Merge branch 'open-policy-agent:main' into main-chime

1debit · Dec 10, 2021 · 0d7627f · 0d7627f
2 parents 43e8a52 + edf5f25
commit 0d7627f
Show file tree

Hide file tree

Showing 2,757 changed files with 98,262 additions and 16,983 deletions.
diff --git a/.github/ISSUE_TEMPLATE/adopt-opa.yaml b/.github/ISSUE_TEMPLATE/adopt-opa.yaml
@@ -0,0 +1,65 @@
+name: Adopt OPA
+description: Let the community know you have adopted OPA.
+title: organization_name has adopted OPA
+labels: "adopt-opa"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for supporting the OPA project. Adding your organization to the list of adopters raises awareness for the project and is more help than you think!
+
+        Check the current list of adopters:
+        https://github.com/open-policy-agent/opa/blob/main/ADOPTERS.md
+  - type: input
+    id: org-name
+    attributes:
+      label: Organization Name
+      description: Name of the organization.
+      placeholder: ex. OPA, Inc.
+    validations:
+      required: false
+  - type: input
+    id: org-url
+    attributes:
+      label: Organization Website
+      description: Provide a link to the organization website.
+      placeholder: ex. openpolicyagent.org
+    validations:
+      required: false
+  - type: input
+    id: org-logo
+    attributes:
+      label: Organization Logo (optional)
+      description: Provide a link to the organization logo.
+      placeholder: ex. https://d33wubrfki0l68.cloudfront.net/a5bf5cefceefdba8ab3a9297fddab246355169a2/4a6f4/img/logo-white.png
+    validations:
+      required: false
+  - type: textarea
+    id: opa-use-case
+    attributes:
+      label: How is your organization using OPA?
+      description: 2 or 3 sentences about how your organization has incorporated OPA.
+      placeholder: We secure all the things!
+    validations:
+      required: false
+  - type: input
+    id: source-code
+    attributes:
+      label: Source Code Link (optional)
+      description: Is your use case open source? Provide a link.
+      placeholder: ex. https://github.com/open-policy-agent/opa
+    validations:
+      required: false
+  - type: textarea
+    id: content-links
+    attributes:
+      label: Want to link blogs or videos? Share them here.
+      description: Please copy and paste links to content that shows how you're using OPA.
+  - type: checkboxes
+    id: existing-entry
+    attributes:
+      label: Update entry
+      options:
+        - label: Check this box if you want to update an existing entry.
+          required: false
diff --git a/.github/ISSUE_TEMPLATE.md → .github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE.md → .github/ISSUE_TEMPLATE/bug_report.md
@@ -1,15 +1,23 @@
-<!-- Thanks for opening an issue to request a feature or file a bug!
-If you provide some basic information it helps us address problems faster. -->
-
-## Expected Behavior
+---
+name: Bug report
+about: Report a problem for the OPA community to investigate
+title: ''
+labels: bug
+assignees: ''
 
-## Actual Behavior
+---
 
-## Steps to Reproduce the Problem
+<!-- Thanks for opening an issue to request a feature or file a bug!
+If you provide some basic information, it helps us address problems faster. -->
 
+## Short description 
 <!--
-If this is a bug report please provide as much detail as possible so that we can
-reproduce the problem. Examples:
+Any information you think might be helpful. Examples include the environment
+where OPA was running (e.g., if inside Kubernetes, what resource limits did you configure
+OPA with?), how long OPA had been running for, what was happening around the time
+when you identified the problem, etc.
+
+Examples:
 
 * OPA version
 * Example query, input, data, and policy that OPA was given
@@ -19,11 +27,20 @@ reproduce the problem. Examples:
 * For Go and Wasm, the arguments you invoked OPA with
 -->
 
-## Additional Info
+## Steps To Reproduce
+<!--
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See an error
+-->
 
+## Expected behavior
 <!--
-Any additional information you think might be helpful. Examples include the environment
-where OPA was running (e.g., if inside Kubernetes, what resource limits did you configure
-OPA with?), how long OPA had been running for, what was happening around the time
-when you identified the problem, etc.
+Describe what you expected to happen.
+-->
+
+## Additional context
+<!--
+Add any other context about the problem here.
 -->
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,33 @@
+---
+name: Feature request
+about: Let us know how we could improve OPA
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+<!-- Thanks for opening an issue to request a feature or file a bug!
+If you provide some basic information, it helps us address problems faster. -->
+
+## What part of OPA would you like to see improved?
+<!--
+Is there something challenging or frustrating about OPA that you are trying to improve?
+Do you want OPA to integrate with another project or tool?
+Why would this improvement make your experience with OPA better?
+-->
+
+## Describe the ideal solution
+<!--
+In the ideal scenario, there are more than enough resources to solve any problem. Describe what this solution would look like if the resources were available.
+-->
+
+## Describe a "Good Enough" solution
+<!--
+In a more realistic world, we have limited time and resources to solve a problem. Describe what a minimum viable solution would look like that still satisfies the requirements. Think about what is a must-have and what is a nice-to-have; now list out the must-haves. Is there an alternate solution that would work just as well?
+-->
+
+## Additional Context
+<!--
+Add in additional information that would help. Do you have links to similar solutions, screenshots of a problem, or mockups of a solution? 
+-->
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,14 +19,11 @@ you changed. Use active voice. Keep the subject line under 50
 characters or so.
 
 * All commits must be signed off by the author. If you are not
-familiar with signing off, see CONTRIBUTING.md below.
+familiar with signing off, see our contributor guide below.
 
