My submission to the GitHub actionshackathon21

My Workflow

Policyer is an open source project (more like a vision) I created after inspired by policy engines that become very popular lately (OPA,Checkov)
Policyer going to focus on providing platform to run and create meaningful reports, data engagement and plugin system to let you provide any data, some time it can be k8s yaml and in other it can be user data.

Policyer Action

The policyer-action let you the option to run Policyer as part of your CI process, in my example I'm going to validate GitHub SDK calls.

Provider is like a plugin for policyer engine, it provide the data so the engine can run it against the checks (polciies)

Its important for me to emphasize that Policyer provide a platform, and eventually I will want to see marketplace full of custom providers.
The action can use any provider either local or published to NPM (support for private registries is on the way). In my example I created a simple provider to run GitHub SDK calls.

Example Repo

Example Check:

  provider: github-provider
  type: rest
    - pull_request
    - push
  domain: pulls
  action: listRequestedReviewers
    owner: context.payload.pull_request.base.user.login
    repo: context.payload.pull_request.base.repo.name
    pull_number: context.payload.pull_request.number
  - id: validate-reviewers
    name: check if reviewers exists.
    severity: High
      - path: data.users
        condition: includes
        value: "nirtester"
        utility: map
          - "login"

(just a reminder this is a policy example and the Github action will evaluate it and output as a report)

Check flow:

  • first of all we setup the configuration section where we can provider meta data for the check, in this example I'm asking from the provider to do an SDK call:
                  owner: ...pull_request.base.user.login
                  repo: ...pull_request.base.repo.name
                  pull_number: ...pull_request.number

octokit docs

  • next we going to dive in to the actual policy, in this policy we want to verify a certain user is a reviewer, so after the call im going to point to the "users" array, then use the condition includes ([...users].includes(value)), utilities function by default includes all Lodash functions, you can add custom utilities in the provider level.
    I'm going to use the map utility function to prepare an array of reviewers usernames.
  • final step is the results:
  ____       _ _                      
 |  _ \ ___ | (_) ___ _   _  ___ _ __ 
 | |_) / _ \| | |/ __| | | |/ _ \ '__|
 |  __/ (_) | | | (__| |_| |  __/ |   
 |_|   \___/|_|_|\___|\__, |\___|_|   
Visit us at policyer.org
Event name: pull_request
Valid events: pull_request,push

│      (index)       │ hasError │            check             │ stepsResults │ inspectedValues │  status   │ severity │
│ validate-reviewers │  false   │ 'check if reviewers exists.' │   [ true ]   │   [ [Array] ]   │ 'success' │  'High'  │

Submission Category:

Wacky Wildcards

Action yaml

# Add github action file .github/workflows/policyer.yml
name: Policyer

on: [pull_request]

    runs-on: ubuntu-latest
      - uses: actions/[email protected]
      - name: Policyer GitHub Action
        uses: policyerorg/[email protected]
          verbose: false
          provider: policyer-github
          internal: false
          checks_path: ./checks

Additional Resources / Info

Visit Policyer for more information this is just the beginning

Packages used

  • chalk
  • figlet
  • jmespath
  • lodash
  • moment
  • yaml
  • yargs
  • @actions/core/github