Conftest policies for GitHub Actions

This directory contains Conftest policies that validate GitHub Actions workflows and composite actions. They are evaluated by the conftest workflow on every push and pull request that touches .github/.

Adding a new rule

  1. Create a new .rego file under rules/.
  2. Use package main and emit each violation as a message in the deny set (conftest treats deny and violation rules as failures and warn rules as warnings).
  3. Include a comment block at the top of the file explaining the rule and how to fix violations.
  4. Push — the conftest workflow picks up new rules automatically.

Note that workflows and composite actions have different YAML schemas. Workflows define steps under jobs.<name>.steps, while composite actions define them under runs.steps. Rules that inspect steps must handle both: a rule that only dereferences input.jobs is simply undefined for an action.yml file, so it never fires there and conftest reports the file as passing rather than failing.
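The following is an added example of a rule written the way the steps above describe, not one of the rules in this directory. It uses a hypothetical check (third-party actions must be pinned to a full commit SHA) purely to show the shape: package main, a deny set, a comment block at the top, and step collection that covers both the workflow schema and the composite-action schema. It assumes a conftest build whose OPA supports import rego.v1 (the if/contains keywords); on older versions drop the import and the keywords.

```rego
# Rule: third-party actions must be pinned to a full commit SHA.
#
# Why: a tag such as actions/checkout@v4 can be moved by the action's
# maintainers (or by an attacker with push access), silently changing
# the code that runs in our CI. A 40-character commit SHA cannot move.
#
# How to fix a violation: replace the tag with the commit it resolves to,
# keeping the tag as a trailing comment for readability, e.g.
#   uses: actions/checkout@<40-hex-sha> # v4.1.1
#
# Local actions (./path) and Docker references (docker://...) are exempt
# because they cannot be pinned this way.
package main

import rego.v1

# Workflow schema: steps live under jobs.<name>.steps[]
workflow_steps contains step if {
	step := input.jobs[_].steps[_]
}

# Composite-action schema: steps live under runs.steps[]
action_steps contains step if {
	input.runs.using == "composite"
	step := input.runs.steps[_]
}

# Union of both schemas; rules below only ever look at all_steps.
all_steps contains step if workflow_steps[step]

all_steps contains step if action_steps[step]

# A reference is pinned when everything after '@' is a 40-hex-digit SHA.
pinned(uses) if regex.match(`^[^@]+@[0-9a-f]{40}$`, uses)

# References that cannot be pinned to a SHA and are therefore exempt.
exempt(uses) if startswith(uses, "./")

exempt(uses) if startswith(uses, "docker://")

deny contains msg if {
	some step in all_steps
	uses := step.uses # run-only steps have no 'uses' and are skipped here
	not exempt(uses)
	not pinned(uses)
	msg := sprintf("step uses %q, which is not pinned to a full commit SHA; use owner/repo@<sha> # vX.Y.Z", [uses])
}
```

Because both schemas are folded into all_steps, the same deny rule fires for a workflow under .github/workflows/ and for an action.yml under .github/actions/ when either file is passed to conftest test. If you want to check the rule itself before pushing, conftest verify --policy .github/conftest/rules runs any test_ rules placed in the same package next to it.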

Running locally

# Install conftest (macOS)
brew install conftest

# Run all policies against workflows and composite actions
conftest test \
  .github/workflows/*.yml \
  .github/actions/*/action.yml \
  --policy .github/conftest/rules
