ci/static-checks: install opa

Make open-policy-agent available for static checks as prerequisite for rego checks. Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-07-15 08:02:31 +00:00 · 2025-06-11 12:56:48 +02:00 · 2025-06-11 12:56:48 +02:00 · 71796f7b12
commit 71796f7b12
parent 5baea34fff
3 changed files with 49 additions and 0 deletions
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@ -123,6 +123,10 @@ jobs:
      - name: Install system dependencies
        run: |
          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
+      - name: Install open-policy-agent
+        run: |
+          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          ./tests/install_opa.sh
      - name: Run check
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
--- a/tests/install_opa.sh
+++ b/tests/install_opa.sh
@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -eou pipefail
+
+[[ -n "${DEBUG:-}" ]] && set -o xtrace
+
+test_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+source "${test_dir}/common.bash"
+
+install_opa()
+{
+    local url
+    local version
+    url=$(get_test_version "externals.opa.url")
+    version=$(get_test_version "externals.opa.version")
+
+    if opa version 2>/dev/null | grep -q "${version}"; then
+        info "OPA version ${version} is already installed"
+        return 0
+    fi
+    info "Installing OPA version ${version} from ${url}"
+
+    curl -fsSL "${url}/releases/download/${version}/opa_linux_amd64_static" \
+        -o "/usr/local/bin/opa" \
+        || die "Failed to download OPA binary"
+
+    chmod +x "/usr/local/bin/opa" \
+        || die "Failed to make OPA binary executable"
+
+    command -v opa &>/dev/null \
+        || die "OPA binary not found in PATH after installation"
+
+    info "Successfully installed OPA version ${version}"
+}
+
+install_opa
--- a/versions.yaml
+++ b/versions.yaml
@ -347,6 +347,11 @@ externals:
    url: "https://github.com/containerd/nydus-snapshotter"
    version: "v0.13.14"

+  opa:
+    description: "Open Policy Agent"
+    url: "https://github.com/open-policy-agent/opa"
+    version: "v1.5.1"
+
  ovmf:
    description: "Firmware, implementation of UEFI for virtual machines."
    url: "https://github.com/tianocore/edk2"