feat: List local and imported variables in the policy with InspectPolicies #3781
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
pull_request: | |
branches: | |
- main | |
- 'v*' | |
jobs: | |
changes: | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
outputs: | |
code: ${{ steps.filter.outputs.code }} | |
docs: ${{ steps.filter.outputs.docs }} | |
npm: ${{ steps.filter.outputs.npm }} | |
protos: ${{ steps.filter.outputs.protos }} | |
steps: | |
- uses: dorny/paths-filter@v3 | |
id: filter | |
with: | |
filters: | | |
code: | |
- '!(.node-version|{docs,npm}/**)' | |
docs: | |
- .github/workflows/pr-test.yaml | |
- 'docs/**' | |
npm: | |
- .github/workflows/pr-test.yaml | |
- 'npm/**' | |
- .node-version | |
protos: | |
- .github/workflows/pr-test.yaml | |
- '**/*.proto' | |
cache: | |
uses: ./.github/workflows/cache.yaml | |
generate: | |
needs: changes | |
if: ${{ needs.changes.outputs.code == 'true' }} | |
name: Generate | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install Go and restore cached dependencies | |
uses: ./.github/actions/setup-go | |
- name: Generate | |
run: make generate | |
- name: Check repo status | |
run: |- | |
REPO_STATUS="$(git status --porcelain)" | |
if [[ ! -z $REPO_STATUS ]]; then | |
echo "::error::Uncommitted changes detected" | |
echo "$REPO_STATUS" | |
exit 1 | |
fi | |
download-test-times: | |
name: Download test times | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Download previous test times | |
continue-on-error: true | |
uses: dawidd6/action-download-artifact@v3 | |
with: | |
workflow: pr-test.yaml | |
name: test-times | |
search_artifacts: true | |
- name: Upload previous test times | |
uses: actions/upload-artifact@v4 | |
with: | |
name: previous-test-times | |
path: test-times.json | |
test: | |
needs: | |
- changes | |
- download-test-times | |
if: ${{ needs.changes.outputs.code == 'true' }} | |
name: Test | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
strategy: | |
fail-fast: false | |
matrix: | |
split: [0, 1, 2, 3, 4, 5] | |
outputs: | |
job-total: ${{ strategy.job-total }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
lfs: true | |
- name: Install Go and restore cached dependencies | |
uses: ./.github/actions/setup-go | |
- name: Download previous test times | |
uses: actions/download-artifact@v4 | |
with: | |
name: previous-test-times | |
- name: Test | |
run: make test-all TESTSPLIT_INDEX=${{ strategy.job-index }} TESTSPLIT_TOTAL=${{ strategy.job-total }} | |
env: | |
GOEXPERIMENT: loopvar # https://github.com/golang/go/wiki/LoopvarExperiment | |
CERBOS_LOG_LEVEL: "debug" | |
CERBOS_TEST_LOG_LEVEL: "debug" | |
CERBOS_DEBUG_DB: "true" | |
CERBOS_DEBUG_ENGINE: "true" | |
CERBOS_DEBUG_KAFKA: "true" | |
- name: Upload JUnit reports | |
uses: actions/upload-artifact@v4 | |
with: | |
name: junit-reports-${{ strategy.job-index }} | |
path: junit.*.xml | |
- name: Upload unit coverage to Coveralls | |
uses: shogo82148/actions-goveralls@v1 | |
with: | |
path-to-profile: unit.cover | |
flag-name: unit-${{ strategy.job-index }} | |
parallel: true | |
- name: Upload integration coverage to Coveralls | |
uses: shogo82148/actions-goveralls@v1 | |
with: | |
path-to-profile: integration.cover | |
flag-name: integration-${{ strategy.job-index }} | |
parallel: true | |
upload-test-times: | |
needs: test | |
if: ${{ always() && needs.test.result != 'skipped' }} | |
name: Upload test times | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Check test results | |
run: test "${{ needs.test.result }}" = "success" | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install Go and restore cached dependencies | |
uses: ./.github/actions/setup-go | |
- name: Download JUnit reports | |
uses: actions/download-artifact@v4 | |
- name: Combine JUnit reports | |
run: |- | |
mv junit-reports-*/junit.*.xml . | |
make test-times TESTSPLIT_TOTAL=${{ needs.test.outputs.job-total }} | |
- name: Upload new test times | |
uses: actions/upload-artifact@v4 | |
with: | |
name: test-times | |
path: test-times.json | |
