# help
u
Hello everyone, I'm trying to run Cerbos in a Docker container within a GitHub Actions workflow and test permission checks against the Cerbos server. However, I'm encountering an issue where the Cerbos server isn't loading the policy files correctly. Does anyone know what could be causing Cerbos to not recognize the policy file, or if there's something wrong with how I'm mounting or formatting the policy?

• Goal: Start Cerbos in a Docker container in GitHub Actions and test permission checks by mounting policy files.
• Issue: The policy file isn't being loaded, and the Cerbos server logs show `Found 0 executable policies`.
• Possible Cause: It seems that the policy file isn't being recognized by the Cerbos server, even though it's being mounted to the `/policies` directory.

What I've Confirmed:
• The policy file exists and is correctly mounted to `/policies` (confirmed by `ls -la` in GitHub Actions).
• Cerbos logs show `Found 0 executable policies`, meaning the file isn't being read properly.
• File permissions seem correct.
• Similarly, when launched locally, it becomes `Found 1 executable policies`.

・GitHub Actions Workflow (Simplified):
```yaml
name: ci-server
on:
  workflow_call:
env:
  GO_VERSION: "1.20"
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      cerbos:
        image: ghcr.io/cerbos/cerbos:latest
        ports:
          - 3592:3592
          - 3593:3593
        volumes:
          - ${{ github.workspace }}/policies:/policies
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: server/go.sum
      - name: Check policies directory
        run: ls -la ${{ github.workspace }}/policies
      - name: Check Cerbos logs
        run: docker logs $(docker ps -q --filter "name=cerbos")
      - name: Inspect Cerbos container mounts
        run: docker inspect $(docker ps -q --filter "name=cerbos") --format '{{json .Mounts}}'
```
・GitHub workflow result
```
Run ls -la /home/runner/work/hoge/foo/policies
drwxr-xr-x 2 runner docker 4096 Sep 11 06:36 .
drwxr-xr-x 8 runner docker 4096 Sep 11 06:36 ..
-rw-r--r-- 1 runner docker  262 Sep 11 06:36 hoge.yaml

Run docker logs $(docker ps -q --filter "name=cerbos")
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.619Z","log.logger":"cerbos.server","message":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.619Z","log.logger":"cerbos.server","message":"Loading configuration from __default__"}
{"log.level":"warn","@timestamp":"2024-09-11T06:36:04.619Z","log.logger":"cerbos.otel","message":"Disabling OTLP traces because neither OTEL_EXPORTER_OTLP_ENDPOINT nor OTEL_EXPORTER_OTLP_TRACES_ENDPOINT is defined"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.619Z","log.logger":"cerbos.disk.store","message":"Initializing disk store from /policies"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.619Z","log.logger":"cerbos.index","message":"Found 0 executable policies"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.620Z","log.logger":"cerbos.telemetry","message":"Anonymous telemetry enabled. Disable via the config file or by setting the CERBOS_NO_TELEMETRY=1 environment variable"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.620Z","log.logger":"cerbos.grpc","message":"Starting gRPC server at :3593"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.620Z","log.logger":"cerbos.dir.watch","message":"Watching directory for changes","dir":"/policies"}
{"log.level":"info","@timestamp":"2024-09-11T06:36:04.622Z","log.logger":"cerbos.http","message":"Starting HTTP server at :3592"}

Run docker inspect $(docker ps -q --filter "name=cerbos") --format '{{json .Mounts}}'
[{"Type":"volume","Name":"243de0b02256460be661e5ec2f0e7e658e9eebd431696af9cfaff55de41998a9","Source":"/var/lib/docker/volumes/243de0b02256460be661e5ec2f0e7e658e9eebd431696af9cfaff55de41998a9/_data","Destination":"/.cache","Driver":"local","Mode":"","RW":true,"Propagation":""},{"Type":"volume","Name":"9327449f5a13ff122f40ccda67471921626d50e360ae8a0810c8957cd604824b","Source":"/var/lib/docker/volumes/9327449f5a13ff122f40ccda67471921626d50e360ae8a0810c8957cd604824b/_data","Destination":"/tmp","Driver":"local","Mode":"","RW":true,"Propagation":""},{"Type":"bind","Source":"/home/runner/work/reearth-dashboard/reearth-dashboard/policies","Destination":"/policies","Mode":"","RW":true,"Propagation":"rprivate"}]
```
・hoge.yaml
```yaml
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "hoge:foo"
  rules:
    - actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - role1
    - actions: ["edit"]
      effect: EFFECT_ALLOW
      roles:
        - role3
```
c
Hey, the issue is that you're trying to run Cerbos as a GitHub Actions service. Services start before your code is checked out, so the Cerbos server can never see what's in your repository. This is a known limitation of GitHub Actions. One way to run Cerbos on your policies is to use the Cerbos GitHub Actions. There's a compile action that can compile and test your policies. If you want to start a Cerbos server on CI for tests, consider using the cerbos-setup-action to install Cerbos and then use `cerbos run` to run your test harness.
🙇‍♂️ 1
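The approach described in the reply, written out as an added example that is not part of the thread and not the Cerbos project's own workflow: check the repository out first, validate the policies with the compile action, install the `cerbos` binary with the setup action, and only then start a server with `cerbos run` so that it reads the checked-out `policies/` directory. `cerbos/cerbos-setup-action` and `cerbos/cerbos-compile-action` are the published Cerbos actions; the `@v1` tags, the `version` and `policyDir` input names, the `--set=storage.disk.directory=...` flag, the `server/` module path and the `go test ./...` command are assumptions for this illustration and should be checked against the actions' READMEs and the `cerbos run` help text.

```yaml
# Added example (not the thread's own workflow): validate policies and run a
# Go test harness against a Cerbos server that starts AFTER checkout.
name: ci-server
on:
  workflow_call:
env:
  GO_VERSION: "1.20"
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Check out first: the policies directory must exist on disk before any
      # Cerbos process starts, which a `services:` container cannot guarantee.
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v4
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: server/go.sum

      # Static check of the policy directory: fails the job on invalid policies
      # and runs any Cerbos policy test suites stored alongside them.
      # (`policyDir` input and `@v1` tag are assumed from the action's docs.)
      - name: Compile and test policies
        uses: cerbos/cerbos-compile-action@v1
        with:
          policyDir: policies

      # Install the cerbos CLI on the runner (`version` input and tag assumed).
      - name: Install Cerbos
        uses: cerbos/cerbos-setup-action@v1
        with:
          version: latest

      # `cerbos run` starts a server on the given policy directory, exports the
      # listener addresses (CERBOS_HTTP / CERBOS_GRPC) to the child command, and
      # shuts the server down when the command exits. Flag and command assumed.
      - name: Run permission checks
        working-directory: server
        run: >-
          cerbos run
          --set=storage.disk.directory=${{ github.workspace }}/policies
          -- go test ./...
```

The ordering is the whole point: in the original workflow the service container's disk store was initialised from an empty bind mount, so the index reported `Found 0 executable policies`. Because Cerbos denies by default, an empty policy store fails every check closed, which is the right behaviour for production but makes every permission test in CI fail. Reading the `cerbos.index` log line (or asserting on it) after the server starts is a cheap guard against shipping a test job that only ever exercises the empty-store path.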
u
I was able to solve the issue using the above method. Thank you very much.