Check PR for mistakes in ecosystem page change (#4164)

Since both contributors and reviewers (i.e. me!) seem
to easily miss the correct location of the logo for a new
integration - add checks that will fail the PR when this
happens.

This is admittedly mostly for fun, but I figured it would
be pretty cool to explore whether we could integrate Rego
policies into our own build pipeline. There are definitely
more things to explore using the GitHub API as a datasource
for build pipeline policies, but this is at least a start.

Signed-off-by: Anders Eknert <anders@eknert.com>

.github/policy/files.rego

@@ -0,0 +1,46 @@
+# Expects policy input as provided by:
+# https://api.github.com/repos/open-policy-agent/opa/pulls/${PR_ID}/files
+#
+# Note that the "filename" here refers to the full path of the file, like
+# docs/website/data/integrations.yaml - since that's how it's named in the
+# input we'll use the same convention here.
+
+package files
+
+import future.keywords.in
+
+filenames := [f | f := input[_].filename]
+
+changes := {filename: attributes |
+	c := input[_]
+	filename := c.filename
+	attributes := object.remove(c, ["filename"])
+}
+
+deny["Logo must be placed in docs/website/static/img/logos/integrations"] {
+	"docs/website/data/integrations.yaml" in filenames
+
+	some filename in filenames
+	endswith(filename, ".png")
+	changes[filename].status == "added"
+	directory := substring(filename, 0, last_indexof(filename, "/"))
+	directory != "docs/website/static/img/logos/integrations"
+}
+
+deny["Logo must be a .png file"] {
+	"docs/website/data/integrations.yaml" in filenames
+
+	some filename in filenames
+	changes[filename].status == "added"
+	directory := substring(filename, 0, last_indexof(filename, "/"))
+	directory == "docs/website/static/img/logos/integrations"
+	not endswith(filename, ".png")
+}
+
+last_indexof(string, search) = i {
+	all := [i | chars := split(string, ""); chars[i] == search]
+	count(all) > 0
+	i := all[count(all) - 1]
+} else = -1 {
+	true
+}

.github/policy/files_test.rego

@@ -0,0 +1,44 @@
+package files_test
+
+import data.files.deny
+
+test_deny_logo_if_added_in_wrong_directory {
+	expected := "Logo must be placed in docs/website/static/img/logos/integrations"
+	deny[expected] with input as [
+		{
+			"filename": "docs/website/data/integrations.yaml",
+			"status": "modified",
+		},
+		{
+			"filename": "docs/website/static/img/logos/example.png",
+			"status": "added",
+		},
+	]
+}
+
+test_allow_logo_if_added_in_correct_directory {
+	count(deny) == 0 with input as [
+		{
+			"filename": "docs/website/data/integrations.yaml",
+			"status": "modified",
+		},
+		{
+			"filename": "docs/website/static/img/logos/integrations/example.png",
+			"status": "added",
+		},
+	]
+}
+
+test_deny_logo_if_not_png_file {
+	expected := "Logo must be a .png file"
+	deny[expected] with input as [
+		{
+			"filename": "docs/website/data/integrations.yaml",
+			"status": "modified",
+		},
+		{
+			"filename": "docs/website/static/img/logos/integrations/example.jpg",
+			"status": "added",
+		},
+	]
+}

.github/workflows/pull-request.yaml

@@ -274,3 +274,24 @@ jobs:
       - name: Build
         run: make ci-go-ci-build-linux GOVERSION=${{ matrix.version }}
         timeout-minutes: 30
+
+  # Run PR metadata against Rego policies
+  rego-check-pr:
+    name: Rego PR checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Download OPA
+        uses: infracost/setup-opa@v1
+
+      - name: Test policies
+        run: opa test .github/policy
+
+      - name: Run policy checks on changed files
+        run: |
+          curl --silent --fail --header 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
+          https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files \
+          | opa eval --data .github/policy/files.rego --format values --stdin-input --fail-defined 'data.files.deny[message]'
+