          --upload-file "${{ inputs.policy }}" \
+          "${{ inputs.validation_endpoint }}"
