From 0e61ece28aff992c2956f14ba19a5cfb107c0f5e Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Fri, 30 Jan 2026 23:48:35 +0000
Subject: [PATCH 1/4] Change policy tests

---
 .github/workflows/_policy_test.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/_policy_test.yaml b/.github/workflows/_policy_test.yaml
index 4fb17995..df7ad60c 100644
--- a/.github/workflows/_policy_test.yaml
+++ b/.github/workflows/_policy_test.yaml
@@ -10,10 +10,9 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v4.2.2
 
-      - name: Setup OPA
-        uses: open-policy-agent/setup-opa@v2.2.0
+      - name: Run OPA Rego Tests
+        uses: masterpointio/github-action-opa-rego-test@main
         with:
-          version: latest
-
-      - name: Test
-        run: opa test ./policy -v
+          path: ./policy
+          test_mode: directory # Whether to test the Rego by directory (e.g. opa test ./) or by individual files (e.g. opa test a_test.rego a.rego). Options of `directory` or `file`.
+          report_untested_files: true # Flag to check & report Rego files that does NOT have corresponding test files. Optional, defaults to false.

From 4e9fc10070cadaa0e431d3a9d119bd7a1a02c8bc Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Sat, 31 Jan 2026 00:05:33 +0000
Subject: [PATCH 2/4] add ability to comment

---
 .github/workflows/_policy_test.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/_policy_test.yaml b/.github/workflows/_policy_test.yaml
index df7ad60c..a2a38913 100644
--- a/.github/workflows/_policy_test.yaml
+++ b/.github/workflows/_policy_test.yaml
@@ -3,6 +3,11 @@ name: Policy Test
 on:
   workflow_call:
 
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write # required to comment on PRs
+
 jobs:
   test:
     runs-on: ubuntu-latest

From 43f87566eb56ab27b04fb496667da96dda0dc37e Mon Sep 17 00:00:00 2001
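Review bot: `uses: masterpointio/github-action-opa-rego-test@main` pins a third-party action to a moving branch, so any push to that repository's `main` executes inside this job with whatever GITHUB_TOKEN permissions the caller grants it; the neighbouring `actions/checkout@v4.2.2` and the removed `open-policy-agent/setup-opa@v2.2.0` were at least tag-pinned. Pin it to the full commit SHA of the release you actually tested, with the version as a trailing comment, e.g. `uses: masterpointio/github-action-opa-rego-test@<full-commit-sha> # vX.Y.Z`, and let Dependabot or Renovate move it. The inline comments on `test_mode` and `report_untested_files` read like they were pasted from the action's documentation and run far past any sane line length; a one-line description above each key, or a link to the action's README, would be clearer.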
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Sat, 31 Jan 2026 00:18:03 +0000
Subject: [PATCH 3/4] Move permissions

---
 .github/workflows/_policy_test.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/_policy_test.yaml b/.github/workflows/_policy_test.yaml
index a2a38913..8f18b5e1 100644
--- a/.github/workflows/_policy_test.yaml
+++ b/.github/workflows/_policy_test.yaml
@@ -3,14 +3,14 @@ name: Policy Test
 on:
   workflow_call:
 
-permissions:
-  id-token: write
-  contents: read
-  pull-requests: write # required to comment on PRs
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write # required to comment on PRs
     steps:
       - name: Checkout source
         uses: actions/checkout@v4.2.2

From 847d2f4eba406436fc4cc7f3fdb66dac206ba2d3 Mon Sep 17 00:00:00 2001
From: Zoheb Shaikh <26975142+ZohebShaikh@users.noreply.github.com>
Date: Sat, 31 Jan 2026 00:20:08 +0000
Subject: [PATCH 4/4] move permissions

---
 .github/workflows/_policy_test.yaml | 8 ++++----
 .github/workflows/ci.yaml           | 4 ++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/_policy_test.yaml b/.github/workflows/_policy_test.yaml
index 8f18b5e1..9f88a4a3 100644
--- a/.github/workflows/_policy_test.yaml
+++ b/.github/workflows/_policy_test.yaml
@@ -7,10 +7,10 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-      pull-requests: write # required to comment on PRs
+    # permissions:
+    #   id-token: write
+    #   contents: read
+    #   pull-requests: write # required to comment on PRs
     steps:
       - name: Checkout source
         uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 251ccabe..69523147 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
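Review bot: Commenting out the `permissions:` block under `test:` leaves four dead lines in the reusable workflow and drops the only cap the called workflow itself placed on what a caller may hand it; as I read the reusable-workflow rules a called job can only narrow the caller's grant, so an explicit minimal block here is cheap defence-in-depth rather than a conflict with the caller. Either delete the commented lines outright or restore them with just what the step's own comment justifies, `permissions:` / `  contents: read` / `  pull-requests: write`, and leave anything broader to the caller. If the block was disabled because a run failed with it present, record that reason in a comment instead of leaving an unexplained stub. The `jobs.test` mapping continues past the end of this hunk.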
@@ -58,6 +58,10 @@ jobs:
     uses: ./.github/workflows/_policy_lint.yaml
 
   policy_test:
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write # required to comment on PRs
     # Deduplicate jobs from pull requests and branch pushes within the same repo.
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.repository
     uses: ./.github/workflows/_policy_test.yaml
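Review bot: `id-token: write` on `policy_test` has no stated justification — the inline comment only explains `pull-requests: write` — yet it lets the called workflow, including the branch-pinned third-party action it now runs, mint OIDC tokens for this repository's identity against any cloud trust relationship that accepts them. Drop it unless the action is documented to require OIDC, leaving `contents: read` and `pull-requests: write # required to comment on PRs`. Note also that the existing `if:` admits `pull_request` runs only from forks, where GITHUB_TOKEN is read-only by default, so the write grant will presumably be ignored there and the PR comment will not post; if commenting on fork PRs is the goal that needs its own design rather than a switch to `pull_request_target`, which would run fork code with write tokens. The `policy_test` job may continue past the end of this hunk.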