
Add policy publishing workflow and update release workflow for policy hub integration#27

Open
DakshithaS wants to merge 4 commits into wso2:main from DakshithaS:main

Conversation


@DakshithaS DakshithaS commented Feb 2, 2026

Purpose

Add a GitHub Actions workflow for publishing policies to the policy hub, including comprehensive validation of policy metadata, packaging, and API publishing. Update the existing release workflow to use environment variables for policy hub URL and adjust the API endpoint for policy registration.

Goals

  • Enable manual publishing of policies via workflow dispatch with input validation
  • Validate policy metadata.json against predefined categories and required fields
  • Automate policy packaging and publishing to the policy hub API
  • Update release workflow to use vars instead of secrets for policy hub URL

Approach

  • Created publish-policy.yml workflow with steps for input validation, metadata parsing, package creation, and API publishing
  • Implemented validation for policy name, version format, directory existence, and metadata.json structure
  • Added predefined categories list for metadata validation
  • Updated release-policy.yml to use vars.POLICY_HUB_URL and changed API endpoint to /policies/{policy}/versions/{version}/release

Related Issue

Summary by CodeRabbit

  • Chores
    • Added a new automated workflow to publish policies: validates inputs and metadata, ensures required directory structure and package contents, creates a versioned package, and publishes it to the Policy Hub with detailed error reporting and cleanup.
    • Updated the policy release workflow to re-enable registration and adjust its integration with the Policy Hub API for improved release management and authentication handling.


coderabbitai bot commented Feb 2, 2026

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/publish-policy.yml to validate policy inputs, metadata, package docs/assets, and publish to a Policy Hub API; and updates .github/workflows/release-policy.yml to use a revised Policy Hub endpoint, api-key header, and payload structure.

Changes

Cohort / File(s) | Summary

New Publish Policy Workflow (.github/workflows/publish-policy.yml):
New workflow that validates policy_name and minor_version inputs, checks docs/ and policies/ layout, validates metadata.json fields (name, version, displayName, provider, categories, description), packages docs/assets into a zip, and publishes the package to Policy Hub API with optional api-key auth and detailed error handling.

Release Policy Workflow Update (.github/workflows/release-policy.yml):
Re-enabled registration step, switched POLICY_HUB_URL source from secrets to vars, changed API call to POST $POLICY_HUB_URL/policies/${policy}/versions/${version}/release, replaced Authorization: Bearer with api-key header, and simplified payload to a single definition field.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant FS as File System
    participant API as Policy Hub API

    GHA->>GHA: Receive inputs (policy_name, minor_version)
    GHA->>FS: Verify `docs/` and `policies/` directories exist
    GHA->>FS: Read `policies/<policy>/metadata.json`
    GHA->>GHA: Validate metadata fields and match inputs
    GHA->>GHA: Validate categories against whitelist
    GHA->>FS: Package `docs/` and assets into `policy-version.zip`
    GHA->>API: POST package or definition with `api-key` header
    API-->>GHA: Return HTTP response (success/error)
    GHA->>GHA: Log response, show errors, cleanup artifacts

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐰 I hopped through files with a curious twitch,

Validated metadata, zipped docs in a stitch.
I nudged the release to call with an api-key,
Now policies voyage to the Hub—whee! ✨

🚥 Pre-merge checks: 3 passed

Title check: ✅ Passed. The title accurately summarizes the main changes: adding a policy publishing workflow and updating the release workflow for policy hub integration, which matches the changeset.
Description check: ✅ Passed. The description covers Purpose, Goals, Approach, and Related Issue. However, it omits most template sections: User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Migrations, Test environment, and Learning.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/publish-policy.yml:
- Around line 34-81: The POLICY_NAME validation must reject unsafe values—modify
the validation block that sets and checks POLICY_NAME to trim whitespace and
enforce a strict allowed pattern (e.g., only letters, numbers, hyphen and
underscore: /^[A-Za-z0-9_-]+$/), and explicitly disallow any slashes or path
traversal tokens like ".."; update the error message accordingly and only export
POLICY_NAME (and derived paths VERSION_DIR, POLICIES_DIR) to GITHUB_ENV after
this stronger validation passes so filesystem and URL usage (references:
POLICY_NAME, DOCS_POLICY_DIR, VERSION_DIR, POLICIES_DIR) cannot be tricked by
whitespace or traversal.
- Around line 256-294: Replace the eval-based string building with a safe
array-style curl invocation and remove --insecure: build an args array (e.g.,
curl_args=("-s" "-w" "%{http_code}" "-o" "response.txt" "-X" "POST" "--max-time"
"30" "--connect-timeout" "10"
"$API_URL/policies/$METADATA_NAME/versions/$METADATA_VERSION")) then append form
fields with curl_args+=("-F"
"metadata=@$VERSION_DIR/metadata.json;type=application/json") and
curl_args+=("-F" "docs=@$GITHUB_WORKSPACE/$ZIP_NAME"); if POLICY_HUB_TOKEN is
set, append curl_args+=("-H" "api-key: $POLICY_HUB_TOKEN"); run curl with
"HTTP_STATUS=$(curl "${curl_args[@]}")" (no eval) and remove the --insecure
flag; keep using response.txt for the body and reuse existing checks on
HTTP_STATUS and response.txt.
- Around line 105-211: The categories validation can be bypassed when
.categories is missing, null, or not an array because the while loop reads
nothing; enable strict shell failure and add an explicit jq type/length check
before iterating: set strict mode (set -euo pipefail) at the top of this step,
validate with jq that .categories is an array and has length > 0 (e.g. using jq
'type=="array" and length>0'), fail with a clear error if that check fails, then
proceed to use jq -r '.categories[]' "$METADATA_FILE" to iterate and compare
entries against CLEAN_CATS/ PREDEFINED_CATS as currently implemented.
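The hardened policy_name check and the eval-free curl invocation that the review above asks for, written as an added example for this page (not the PR's own workflow code). It assumes the names the review uses (POLICY_NAME, VERSION_DIR, API_URL, POLICY_HUB_TOKEN) and prints the curl argv instead of calling curl so it runs offline.

```shell
#!/bin/sh
# Added example for this PR page; not the PR's own workflow code.
# Assumed names (taken from the review text): POLICY_NAME, VERSION_DIR, API_URL, POLICY_HUB_TOKEN.

# Trim surrounding whitespace, then enforce a strict allow-list on the policy_name input.
# Prints the cleaned name on success; returns 1 (with a reason on stderr) otherwise.
# Only after this passes should POLICY_NAME / VERSION_DIR / POLICIES_DIR go into GITHUB_ENV.
validate_policy_name() {
  local name
  name=$(printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  if [ -z "$name" ]; then
    printf '%s\n' "error: policy_name is empty" >&2; return 1
  fi
  case "$name" in
    */*|*\\*|*..*)      # explicit separator / traversal check so the error is specific
      printf '%s\n' "error: policy_name must not contain '/', '\\' or '..'" >&2; return 1 ;;
    *[!A-Za-z0-9_-]*)   # anything outside the allow-list (newlines included) is rejected
      printf '%s\n' "error: policy_name must match ^[A-Za-z0-9_-]+\$" >&2; return 1 ;;
  esac
  printf '%s\n' "$name"
}

# Build the curl argv from positional parameters (the POSIX form of a bash array) instead
# of an eval'd string, so spaces or quotes in any value stay inert, and leave TLS
# verification on (no --insecure). Prints one argument per line; the workflow step would
# then run the same list as:  HTTP_STATUS=$(curl "$@")
build_curl_args() {
  local api_url name version version_dir zip_path token
  api_url=$1; name=$2; version=$3; version_dir=$4; zip_path=$5; token=${6:-}
  set -- -s -w '%{http_code}' -o response.txt -X POST \
    --max-time 30 --connect-timeout 10 \
    -F "metadata=@$version_dir/metadata.json;type=application/json" \
    -F "docs=@$zip_path"
  if [ -n "$token" ]; then
    set -- "$@" -H "api-key: $token"   # header only when a token is configured
  fi
  set -- "$@" "$api_url/policies/$name/versions/$version"
  printf '%s\n' "$@"
}
```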
