make policy rego dynamic, simplify documentation-flow#277
Pull request overview
This PR introduces a new GitHub Actions workflow system for enforcing documentation policies across repositories. It adds a dynamic policy evaluation mechanism using OPA (Open Policy Agent) with externally fetched Rego policy files.
Changes:
- Added `documentation-policy-check.yml` as a wrapper workflow that accepts parameters and delegates to the main implementation
- Added `docu-policy.yml` as the main reusable workflow that checks cross-repository documentation compliance using a compliance-as-code attestor and OPA policy evaluation
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/workflows/documentation-policy-check.yml | Wrapper workflow that accepts inputs and calls the main documentation policy workflow |
| .github/workflows/docu-policy.yml | Main workflow implementation that fetches issues from repositories, downloads policy files, and evaluates them using OPA |
| documentation-repo: ${{ inputs.documentation-repo }} | ||
| production-repos: ${{ inputs.production-repos}} | ||
| policy-url: ${{ inputs.policy-url }} | ||
| json-path: ${{ inputs.json-path }} No newline at end of file |
There is an inconsistency in parameter naming conventions. In the wrapper workflow, inputs use kebab-case (documentation-repo, production-repos, policy-url, json-path), but when calling the reusable workflow, some parameters are passed to a workflow that expects snake_case (documentation_repo, production_repos, policy_url, json_path as seen in docu-policy.yml lines 6-23). This mismatch will cause the workflow call to fail as the parameters won't be properly mapped.
| documentation-repo: ${{ inputs.documentation-repo }} | |
| production-repos: ${{ inputs.production-repos}} | |
| policy-url: ${{ inputs.policy-url }} | |
| json-path: ${{ inputs.json-path }} | |
| documentation_repo: ${{ inputs.documentation-repo }} | |
| production_repos: ${{ inputs.production-repos}} | |
| policy_url: ${{ inputs.policy-url }} | |
| json_path: ${{ inputs.json-path }} |
.github/workflows/docu-policy.yml
Outdated
| echo '{"documentation_repo": "${{ inputs.documentation_repo }}", "production_repo": "${{ inputs.production_repos }}", "pull_request_title": "${{ env.PR_TITLE }}"}' > /tmp/doc_repo.json | ||
| opa eval \ | ||
| --data $POLICY_REGO \ | ||
| --data $DOCUMENTATION_REPO \x |
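Review bot: the first line writes the input document to /tmp/doc_repo.json, but the `opa eval` call two lines later reads `--data $DOCUMENTATION_REPO`; unless that variable is set to /tmp/doc_repo.json elsewhere in the step, the evaluation runs against a missing or stale file. Write to `"$DOCUMENTATION_REPO"` directly so there is a single path, and quote both `"$POLICY_REGO"` and `"$DOCUMENTATION_REPO"` so a path containing whitespace is not split into extra arguments.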
There is a syntax error on line 84. The line contains '\x' at the end which appears to be an erroneous escape sequence or typo. This should be removed or replaced with a proper line continuation backslash '\' if the intention was to continue the command on the next line.
| --data $DOCUMENTATION_REPO \x | |
| --data $DOCUMENTATION_REPO \ |
.github/workflows/docu-policy.yml
Outdated
| curl -o policy.rego "${{ inputs.policy_url }}" | ||
| cat policy.rego > "$POLICY_REGO" |
The curl command saves the policy file to 'policy.rego' in the current directory, but then attempts to redirect its content to $POLICY_REGO. This is redundant and inefficient. The command should either directly download to $POLICY_REGO using 'curl -o "$POLICY_REGO" "${{ inputs.policy_url }}"' or simply move/copy the file. The current implementation with 'cat policy.rego > "$POLICY_REGO"' is unnecessary since the file was already downloaded.
| curl -o policy.rego "${{ inputs.policy_url }}" | |
| cat policy.rego > "$POLICY_REGO" | |
| curl -o "$POLICY_REGO" "${{ inputs.policy_url }}" |
.github/workflows/docu-policy.yml
Outdated
| run: | | ||
| curl -o policy.rego "${{ inputs.policy_url }}" | ||
| cat policy.rego > "$POLICY_REGO" |
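Review bot: the file fetched here becomes the policy that decides the outcome of the run, so the reference it is fetched from should be immutable. If `policy_url` points at a branch, whoever can push to that branch can change the verdict of every workflow that uses it; pin the URL to a commit SHA or release tag instead. A concrete way to close the gap Copilot raises is to take an expected digest as a second workflow input and fail the step when it does not match, e.g. `echo "$POLICY_SHA256  $POLICY_REGO" | sha256sum -c -` right after the download (with `curl -fsSL -o "$POLICY_REGO"` so a 404 does not leave an empty file behind).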
The policy file download from an arbitrary URL without verification poses a security risk. Consider adding checksum verification or signature validation to ensure the policy file hasn't been tampered with. Additionally, ensure the policy_url input is restricted to trusted domains or repositories.
.github/workflows/docu-policy.yml
Outdated
| run: | | ||
| echo '{"documentation_repo": "${{ inputs.documentation_repo }}", "production_repo": "${{ inputs.production_repos }}", "pull_request_title": "${{ env.PR_TITLE }}"}' > /tmp/doc_repo.json |
The JSON construction in this line is vulnerable to command injection. The values from workflow inputs and environment variables are directly interpolated into the JSON string without proper escaping. If any of these values contain quotes or special characters, it will break the JSON format or potentially allow injection attacks. Consider using a proper JSON generation tool like jq to construct the JSON safely.
| echo '{"documentation_repo": "${{ inputs.documentation_repo }}", "production_repo": "${{ inputs.production_repos }}", "pull_request_title": "${{ env.PR_TITLE }}"}' > /tmp/doc_repo.json | |
| apt-get update && apt-get install -y jq | |
| echo '{}' | jq \ | |
| --arg documentation_repo "${{ inputs.documentation_repo }}" \ | |
| --arg production_repo "${{ inputs.production_repos }}" \ | |
| --arg pull_request_title "${{ env.PR_TITLE }}" \ | |
| '.documentation_repo = $documentation_repo | |
| | .production_repo = $production_repo | |
| | .pull_request_title = $pull_request_title' > "$DOCUMENTATION_REPO" |
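Review bot: the jq rewrite fixes the JSON quoting but not the injection, because `${{ inputs.documentation_repo }}` and `${{ env.PR_TITLE }}` are still expanded by the Actions runner into the script text before bash runs it; a PR title containing a double quote followed by `$(...)` or a newline is interpreted by the shell before jq ever sees it. Move the values out of the script body into the step's `env:` block (for example `DOC_REPO: ${{ inputs.documentation_repo }}`) and reference them as shell variables, so the jq line becomes `--arg documentation_repo "$DOC_REPO"` and `--arg pull_request_title "$PR_TITLE"`; `--arg` then escapes whatever the variable holds. `PR_TITLE` is already in `env`, so `"$PR_TITLE"` can replace the `${{ env.PR_TITLE }}` interpolation as-is. Separately, `apt-get update && apt-get install -y jq` assumes root on a Debian-based image; on a GitHub-hosted Ubuntu runner jq is preinstalled and `apt-get` would need `sudo`, so either drop the install or guard it with a `command -v jq` check.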
| uses: ./.github/workflows/docu-policy.yml | ||
| with: | ||
| documentation-repo: ${{ inputs.documentation-repo }} | ||
| production-repos: ${{ inputs.production-repos}} |
There is a syntax error on this line. A space is missing after the closing brace. The correct syntax should be "production-repos}}" with a space before the closing tag delimiter.
| production-repos: ${{ inputs.production-repos}} | |
| production-repos: ${{ inputs.production-repos }} |
.github/workflows/docu-policy.yml
Outdated
| /usr/local/bin/compliance-as-code-witness github issue \ | ||
| --repository "${{ inputs.documentation_repo }}" \ | ||
| --repository "${{ inputs.production_repos }}" \ | ||
| --filter="${{ inputs.json_path }}" \ |
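Review bot: `--repository` is passed twice, once with `documentation_repo` and once with `production_repos`; confirm the CLI accepts a repeated flag (otherwise the second value silently replaces the first) and, since the input name is plural, whether a comma-separated list is meant to be split into several `--repository` flags here rather than passed verbatim. The `${{ inputs.json_path }}` interpolation inside `--filter="..."` has the same shell-injection exposure as the JSON construction elsewhere in this file: a value containing a double quote ends the shell string; pass it through `env:` and use `--filter="$JSON_PATH"` instead.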
There was a problem hiding this comment.
The command on line 54 is missing a line continuation backslash before the line break at line 58. This will cause the command to terminate prematurely, and line 58 (cat "$ATTESTATION_FILE") will be executed as a separate command instead of being part of the compliance-as-code-witness command output redirection or continuation.
| --filter="${{ inputs.json_path }}" \ | |
| --filter="${{ inputs.json_path }}" \ | |
| > "$ATTESTATION_FILE" |
.github/workflows/docu-policy.yml
Outdated
| - name: fetch policy file | ||
| run: | | ||
| curl -o policy.rego "${{ inputs.policy_url }}" |
The curl command lacks error handling. If the download fails (network error, 404, etc.), the workflow will continue with an empty or non-existent policy file, potentially leading to incorrect policy evaluation. Add the -f flag to make curl fail on HTTP errors and consider adding the -S flag for better error reporting in silent mode.
| curl -o policy.rego "${{ inputs.policy_url }}" | |
| curl -fS -o policy.rego "${{ inputs.policy_url }}" |