Skip to content

ci: enforce Rego v1 policies with Regal#408

Open
dakshhhhh16 wants to merge 4 commits into
mindersec:mainfrom
dakshhhhh16:ci/regal-rego-v1
Open

ci: enforce Rego v1 policies with Regal#408
dakshhhhh16 wants to merge 4 commits into
mindersec:mainfrom
dakshhhhh16:ci/regal-rego-v1

Conversation

@dakshhhhh16

@dakshhhhh16 dakshhhhh16 commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Part of mindersec/minder#5262
Resolves #409

Summary

Adds a CI guardrail that keeps official rule policies on Rego v1 and prevents formatting regressions.

What changed

  • Added a repository-level Regal configuration for use-rego-v1 and opa-fmt.
  • Added a small extraction utility for Rego policies embedded in rule-type YAML.
  • Check that embedded policies remain idempotent with opa fmt --v0-v1.
  • Run pinned OPA and Regal versions in CI.
  • Lint all 65 official policies across the main, security-baseline, and autofill rule directories.

The Regal job is intentionally limited to the two migration rules, so this PR does not introduce unrelated style cleanup.

Testing

python3 scripts/migrate-rego-v1.py --check .
python3 scripts/extract-rego.py \
  --output /tmp/minder-rego \
  rule-types security-baseline/rule-types autofill-insights/rule-types
find /tmp/minder-rego -name '*.rego' -exec opa fmt --write {} +
go run github.com/open-policy-agent/regal@v0.41.1 lint \
  --disable-all \
  --enable use-rego-v1 \
  --enable opa-fmt \
  --config-file .regal/config.yaml \
  /tmp/minder-rego
go test ./...

@dakshhhhh16 dakshhhhh16 marked this pull request as ready for review June 28, 2026 15:33
@dakshhhhh16 dakshhhhh16 requested a review from a team as a code owner June 28, 2026 15:33
Copilot AI review requested due to automatic review settings June 28, 2026 15:33

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds CI enforcement to keep all embedded Rego policies compliant with Rego v1 and prevent formatting drift by extracting YAML-embedded policies, normalizing them with OPA, and linting them with Regal.

Changes:

  • Added scripts/extract-rego.py to extract embedded Rego def: | blocks into standalone .rego files.
  • Added .regal/config.yaml to enforce Regal rules (use-rego-v1, opa-fmt) with pinned OPA capabilities.
  • Extended .github/workflows/lint.yaml to install OPA, check embedded formatting, extract/normalize policies, and lint with Regal.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
scripts/extract-rego.py New utility to extract embedded Rego blocks from YAML into standalone .rego files for linting/format checks.
.regal/config.yaml Regal configuration enabling use-rego-v1 and opa-fmt, plus OPA capabilities pinning.
.github/workflows/lint.yaml CI job additions to install OPA, validate embedded formatting, extract/normalize policies, and run Regal lint.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/extract-rego.py
Comment on lines +73 to +75
def output_name(path: pathlib.Path, policy_index: int) -> str:
normalized = "__".join(path.parts)
return f"{normalized}.{policy_index}.rego"
Comment thread .regal/config.yaml

@evankanderson evankanderson left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may want to take a look at mindersec/minder#6558; that PR would allow us to move all the rego files to be .rego with comments for the rest of the RuleType definition, rather than embedded rego inside YAML.

@dakshhhhh16

Copy link
Copy Markdown
Contributor Author

You may want to take a look at mindersec/minder#6558; that PR would allow us to move all the rego files to be .rego with comments for the rest of the RuleType definition, rather than embedded rego inside YAML.

Thanks for pointing me to mindersec/minder#6558. It looks like that approach could remove the need to extract Rego from YAML before linting. Would you prefer that I wait for mindersec/minder#6558 and update this PR to lint the .rego files directly, or keep the current approach as a temporary check for the existing YAML format?

Comment thread scripts/extract-rego.py

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels like you're extracting a single (well-known) YAML field from a document here -- this should almost certainly use pyyaml rather than string processing. (Or you could use yq and some shell, but I'm okay with using Python)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I personally like python more, can change it if it's necessary.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy to keep using python, but I'd like to use the yaml library for parsing, rather than ad-hoc parsing with regular expressions and python code.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will keep this in mind

@evankanderson evankanderson left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine to merge this now, when the rego change merges we can hopefully simplify a lot of this. (And seeing this pile higher motivated me to go in and try to fix things at the root.)

Comment thread scripts/extract-rego.py

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy to keep using python, but I'd like to use the yaml library for parsing, rather than ad-hoc parsing with regular expressions and python code.

@dakshhhhh16 dakshhhhh16 requested a review from evankanderson July 1, 2026 22:11
@dakshhhhh16

Copy link
Copy Markdown
Contributor Author

@evankanderson
Can you pls merge this one so that i can proceed forward?

@evankanderson evankanderson left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should use the standard YAML module for the extraction. (It's fine to use python rather than e.g. yq .def.eval.rego.def $filename), but let's not roll our own extraction code when the library handles that case just fine.)

Comment thread scripts/extract-rego.py Outdated
Comment on lines +52 to +70
lines = path.read_text().splitlines(True)
policies: list[str] = []
index = 0

while index < len(lines):
match = DEF_BLOCK_RE.match(lines[index])
if not match:
index += 1
continue

source, index = extract_block(
lines,
index + 1,
len(match.group("indent")),
)
if source.lstrip().startswith("package "):
policies.append(source)

return policies

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you use PyYAML, this is:

Suggested change
lines = path.read_text().splitlines(True)
policies: list[str] = []
index = 0
while index < len(lines):
match = DEF_BLOCK_RE.match(lines[index])
if not match:
index += 1
continue
source, index = extract_block(
lines,
index + 1,
len(match.group("indent")),
)
if source.lstrip().startswith("package "):
policies.append(source)
return policies
contents = yaml.load(path.read_text())
rego = contents.get('def', {}).get('eval', {}),.get('rego', {}).get('def', "")
if rego != "":
return [rego]
return []

And you don't need extract_block, etc.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, it now reads def.eval.rego.def with safe_load, and the old extraction helpers are removed.

@dakshhhhh16

Copy link
Copy Markdown
Contributor Author

Apologies for a late revert, I was a bit busy from the past few days, I have made the changes, you can have a look now!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Enforce Rego V1 policies with Regal in CI

3 participants