This directory contains Conftest policies that validate GitHub Actions workflows and composite actions. They are evaluated by the conftest workflow on every push and pull request that touches `.github/`.
- Create a new `.rego` file under `rules/`.
- Use `package main` and add violations to `deny`.
- Include a comment block at the top of the file explaining the rule and how to fix violations.
- Push — the conftest workflow picks up new rules automatically.
Note that workflows and composite actions have different YAML schemas. Workflows define jobs under `jobs.<name>.steps`, while composite actions define steps under `runs.steps`. Rules that inspect steps must handle both.
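As an added example that is not one of the policies shipped in this directory, the rule below follows the conventions above (`package main`, violations in `deny`, explanatory comment block) and collects steps from both schemas before checking them. It flags `uses:` references that are not pinned to a full commit SHA, which is the hardening recommended in the security references below. It assumes a conftest release whose bundled OPA supports `import rego.v1` (OPA 0.59 or later); the `steps`, `pinned` and `local_or_docker` helper names are this example's own.

```rego
# Rule: third-party actions must be pinned to a full 40-character commit SHA
# rather than a mutable tag or branch (e.g. @v4 or @main).
#
# Fix: replace the reference after '@' with the commit SHA of the release
# you want and keep the tag in a trailing comment for readability:
#   uses: actions/checkout@<40-hex-commit-sha>  # v4.1.1
#
# Handles both schemas: workflows (jobs.<name>.steps) and composite
# actions (runs.steps). Local actions (./path) and Docker images
# (docker://...) are out of scope for this check.
package main

import rego.v1

# Every step from a workflow file: iterate over all jobs, then their steps.
# (helper name is this example's own, not part of the repo's policies)
steps contains step if {
	some job in input.jobs
	some step in job.steps
}

# Every step from a composite action file.
steps contains step if {
	some step in input.runs.steps
}

# A reference is pinned when the part after '@' is a 40-char lowercase hex SHA.
pinned(ref) if {
	parts := split(ref, "@")
	count(parts) == 2
	regex.match(`^[0-9a-f]{40}$`, parts[1])
}

local_or_docker(ref) if startswith(ref, "./")

local_or_docker(ref) if startswith(ref, "docker://")

deny contains msg if {
	some step in steps
	ref := step.uses
	not local_or_docker(ref)
	not pinned(ref)
	msg := sprintf("step uses %q: pin third-party actions to a full commit SHA", [ref])
}
```

Because `steps` is a set built from both `input.jobs[*].steps` and `input.runs.steps`, the same `deny` body serves `.github/workflows/*.yml` and `.github/actions/*/action.yml` without duplicating the check; a file that matches neither schema simply contributes no steps and produces no violations.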
```sh
# Install conftest (macOS)
brew install conftest

# Run all policies against workflows and composite actions
conftest test \
  .github/workflows/*.yml \
  .github/actions/*/action.yml \
  --policy .github/conftest/rules
```

- Conftest — policy testing tool for configuration files
- Rego — the policy language used by Conftest and OPA
- Workflow syntax — YAML schema for `.github/workflows/*.yml`
- Composite actions — YAML schema for `action.yml` in composite actions
- Security hardening — GitHub's guide to securing workflows
- Using third-party actions — why pinning to commit SHAs matters