From 107e7dfdf6c456061aa227f2e6d328207ac4cbb5 Mon Sep 17 00:00:00 2001
From: Paul Meyer <katexochen0@gmail.com>
Date: Wed, 11 Jun 2025 12:58:01 +0200
Subject: [PATCH] ci/static-checks: install regorus

Make regorus available for static checks as prerequisite for rego checks.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
---
 .github/workflows/static-checks.yaml |  3 ++
 tests/install_regorus.sh             | 49 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100755 tests/install_regorus.sh

diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index 9488b13e13..f0af12b47b 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -127,6 +127,9 @@ jobs:
         run: |
           cd "${GOPATH}/src/github.com/${{ github.repository }}"
           ./tests/install_opa.sh
+      - name: Install regorus
+        run: |
+          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
       - name: Run check
         run: |
           export PATH="${PATH}:${GOPATH}/bin"
diff --git a/tests/install_regorus.sh b/tests/install_regorus.sh
new file mode 100755
index 0000000000..d47e72fb65
--- /dev/null
+++ b/tests/install_regorus.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[[ -n "${DEBUG}" ]] && set -o xtrace
+
+test_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+source "${test_dir}/common.bash"
+
+install_regorus()
+{
+    command -v cargo &>/dev/null \
+        || die "cargo is not installed. Please install rust toolchain to install regorus."
+    command -v git &>/dev/null \
+        || die "git is not installed. Please install git."
+
+    if regorus --version 2>/dev/null | grep -q "${version}"; then
+        info "regorus version ${version} is already installed"
+        return 0
+    fi
+
+    # Get the regorus version from Cargo.toml of the agent policy crate instad of versions.yaml
+    # so we test the version we are actually using.
+    local cargo_toml="${test_dir}/../src/agent/policy/Cargo.toml"
+    [[ -f "${cargo_toml}" ]] \
+        || die "Cargo.toml not found at ${cargo_toml}"
+
+    version=$(
+        cargo tree -i regorus --edges normal --prefix none --manifest-path "${cargo_toml}" |
+            head -n1 |
+            cut -d' ' -f2 |
+            sed 's/v//'
+    ) || die "Failed to get regorus version from cargo.toml"
+
+    info "Installing regorus version ${version}"
+
+    cargo install regorus --version "${version}" --example regorus \
+        || die "Failed to cargo install regorus"
+
+    if ! echo "$PATH" | grep -q "${HOME}/.cargo/bin"; then
+        export PATH="${PATH}:${HOME}/.cargo/bin"
+    fi
+
+    info "Successfully installed regorus version ${version}"
+}
+
+install_regorus