From e8a013834e7e1e1de5c7c886863218446a492498 Mon Sep 17 00:00:00 2001
From: Gareth Healy
Date: Fri, 11 Oct 2024 18:50:30 +0100
Subject: [PATCH] added schema checking to opa check

---
 .github/workflows/regal-lint.yaml | 16 +++++++++++++++-
 .pre-commit-config.yaml | 2 +-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/regal-lint.yaml b/.github/workflows/regal-lint.yaml
index 4305a73..80fb249 100644
--- a/.github/workflows/regal-lint.yaml
+++ b/.github/workflows/regal-lint.yaml
@@ -13,6 +13,8 @@ jobs:
 OPA_VERSION: v0.69.0
 # renovate: datasource=github-releases depName=StyraInc/regal
 REGAL_VERSION: v0.27.0
+ # renovate: datasource=github-releases depName=garethahealy/openshift-json-schema
+ OCP_SCHEMA_VERSION: 4.16.0
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -32,8 +34,20 @@ jobs:
 with:
 version: ${{ env.REGAL_VERSION }}
 
+ - name: Clone schemas
+ run: |
+ if [[ ! -d "_test/schema-generation/openshift-json-schema" ]]; then
+ mkdir -p _test/schema-generation/openshift-json-schema
+ rm -rf /tmp/openshift-json-schema
+
+ # Download openshift-json-schema dynamically so it doesnt need to be added into source
+ git clone https://github.com/garethahealy/openshift-json-schema.git /tmp/openshift-json-schema --depth 1
+
+ mv /tmp/openshift-json-schema/v${OCP_SCHEMA_VERSION}/schemas/* _test/schema-generation/openshift-json-schema
+ fi
+
 - name: Run OPA Check
- run: opa check policy --strict
+ run: opa check policy --strict --schema _test/schema-generation/openshift-json-schema
 
 - name: Run Regal lint
 run: regal lint --format github policy
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index dfac168..e297962 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
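Review bot: The `git clone` in the new Clone schemas step fetches the default-branch HEAD of garethahealy/openshift-json-schema with no ref pinned, so `OCP_SCHEMA_VERSION` only picks a subdirectory after the fact and two runs of the same workflow can validate against different schema files; since this workflow already pins its actions to commit SHAs, the clone should be pinned the same way, e.g. `git clone --depth 1 --branch "v${OCP_SCHEMA_VERSION}" https://github.com/garethahealy/openshift-json-schema.git /tmp/openshift-json-schema` if the release tags carry that name, or a `git -C /tmp/openshift-json-schema checkout <pinned-commit>` after the clone. The `if [[ ! -d ... ]]` guard also skips the whole fetch whenever the directory already exists, so a stale copy from an earlier OCP_SCHEMA_VERSION is reused silently; testing for a version marker file written after the `mv` rather than the bare directory would tie the cache to the version. The `mv` line should also quote the expansion, `mv "/tmp/openshift-json-schema/v${OCP_SCHEMA_VERSION}/schemas/"* _test/schema-generation/openshift-json-schema`, so an empty or unexpected value cannot widen the glob.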
@@ -5,7 +5,7 @@ repos:
 name: OPA check
 description: Check syntax of staged Rego files
 entry: opa check
- args: [ 'policy', '--strict' ]
+ args: [ 'policy', '--strict', '--schema _test/schema-generation/openshift-json-schema' ]
 pass_filenames: false
 language: system
 - id: opa-fmt
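Review bot: The new entry `'--schema _test/schema-generation/openshift-json-schema'` is one list element, so pre-commit passes opa a single argv item containing a space rather than a flag followed by its value, and opa's flag parser will most likely reject it as an unknown flag. Split it into two elements, `args: [ 'policy', '--strict', '--schema', '_test/schema-generation/openshift-json-schema' ]`, or use the `--schema=_test/schema-generation/openshift-json-schema` form. Note also that this path is populated only by the workflow's Clone schemas step, so on a developer machine the hook will fail until the schemas have been fetched locally; a comment on the hook pointing at that step, or a matching local fetch, would save contributors a confusing failure.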