- name: Complete coveralls report | |
uses: shogo82148/actions-goveralls@v1 | |
with: | |
parallel-finished: true | |
docs: | |
needs: changes | |
if: ${{ needs.changes.outputs.docs == 'true' }} | |
name: Build docs | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
lfs: true | |
- name: Generate docs | |
uses: ./.github/actions/antora-docs | |
id: docs | |
golangci: | |
needs: changes | |
if: ${{ needs.changes.outputs.code == 'true' }} | |
name: Lint | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.22.x | |
check-latest: true | |
cache: false | |
- name: golangci-lint | |
uses: golangci/golangci-lint-action@v5.3.0 | |
with: | |
version: latest | |
args: '--config=.golangci.yaml -v' | |
buf: | |
needs: changes | |
if: ${{ needs.changes.outputs.protos == 'true' }} | |
name: Proto check | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Setup Buf | |
uses: bufbuild/buf-setup-action@v1.31.0 | |
with: | |
github_token: ${{ github.token }} | |
- name: Lint protos | |
uses: bufbuild/buf-lint-action@v1.1.1 | |
- name: Check formatting | |
run: buf format --diff --exit-code | |
- name: Find latest release | |
id: latest-release | |
run: gh release view --json tagName --jq '"tag=\(.tagName)"' >> $GITHUB_OUTPUT | |
env: | |
GH_TOKEN: ${{ github.token }} | |
- name: Check backwards compatibility | |
uses: cerbos/buf-breaking-action@since | |
with: | |
against: https://github.com/cerbos/cerbos.git#tag=${{ steps.latest-release.outputs.tag }} | |
since: https://github.com/cerbos/cerbos.git#branch=main | |
test-helm: | |
needs: changes | |
if: ${{ needs.changes.outputs.code == 'true' }} | |
name: Helm test | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: '1.22.x' | |
- name: Test Helm chart | |
run: ./deploy/charts/validate.sh | |
build-npm: | |
needs: changes | |
if: ${{ needs.changes.outputs.npm == 'true' }} | |
name: Build npm packages | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
steps: | |
- name: Free disk space | |
uses: jlumbroso/free-disk-space@main | |
with: | |
tool-cache: false | |
android: true | |
dotnet: true | |
haskell: true | |
large-packages: true | |
docker-images: true | |
swap-storage: true | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go and cache dependencies | |
uses: ./.github/actions/setup-go | |
with: | |
cross_compiling: true | |
- name: Build binaries | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: latest | |
args: build --config=.goreleaser.yml --clean --snapshot | |
env: | |
TELEMETRY_WRITE_KEY: ${{ secrets.TELEMETRY_WRITE_KEY }} | |
TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} | |
- name: Collect npm packages | |
run: tar --create --verbose --file npm.tar npm | |
- name: Upload npm packages | |
uses: actions/upload-artifact@v4 | |
with: | |
name: npm-packages | |
path: npm.tar | |
test-npm: | |
needs: build-npm | |
name: Test npm packages | |
strategy: | |
fail-fast: false | |
matrix: | |
runs-on: | |
- macos-latest | |
- ubuntu-latest | |
runs-on: ${{ matrix.runs-on }} | |
timeout-minutes: 10 | |
steps: | |
- name: Check out .node-version file | |
uses: actions/checkout@v4 | |
with: | |
sparse-checkout: .node-version | |
sparse-checkout-cone-mode: false | |
- name: Download npm packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: npm-packages | |
- name: Extract npm packages | |
run: tar --extract --verbose --file npm.tar | |
- name: Install Node.js | |
uses: actions/setup-node@v4 | |
with: | |
cache: npm | |
cache-dependency-path: npm/test/registry/package-lock.json | |
node-version-file: .node-version | |
# https://github.com/actions/runner-images/issues/9626 | |
- name: Don't force curl to use IPv4 | |
run: rm -f ~/.curlrc | |
- name: Test npm packages | |
working-directory: npm | |
run: corepack npm test | |
test-npm-results: | |
name: Check results of npm package tests | |
runs-on: ubuntu-latest | |
if: always() && needs.test-npm.result != 'skipped' | |
needs: | |
- test-npm | |
steps: | |
- name: Check test results | |
run: test "${{ needs.test-npm.result }}" = "success" |