ci: update CI workflows and test script

- Simplify find calls and remove extra greps - Update `run_policy_tests.sh` to exit non-0 and print an error on failures (for local use) - Update `actions/checkout` to `v4` - Update setup-regal workflow to v1 (note: keeping lint version at `v0.11.0`, since the latest version seems to have a number of issues with the current config
spacelift-io · Oct 2, 2024 · 06b2ea1 · 06b2ea1
1 parent 4d58d40
commit 06b2ea1
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 11 deletions.
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -12,9 +12,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Regal
-        uses: StyraInc/setup-regal@v0.2.0
+        uses: StyraInc/setup-regal@v1
         with:
           version: v0.11.0
       - run: regal lint --format=github .
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install OPA
         uses: open-policy-agent/setup-opa@v2
@@ -35,18 +35,15 @@ jobs:
       - name: Check syntax
         run: |
           # KLUDGE: plan/check-sanitized-value.rego needs to be ignored because it uses the custom sanitized() function
-          policies=$(find . -type f -regex '.*\.rego$' | grep -v _test.rego | grep -v plan/check-sanitized-value.rego)
-          for policy in $policies; do
-              opa check --strict $policy
-          done
+          find . -name \*.rego ! -regex '.*_test\.rego$' ! -path './plan/check-sanitized-value.rego' -print0 | xargs -0 -n1 opa check --strict
 
   unit-tests:
     name: Unit Tests
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install OPA
         uses: open-policy-agent/setup-opa@v2
@@ -55,7 +52,7 @@ jobs:
 
       - name: Run unit tests
         run: |
-          tests=$(find . -type f -regex '.*_test\.rego$')
+          tests=$(find . -type f -name '*_test\.rego')
           for test in $tests; do
               opa test -v $test ${test/_test.rego/.rego}
           done
diff --git a/run_policy_tests.sh b/run_policy_tests.sh
@@ -1,7 +1,18 @@
 #!/bin/bash
 
-tests=$(find . -type f -regex '.*_test\.rego$')
+STATUS=0
+
+tests=$(find . -type f -name '*_test\.rego')
 for test in $tests; do
-    opa test -v $test ${test/_test.rego/.rego}
+    opa test -v "$test" "${test/_test\.rego/.rego}"
+    ((STATUS=$STATUS + $?))
     echo
 done
+
+# Instead of exiting on first failure as we would with "-e" set, exit at the
+# end with sum of exit codes.
+if [ $STATUS -gt 0 ]; then
+  echo "Failures detected: exiting with status $STATUS" >&2
+fi
+
+exit $STATUS