 For more information on contributing to OPA see:
 
-* [CONTRIBUTING.md](https://github.com/open-policy-agent/opa/blob/main/CONTRIBUTING.md)
-  for high-level contribution guidelines.
-
-* [DEVELOPMENT.md](https://github.com/open-policy-agent/opa/blob/main/docs/devel/DEVELOPMENT.md)
-  for development workflow and environment setup.
+* [Contributing Guide](https://www.openpolicyagent.org/docs/latest/contributing/)
+  for high-level contributing guidelines and development setup.
 
 -->
diff --git a/.github/stale.yml b/.github/stale.yml
@@ -0,0 +1,60 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 30
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+# daysUntilClose: 7
+daysUntilClose: false
+
+# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
+onlyLabels: []
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+# exemptLabels:
+# - security
+# - "[Status] Maybe Later"
+exemptLabels: []
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: true
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Set to true to ignore issues with an assignee (defaults to false)
+exemptAssignees: false
+
+# Label to use when marking as stale
+staleLabel: inactive
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as inactive because it has not had
+  any activity in the last 30 days.
+
+# Comment to post when removing the stale label.
+# unmarkComment: >
+#   Your comment here.
+
+# Comment to post when closing a stale Issue or Pull Request.
+# closeComment: >
+#   Your comment here.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+
+# Limit to only `issues` or `pulls`
+# only: issues
+
+# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
+pulls:
+   #daysUntilStale: 30
+   markComment: >
+     This pull request has been automatically marked as stale because it has not had
+     any activity in the last 30 days.
+
+# issues:
+#   exemptLabels:
+#     - confirmed
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -51,21 +51,12 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
     # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    - run: |
+        make build
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -25,6 +25,44 @@ jobs:
           status: ${{ job.status }}
           fields: repo,workflow
 
+  native-fuzzer:
+    name: Go Fuzzer (native)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - id: go_version
+        name: Read go version
+        run: echo "::set-output name=go_version::$(cat .go-version)"
+
+      - name: Install Go (${{ steps.go_version.outputs.go_version }})
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.go_version.outputs.go_version }}
+
+      - name: Install gotip
+        run: |
+          go install golang.org/dl/gotip@latest
+          gotip download
+          gotip version
+
+      - name: gotip test -fuzz
+        run: gotip test ./ast -fuzz FuzzParseStatementsAndCompileModules -fuzztime 1h -v -run '^$'
+
+      - name: Dump crashers
+        if: ${{ failure() }}
+        run: find ast/testdata/fuzz ! -name '*.stmt' ! -type d -print -exec cat {} \;
+
+      - name: Slack Notification
+        uses: 8398a7/action-slack@v3
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
+        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
+        with:
+          status: ${{ job.status }}
+          fields: repo,workflow
+
   fuzzer:
     name: Go Fuzzer
     runs-on: ubuntu-latest
@@ -35,6 +73,10 @@ jobs:
       - name: Run go-fuzz
         run: make ci-go-check-fuzz
 
+      - name: Dump crashers
+        if: ${{ failure() }}
+        run: find build/fuzzer/workdir/crashers -name '*.quoted' -print -exec cat {} \;
+
       - name: Upload Workdir
         if: ${{ failure() }}
         uses: actions/upload-artifact@v2
@@ -51,3 +93,22 @@ jobs:
           status: ${{ job.status }}
           fields: repo,workflow
 
+  go-proxy-check:
+    name: Go mod check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Vendor without proxy
+        run: make check-go-module
+        timeout-minutes: 30
+
+      - name: Slack Notification
+        uses: 8398a7/action-slack@v3
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }}
+        if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
+        with:
+          status: ${{ job.status }}
+          fields: repo,workflow
diff --git a/.github/workflows/post-merge.yaml b/.github/workflows/post-merge.yaml
@@ -96,7 +96,7 @@ jobs:
           go-version: ${{ steps.go_version.outputs.go_version }}
 
       - name: Build Darwin
-        run: make ci-build-darwin
+        run: make ci-build-darwin ci-build-darwin-arm64-static
         timeout-minutes: 30
         env:
           TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }}

diff --git a/.github/workflows/post-release.yaml b/.github/workflows/post-release.yaml
@@ -0,0 +1,17 @@
+name: Post Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  kick-netlify:
+    name: Kick Netlify
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Trigger Netlify Deploy
+        env:
+          NETLIFY_BUILD_HOOK_URL: ${{ secrets.NETLIFY_BUILD_HOOK_URL }}
+        if: ${{ env.NETLIFY_BUILD_HOOK_URL }}
+        run: |
+          curl --fail --request POST -d {} ${{ env.NETLIFY_BUILD_HOOK_URL }}
diff --git a/.github/workflows/post-tag.yaml b/.github/workflows/post-tag.yaml
@@ -81,10 +81,6 @@ jobs:
         # Subsequent jobs will be have the computed tag name
         run: echo "TAG_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV
 
-      - name: Test
-        run: make ci-release-test
-        timeout-minutes: 60
-
       - name: Download release binaries
         uses: actions/download-artifact@v2
         with:
@@ -105,4 +101,4 @@ jobs:
         env:
           # Required for the `hub` CLI
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: ./build/github-release.sh --asset-dir=./_release/${TAG_NAME#v}/ --tag=${TAG_NAME}
+        run: ./build/github-release.sh --asset-dir=$(make release-dir) --tag=${TAG_NAME}