Minder rule test format experiment -- Starlark
# Minder Rule Test — Starlark Format
# Rule: branch_protection_allow_force_pushes (REST + jq)
# Demonstrates: inline mock bodies, no wrapper needed for simple rules
# Repository coordinates the rule is evaluated against. Module globals are
# shared by every test in this file, so this is the single place to change them.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)
# Mock key for the branch-protection REST call. It is spelled out for the
# DEFAULT_ENTITY coordinates above; a test that passes a different entity would
# presumably leave that request unmocked — verify against the runner.
PROTECTION_ENDPOINT = "GET /repos/acme-corp/widgets/branches/main/protection"
# ── Wrapper function ───────────────────────────────────────────────────────
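def branch_protection_rule(force_pushes_enabled, status=200, entity=DEFAULT_ENTITY):
    """Run branch_protection_allow_force_pushes against a mocked protection endpoint.

    Args:
        force_pushes_enabled: value placed in the mocked ``allow_force_pushes.enabled``
            field. Ignored when ``status`` is 404, because the 404 body carries no
            protection data.
        status: HTTP status the mocked endpoint returns. 404 swaps the body for the
            "Not Protected" payload; every other status keeps the protection body,
            so a 403 or 500 paired with protection data is a synthetic shape the
            real API would not produce — only use it deliberately.
        entity: owner/repo/branch coordinates the rule is evaluated for. The REST
            mock key is derived from it so the mock always matches the entity;
            a mapping missing one of those keys fails in the format call.

    Returns:
        The EvalResult produced by run_rule.
    """
    if status == 404:
        body = {"http_status": 404, "message": "Not Protected"}
    else:
        body = {"allow_force_pushes": {"enabled": force_pushes_enabled}}
    # Derive the mock key from the entity instead of a fixed string, so a caller
    # passing a different entity is not silently left with an unmatched mock.
    endpoint = "GET /repos/{owner}/{repo}/branches/{branch}/protection".format(**entity)
    return run_rule(
        rule = "branch_protection_allow_force_pushes",
        entity = entity,
        mocks = {
            endpoint: {"status": status, "body": body},
        },
    )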
# ── Tests ──────────────────────────────────────────────────────────────────
def test_force_pushes_disabled():
    """Protection that blocks force pushes satisfies the rule."""
    check.eq(branch_protection_rule(force_pushes_enabled = False).status, "pass")
def test_force_pushes_enabled():
    """Protection that permits force pushes is reported as a failure."""
    check.eq(branch_protection_rule(force_pushes_enabled = True).status, "fail")
def test_branch_not_protected():
    """A 404 from the protection endpoint is an evaluation error, not a pass."""
    # force_pushes_enabled is irrelevant here: the 404 body has no protection data.
    outcome = branch_protection_rule(force_pushes_enabled = False, status = 404)
    check.eq(outcome.status, "error")
# Minder Rule Test — Starlark Format Experiment
# Rule: actions_check_pinned_tags (git ingest + Rego)
#
# Builtins exposed by the test runner:
# run_rule(rule, entity, mocks?, files?) → EvalResult
# load(path) → string (sandboxed to test directory)
# txtar(string) → dict (pure parser, filename→content)
# check.eq / check.contains / check.ne
# test(name, rule, ..., expect=) → integrates with Go testing.T
# Repository coordinates shared by every test in this file.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)
# A full 40-hex-digit commit SHA: the form the rule is expected to accept.
PINNED_SHA = "b4ffde65f46336ab88eb53be808477a3936bae11"
# A mutable tag reference: the form the rule is expected to reject.
FLOATING_TAG = "v4"
# ── Wrapper function replaces [defaults] block ────────────────────────────
# Default args carry shared setup. Tests only specify what varies.
# files=None means empty repo (no workflow files).
def workflow_rule(ref, files="check_pinned.txtar", entity=DEFAULT_ENTITY):
    """Evaluate actions_check_pinned_tags against a workflow fixture rendered with ``ref``.

    Args:
        ref: value substituted for every ``{ref}`` placeholder in the fixture,
            e.g. a full commit SHA or a floating tag such as "v4".
        files: txtar archive (read through the runner's sandboxed load) holding
            the workflow files; None evaluates the rule against an empty file set.
        entity: repository coordinates passed through to run_rule.

    Returns:
        The EvalResult from run_rule.
    """
    # Rendering uses str.format, so "{{" / "}}" collapse to single braces and any
    # other stray brace raises. A fixture containing a GitHub "${{ ... }}"
    # expression is therefore not reproduced verbatim — keep fixtures to {ref}.
    # NOTE(review): `load` is a reserved keyword in the Starlark spec; whether the
    # runner's load(path) builtin can be called as an expression depends on the
    # dialect options it enables — confirm before adopting this format.
    archive = txtar(load(files)) if files != None else {}
    rendered = {name: content.format(ref = ref) for name, content in archive.items()}
    return run_rule(
        rule = "actions_check_pinned_tags",
        entity = entity,
        files = rendered,
    )
# ── APPROACH A: test_* function discovery ────────────────────────────────
# Runner finds all no-arg functions named test_* and calls them.
# Function name becomes the test identifier in output.
# Note: assert is a reserved keyword in Starlark with no defined behavior.
# Use check.* module instead.
def test_workflow_pinned():
    """A workflow pinned to a full commit SHA passes."""
    outcome = workflow_rule(PINNED_SHA)
    check.eq(outcome.status, "pass")
def test_workflow_floating_tag():
    """A floating tag fails with exactly one violation whose message names it as unpinned."""
    outcome = workflow_rule(FLOATING_TAG)
    check.eq(outcome.status, "fail")
    violations = outcome.violations
    check.eq(len(violations), 1)
    check.contains(violations[0].msg, "unpinned")
def test_no_workflows():
    """A repository with no workflow files has nothing to flag and passes."""
    outcome = workflow_rule(PINNED_SHA, files = None)
    check.eq(outcome.status, "pass")
# ── APPROACH B: test() builtin ───────────────────────────────────────────
# Explicit name as first argument.
# test() stores result in Go's testing.T — no check.* needed.
# Closer to Go's t.Run("name", func() {...}) pattern.
# Uncomment to compare with Approach A above.
# pinned_fs = {k: v.format(ref=PINNED_SHA) for k, v in txtar(load("check_pinned.txtar")).items()}
# floating_fs = {k: v.format(ref=FLOATING_TAG) for k, v in txtar(load("check_pinned.txtar")).items()}
#
# test("workflow pinned to SHA", "actions_check_pinned_tags",
# files = pinned_fs,
# entity = DEFAULT_ENTITY,
# expect = "pass")
#
# test("workflow uses floating tag", "actions_check_pinned_tags",
# files = floating_fs,
# entity = DEFAULT_ENTITY,
# expect = "fail")
#
# test("no workflow files", "actions_check_pinned_tags",
# files = {},
# entity = DEFAULT_ENTITY,
# expect = "pass")
-- .github/workflows/ci.yml --
# Defanged workflow — {ref} is substituted by the test
# The test renders this file with str.format, so {ref} must stay the only
# placeholder and any literal brace added here would have to be doubled.
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{ref}
# Minder Rule Test — Starlark Format
# Rule: osps-ac-03-01 (REST + Rego + datasource)
# Demonstrates: multi-source mocking — REST + datasource in same mocks dict
# Repository coordinates shared by every test in this file.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)
# Mock key for the classic branch-protection REST call, spelled out for the
# DEFAULT_ENTITY coordinates above.
REST_ENDPOINT = "GET /repos/acme-corp/widgets/branches/main/protection"
# Mock key for the datasource the rule consults for ruleset-based protection.
DATASOURCE_ENDPOINT = "datasource:baselineghapi/branch_protection_status"
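def osps_rule(rest_status, rest_body, ruleset_type, entity=DEFAULT_ENTITY):
    """Run osps-ac-03-01 with both its REST and datasource inputs mocked.

    Args:
        rest_status: HTTP status returned by the mocked classic-protection endpoint.
        rest_body: body returned by that endpoint, passed through unchanged.
        ruleset_type: ``type`` of the single applied ruleset the datasource reports;
            the datasource mock always lists exactly one ruleset.
        entity: owner/repo/branch coordinates the rule is evaluated for. The REST
            mock key is derived from it so the mock always matches the entity; a
            mapping missing one of those keys fails in the format call.

    Returns:
        The EvalResult produced by run_rule.
    """
    # Derive the REST mock key from the entity rather than using a fixed string,
    # so a caller passing a different entity is not left with an unmatched mock.
    rest_endpoint = "GET /repos/{owner}/{repo}/branches/{branch}/protection".format(**entity)
    return run_rule(
        rule = "osps-ac-03-01",
        entity = entity,
        mocks = {
            rest_endpoint: {
                "status": rest_status,
                "body": rest_body,
            },
            # Datasource mock — test runner applies {"body":...,"status":200} wrapper
            DATASOURCE_ENDPOINT: {
                "body": {"applied_rulesets": [{"type": ruleset_type}]},
            },
        },
    )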
def test_classic_protection_blocks():
    """Classic protection that blocks force pushes passes even with no relevant ruleset."""
    protection_body = {"allow_force_pushes": {"enabled": False}}
    outcome = osps_rule(
        rest_status = 200,
        rest_body = protection_body,
        ruleset_type = "other",
    )
    check.eq(outcome.status, "pass")
def test_ruleset_blocks_no_classic():
    """A non_fast_forward ruleset satisfies the rule when classic protection is absent."""
    unprotected_body = {"http_status": 404, "message": "Not Protected"}
    outcome = osps_rule(
        rest_status = 404,
        rest_body = unprotected_body,
        ruleset_type = "non_fast_forward",
    )
    check.eq(outcome.status, "pass")
def test_no_protections():
    """Neither classic protection nor a relevant ruleset: the rule fails."""
    unprotected_body = {"http_status": 404, "message": "Not Protected"}
    outcome = osps_rule(
        rest_status = 404,
        rest_body = unprotected_body,
        ruleset_type = "other",
    )
    check.eq(outcome.status, "fail")