Make it easier to pull in OPA in Github Actions #3014

Closed
anderseknert opened this issue Dec 16, 2020 · 15 comments

@anderseknert
Member

Expected Behavior

In order to use OPA in a GitHub Actions workflow, I'd like to be able to do something like this:

- uses: openpolicyagent/setup-opa@v1
  with:
    opa-version: '^0.25.2'

# ...subsequent tasks using OPA here

with niceties like caching etc. provided by the action.

("inspired" by the setup-go action)

Actual Behavior

Everyone having to manually download OPA, keep track of versions, handle caching, etc. themselves.

@tsandall
Member

I'm not familiar with implementing actions. Would this be another artifact we have to publish with each release, or can it be decoupled from the OPA release cycle? Obviously it would be nice not to have to build and publish another artifact.

@srenatus
Contributor

Here are the sources for the setup-go action: https://github.com/actions/setup-go/blob/main/src/installer.ts -- tl;dr: the version to be installed will be input to the script, there's no extra artifact to provide when releasing, as long as we keep the structures intact (https://github.com/open-policy-agent/releases/v${ver}/tarball/yadda/yadda).

@srenatus
Contributor

srenatus commented Jan 8, 2021

One thing -- I can imagine finding this useful, but having some actual feedback from the community would be great. Perhaps we can post this issue in Slack to gauge interest? 🤔

@anderseknert
Member Author

That OPA itself is useful as part of CI/CD pipelines is pretty much implied in this context, no? 😄

All this would do is to remove some of the current ceremony around that. IMO, we don't really need to look outside our own repositories to see how this is useful, but if we do I have at least 5-6 personal repos where this would be desirable too.

@srenatus
Contributor

srenatus commented Jan 8, 2021

😄 You're quite right. Let's do this. 🚀

@srenatus
Contributor

srenatus commented Sep 14, 2021

I've learnt recently that you don't need to use JS for actions; you can create "composite actions" that are basically shell script steps. This should make this a low-hanging fruit, shouldn't it? 🤔 Well, to support fancier "version matching", as outlined above, we might need more than just bash, though.

@anderseknert
Member Author

My understanding of composite actions is basically that they allow you to extract a common task, and reuse that across other tasks and files. I'm not sure whether they can be "exported" to the GitHub Marketplace.

@srenatus
Contributor

I could be wrong, but from the docs, https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace, it seems like "javascript actions" and "composite actions" were equals. That said, any more complicated feature will likely require JS (or TS) anyways.

@hongbo-miao
Contributor

hongbo-miao commented Sep 15, 2021

Just add more info in case it helps design this one. 😃

For me, I am currently using like

  opa-test:
    name: OPA - Test
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Download OPA Binary
        run: |
          curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
          chmod 755 ./opa
      - name: Test
        run: |
          ./opa test policies/*.rego -v

There is a third-party GitHub Action using a shell script without JavaScript, which is basically doing the same thing underneath: https://github.com/petroprotsakh/opa-test-action
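
An added example, not code from this thread or from any published setup-opa action: how a JavaScript action could resolve the `opa-version: '^0.25.2'` range requested at the top of the issue to one exact release, and check the downloaded binary against a pinned SHA-256 rather than fetching `latest` unverified as in the workflow above. The function names, the release list and the `v<version>` URL form are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch]; null for anything else
// (pre-releases and floating tags such as "latest" are deliberately rejected).
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret upper bound: bump the left-most non-zero component.
// ^0.25.2 -> <0.26.0, ^1.4.0 -> <2.0.0, ^0.0.3 -> <0.0.4
function caretUpper([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Return the highest available version satisfying `range` (exact or ^x.y.z).
function resolveVersion(range, available) {
  const caret = range.startsWith("^");
  const low = parse(caret ? range.slice(1) : range);
  if (!low) throw new Error(`unsupported version spec: ${range}`);
  const high = caret ? caretUpper(low) : null;
  const hits = available.map(parse).filter(Boolean).filter((v) =>
    caret ? compare(v, low) >= 0 && compare(v, high) < 0 : compare(v, low) === 0);
  if (hits.length === 0) throw new Error(`no release satisfies ${range}`);
  return hits.sort(compare).pop().join(".");
}

// Pinned URL following the page's download pattern (assumption: "latest" -> "v<version>").
function downloadUrl(version) {
  return `https://openpolicyagent.org/downloads/v${version}/opa_linux_amd64`;
}

// Constant-time comparison of the binary's SHA-256 with the pinned hex digest.
function verifySha256(bytes, expectedHex) {
  const actual = crypto.createHash("sha256").update(bytes).digest();
  const expected = Buffer.from(expectedHex, "hex");
  return expected.length === actual.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed release list for the example, not fetched from the real project.
const RELEASES = ["0.24.0", "0.25.2", "0.25.9", "0.26.0", "1.0.0"];
```

Because OPA is still on a `0.x` major in this thread, the caret range only floats across patch releases; logging the resolved version in the job output keeps the build reproducible after the fact.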

@ribbybibby

For even greater brevity, you can use the openpolicyagent/opa docker image directly:

  opa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: docker://openpolicyagent/opa
        with:
          args: "test --ignore=*.yaml --ignore=*.json -v policies"

@tim775
Member

tim775 commented Dec 13, 2021

@tsandall I was writing an example on how to set up cost policies with OPA and I needed the setup-opa action, so I wrote it: infracost/setup-opa. I’d be happy to transfer it to you if you want to keep it under the open-policy-agent org. Let me know either way, I don’t want to scoop you on the marketplace name if you already have something in the works.

@tsandall
Member

@tim775 this looks great! I think it would be nice to host this under the OPA organization on GitHub so that people have an easier time finding it. If we transfer it to the OPA organization, would you be interested in continuing to maintain it? I'm guessing the support is quite minimal but things always come up from time to time.

@tim775
Member

tim775 commented Dec 14, 2021

> If we transfer it to the OPA organization, would you be interested in continuing to maintain it?

Of course.

According to the GitHub docs it looks like we transfer it directly to you, then you can transfer it into the org.

@alikhajeh1 could you please transfer infracost/setup-opa to @tsandall

@alikhajeh1
Contributor

alikhajeh1 commented Dec 14, 2021

I tried transferring infracost/setup-opa to tsandall and open-policy-agent but both showed error messages, e.g. "You can only transfer a repository from an organization to yourself at this time".

@tsandall I added you as admin to https://github.com/infracost/setup-opa, can you please try the transfer to see if it works for you? (given your access to the open-policy-agent GH org)

@srenatus
Contributor

🥳
