Minder rule test format experiment -- Starlark
# Minder Rule Test — Starlark Format
# Rule: branch_protection_allow_force_pushes (REST + jq)
# Demonstrates: inline mock bodies, no wrapper needed for simple rules
# Repository and branch that every test in this file evaluates the rule against.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)

# Mock key for the branch-protection REST call. It is rendered from
# DEFAULT_ENTITY so the mocked path cannot drift from the entity under test.
PROTECTION_ENDPOINT = "GET /repos/{owner}/{repo}/branches/{branch}/protection".format(**DEFAULT_ENTITY)
# ── Wrapper function ───────────────────────────────────────────────────────
def branch_protection_rule(force_pushes_enabled, status=200):
    """Evaluate branch_protection_allow_force_pushes against one mocked REST reply.

    Args:
      force_pushes_enabled: value placed in allow_force_pushes.enabled of the
        mocked protection payload.
      status: HTTP status of the mocked reply. 404 swaps the payload for the
        "Not Protected" error body; any other status keeps the payload.

    Returns:
      Whatever run_rule returns for the rule, DEFAULT_ENTITY and the mock.
    """
    if status == 404:
        # The 404 body carries no allow_force_pushes field at all.
        payload = {"http_status": 404, "message": "Not Protected"}
    else:
        payload = {"allow_force_pushes": {"enabled": force_pushes_enabled}}

    reply = {"status": status, "body": payload}
    return run_rule(
        rule = "branch_protection_allow_force_pushes",
        entity = DEFAULT_ENTITY,
        mocks = {PROTECTION_ENDPOINT: reply},
    )
# ── Tests ──────────────────────────────────────────────────────────────────
def test_force_pushes_disabled():
    """Protection payload reports force pushes disabled: the rule passes."""
    check.eq(branch_protection_rule(force_pushes_enabled = False).status, "pass")
def test_force_pushes_enabled():
    """Protection payload reports force pushes enabled: the rule fails."""
    check.eq(branch_protection_rule(force_pushes_enabled = True).status, "fail")
def test_branch_not_protected():
    """A 404 "Not Protected" reply is expected to surface as status "error"."""
    # NOTE(review): a branch with no protection does not block force pushes.
    # Confirm "error" (rather than "fail") is the intended outcome, so an
    # unprotected branch is not triaged as a transient evaluation problem.
    outcome = branch_protection_rule(status = 404, force_pushes_enabled = False)
    check.eq(outcome.status, "error")
# Minder Rule Test — Starlark Format Experiment
# Rule: actions_check_pinned_tags (git ingest + Rego)
#
# Builtins exposed by the test runner:
#   run_rule(rule, entity, mocks?, files?) → EvalResult
#   load(path) → string (sandboxed to test directory)
#   txtar(string) → dict (pure parser, filename→content)
#   check.eq / check.contains / check.ne
#   test(name, rule, ..., expect=) → integrates with Go testing.T
# Repository and branch that every test in this file evaluates the rule against.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)

# The two kinds of action ref the rule has to tell apart. A full-length commit
# SHA names one immutable commit; a tag such as "v4" can later be moved to a
# different commit by whoever controls the action's repository.
PINNED_SHA = "b4ffde65f46336ab88eb53be808477a3936bae11"
FLOATING_TAG = "v4"
# ── Wrapper function replaces [defaults] block ────────────────────────────
# Default args carry shared setup. Tests only specify what varies.
# files=None means empty repo (no workflow files).
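def workflow_rule(ref, files="check_pinned.txtar", entity=DEFAULT_ENTITY):
    """Run actions_check_pinned_tags on workflow fixtures with {ref} filled in.

    Args:
      ref: action ref substituted for the literal "{ref}" placeholder in every
        fixture file (a commit SHA or a tag in the tests of this file).
      files: txtar archive read through load(), which the header of this file
        describes as sandboxed to the test directory; None means a repository
        with no workflow files.
      entity: entity handed to run_rule.

    Returns:
      Whatever run_rule returns for the rule, the entity and the rendered files.
    """
    # NOTE(review): `load` is a statement keyword in Starlark; confirm the
    # runner's parser accepts load(...) in expression position.
    fs = {}
    if files != None:
        # Plain replacement instead of str.format: workflow files routinely
        # contain "${{ ... }}" expressions, which format() would rewrite to
        # "${ ... }" (and it rejects a lone brace), so the rule would be judged
        # on content that differs from the fixture on disk.
        fs = {
            name: content.replace("{ref}", str(ref))
            for name, content in txtar(load(files)).items()
        }
    return run_rule(
        rule = "actions_check_pinned_tags",
        entity = entity,
        files = fs,
    )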
# ── APPROACH A: test_* function discovery ────────────────────────────────
# Runner finds all no-arg functions named test_* and calls them.
# Function name becomes the test identifier in output.
# Note: assert is a reserved keyword in Starlark with no defined behavior.
# Use check.* module instead.
def test_workflow_pinned():
    """A workflow whose action ref is the full commit SHA passes the rule."""
    outcome = workflow_rule(PINNED_SHA)
    check.eq(outcome.status, "pass")
def test_workflow_floating_tag():
    """A floating tag ref fails with exactly one violation mentioning "unpinned"."""
    outcome = workflow_rule(FLOATING_TAG)
    check.eq(outcome.status, "fail")

    # The fixture holds a single `uses:` step, so one violation is expected.
    found = outcome.violations
    check.eq(len(found), 1)
    check.contains(found[0].msg, "unpinned")
def test_no_workflows():
    """With no workflow files at all (files=None) the rule passes."""
    outcome = workflow_rule(PINNED_SHA, files = None)
    check.eq(outcome.status, "pass")
# ── APPROACH B: test() builtin ───────────────────────────────────────────
# Explicit name as first argument.
# test() stores result in Go's testing.T — no check.* needed.
# Closer to Go's t.Run("name", func() {...}) pattern.
# Uncomment to compare with Approach A above.
# pinned_fs = {k: v.format(ref=PINNED_SHA) for k, v in txtar(load("check_pinned.txtar")).items()}
# floating_fs = {k: v.format(ref=FLOATING_TAG) for k, v in txtar(load("check_pinned.txtar")).items()}
#
# test("workflow pinned to SHA", "actions_check_pinned_tags",
#     files = pinned_fs,
#     entity = DEFAULT_ENTITY,
#     expect = "pass")
#
# test("workflow uses floating tag", "actions_check_pinned_tags",
#     files = floating_fs,
#     entity = DEFAULT_ENTITY,
#     expect = "fail")
#
# test("no workflow files", "actions_check_pinned_tags",
#     files = {},
#     entity = DEFAULT_ENTITY,
#     expect = "pass")
-- .github/workflows/ci.yml --
# Defanged workflow — {ref} is substituted by the test.
# "{ref}" is a fixture placeholder, not GitHub Actions syntax: this file is
# only a valid workflow after the test has replaced it with the ref under
# test (a full commit SHA or a floating tag).
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # The only `uses:` step, so a failing run reports at most this one ref.
      - uses: actions/checkout@{ref}
# Minder Rule Test — Starlark Format
# Rule: osps-ac-03-01 (REST + Rego + datasource)
# Demonstrates: multi-source mocking — REST + datasource in same mocks dict
# Repository and branch that every test in this file evaluates the rule against.
DEFAULT_ENTITY = dict(
    owner = "acme-corp",
    repo = "widgets",
    branch = "main",
)

# Mock key for the classic branch-protection REST call, rendered from
# DEFAULT_ENTITY so the mocked path cannot drift from the entity under test.
REST_ENDPOINT = "GET /repos/{owner}/{repo}/branches/{branch}/protection".format(**DEFAULT_ENTITY)

# Mock key for the datasource lookup; the "datasource:" prefix sets it apart
# from the REST keys in the same mocks dict.
DATASOURCE_ENDPOINT = "datasource:baselineghapi/branch_protection_status"
def osps_rule(rest_status, rest_body, ruleset_type):
    """Evaluate osps-ac-03-01 with its REST and datasource inputs both mocked.

    Args:
      rest_status: HTTP status of the mocked branch-protection REST reply.
      rest_body: body of the mocked branch-protection REST reply.
      ruleset_type: "type" of the single entry in the mocked applied_rulesets.

    Returns:
      Whatever run_rule returns for the rule, DEFAULT_ENTITY and the two mocks.
    """
    # NOTE(review): no test in this file passes a rest_body with
    # allow_force_pushes.enabled = True; consider adding one so a rule that
    # ignores the flag is caught.
    classic_reply = {"status": rest_status, "body": rest_body}

    # Datasource mock — test runner applies {"body":...,"status":200} wrapper,
    # so no "status" key is given here.
    ruleset_reply = {"body": {"applied_rulesets": [{"type": ruleset_type}]}}

    return run_rule(
        rule = "osps-ac-03-01",
        entity = DEFAULT_ENTITY,
        mocks = {
            REST_ENDPOINT: classic_reply,
            DATASOURCE_ENDPOINT: ruleset_reply,
        },
    )
def test_classic_protection_blocks():
    """Classic protection with force pushes disabled passes with ruleset type "other"."""
    classic_body = {"allow_force_pushes": {"enabled": False}}
    outcome = osps_rule(
        rest_status = 200,
        rest_body = classic_body,
        ruleset_type = "other",
    )
    check.eq(outcome.status, "pass")
def test_ruleset_blocks_no_classic():
    """No classic protection (404) still passes when a non_fast_forward ruleset applies."""
    not_protected = {"http_status": 404, "message": "Not Protected"}
    outcome = osps_rule(
        rest_status = 404,
        rest_body = not_protected,
        ruleset_type = "non_fast_forward",
    )
    check.eq(outcome.status, "pass")
def test_no_protections():
    """Neither classic protection (404) nor a non_fast_forward ruleset: the rule fails."""
    not_protected = {"http_status": 404, "message": "Not Protected"}
    outcome = osps_rule(
        rest_status = 404,
        rest_body = not_protected,
        ruleset_type = "other",
    )
    check.eq(outcome.status, "fail")