GitHub Action #2

Open
3 tasks
imjasonh opened this issue Jul 6, 2021 · 1 comment
imjasonh commented Jul 6, 2021

It'd be great if users could run rbac-audit more easily in their CI, to identify overly broad permissions and to surface new behavior that adds newly required permissions. A way this could look for GitHub Actions is:

name: rbac-audit

on:
  pull_request:
    branches: ['main']

jobs:
  rbac-audit:
    name: RBAC Audit
    runs-on: ubuntu-latest
    steps:
    # Check out the user's repo and install Go.
    - uses: actions/checkout@v2
    - uses: actions/setup-go@v2

    # Proposed action (does not exist yet); the @main ref is a placeholder.
    # Sets up a KinD cluster, exports KUBECONFIG, and compares the generated
    # policy against the user's RBAC config in a post step.
    - uses: imjasonh/rbac-audit@main
      with:
        policy: config/rbac.yaml  # or: config/*.yaml
    - run: ./my-e2e-tests.sh

This config would check out the user's repo, install Go, set up a KinD cluster for rbac-audit and set KUBECONFIG, then run ./my-e2e-tests.sh. After the test, the action could check that RBAC config in config/rbac.yaml matches the policy generated by rbac-audit, and fail with diff output otherwise.

This would require:

  • stable output from rbac-audit generated policies to avoid spurious diffs (mostly already there)
  • semantic diff to ignore any non-RBAC config, differing whitespace/styling, etc., that is encountered in the user's rbac.yaml -- e.g., verbs: ['a', 'b', 'c'] is functionally equivalent to verbs: ['c', 'a', 'b'], and should be ignored.
  • allowing users some way to mark a config as ignored for rbac-audit purposes, to account for manual edits
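The order-insensitive comparison the second bullet asks for, as an added example in Go (not code from rbac-audit itself; the Rule type, its field names and the sample rules are assumptions, and YAML parsing is left out):

```go
package main

import (
	"sort"
	"strings"
)

// Rule holds the PolicyRule fields the diff cares about (YAML parsing omitted).
type Rule struct{ APIGroups, Resources, Verbs []string }
// norm sorts and de-duplicates one list, so ['c','a','b'] equals ['a','b','c'].
func norm(xs []string) string {
	s := append([]string(nil), xs...) // copy so the caller's slice is untouched
	sort.Strings(s)
	var out []string
	for i, x := range s {
		if i == 0 || x != s[i-1] { // adjacent after sorting => duplicate
			out = append(out, x)
		}
	}
	return strings.Join(out, ",")
}

// canon is the order-insensitive identity of a rule: groups|resources|verbs.
func canon(r Rule) string {
	return norm(r.APIGroups) + "|" + norm(r.Resources) + "|" + norm(r.Verbs)
}

// keysNotIn returns, sorted, the canonical rules in a that b lacks.
func keysNotIn(a, b []Rule) []string {
	have := map[string]bool{}
	for _, r := range b {
		have[canon(r)] = true
	}
	var out []string
	for _, r := range a {
		if k := canon(r); !have[k] {
			have[k] = true // report each missing rule once
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// SemanticDiff compares the user's rbac.yaml rules (want) with the policy
// rbac-audit generated from the e2e run (got): missing = permissions the tests
// needed but rbac.yaml lacks (fail the job); extra = grants never exercised.
func SemanticDiff(want, got []Rule) (missing, extra []string) {
	return keysNotIn(got, want), keysNotIn(want, got)
}
```

A rule split across several entries, or a wildcard such as verbs: ['*'], is not treated as equivalent here; that is the harder part of a real semantic diff.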
imjasonh commented Jul 6, 2021

Only JavaScript-based GitHub Actions configs support post steps for actions configs, but that could just be a simple JS wrapper around bash.
