feat(actions): add validation and drift-detection actions

.github/workflows/drift.yml

@@ -0,0 +1,26 @@
+name: Check for .policy.yml drift
+
+on:
+  pull_request:
+    types:
+      - edited
+      - opened
+      - ready_for_review
+      - synchronize
+  push:
+    branches:
+      - main
+
+jobs:
+  drift:
+    name: Check for drift
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check repository out
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Check for drift
+        uses: ./actions/check-for-drift
+        with:
+          input_file: .policy.yml
+          merge_with: policy.yml

actions/check-for-drift/action.yml

@@ -0,0 +1,56 @@
+name: Check for Drift
+description: Checks if the generated output is different from the input file
+
+inputs:
+  input_file:
+    description: The input file to compare
+    required: true
+
+  merge_with:
+    description: The file to merge with the input file
+    required: false
+
+runs:
+  using: composite
+
+  steps:
+    - name: Check repository out
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        path: ${{ github_workspace }}/generate-policy-bot-config
+        repo: ${{ github.action_repository }}
+        ref: ${{ github.action_ref }}
+
+    - name: Set up Go
+      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      with:
+        go-mod-file: ${{ github.workspace }}/generate-policy-bot-config/go.mod
+
+    - name: Build the program
+      shell: sh
+      run: |
+        cd "${{ github.workspace }}/generate-policy-bot-config"
+
+        DESTDIR="$(go env GOPATH)/bin"
+        mkdir -p "${DESTDIR}"
+
+        go build -o "${DESTDIR}/generate-policy-bot-config" cmd/generate-policy-bot-config/main.go
+
+    - name: Generate new config
+      id: new
+      shell: sh
+      run: |
+        generate-policy-bot-config \
+          --output - \
+          --merge-with ${{ inputs.input_file }} | \
+          ( echo -n "config=" && cat ) | tee -a "${GITHUB_OUTPUT}"
+
+    - name: Check for drift
+      shell: bash
+      run: |
+        if ! diff -u ${{ inputs.input_file }} - <<< "${{ steps.new.outputs.config }}"; then
+          echo "Drift detected: ${{ inputs.input_file }} is out-of-date. Regenerate it and commit the result.""
+          exit 1
+        fi
+
+        echo "No drift detected: ${{ inputs.input_file }} is up-to-date."

actions/validate/README.md

@@ -0,0 +1,33 @@
+# validate-policy-bot-config
+
+Validates the `.policy.yml` configuration file for [Policy Bot][policy-bot]. See
+[the documentation][policy-bot-docs] for more information on creating rules.
+
+[policy-bot]: https://github.com/palantir/policy-bot
+[policy-bot-docs]: https://github.com/palantir/policy-bot?tab=readme-ov-file#configuration
+
+## Inputs
+
+- `policy`: The path to the `.policy.yml` file to validate. Default: `.policy.yml`.
+- `validation_endpoint` (required): The endpoint to validate the configuration
+  against.
+
+Example workflow:
+
+```yaml
+name: validate-policy-bot
+on:
+  pull_request:
+    paths:
+      - .policy.yml
+  push:
+    paths:
+      - .policy.yml
+
+jobs:
+  validate-policy-bot:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate Policy Bot configuration
+        uses: grafana/generate-policy-bot-config/actions/validate@main
+```

actions/validate/action.yml

@@ -0,0 +1,26 @@
+name: Validate Policy Bot Config
+description: Validates the Policy Bot configuration file.
+
+inputs:
+  policy:
+    description: |
+      Path to the Policy Bot configuration file.
+    default: .policy.yml
+
+  validation_endpoint:
+    description: |
+      Validation API endpoint.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Validate Policy Bot config
+      shell: bash
+      run: |
+        curl \
+          --silent \
+          --fail-with-body \
+          --request PUT \
+          --upload-file "${{ inputs.policy }}" \
+          "${{ inputs.validation_endpoint }}"