open-policy-agent · JaydipGabani · Mar 12, 2026 · Mar 16, 2026 · Mar 18, 2026 · Apr 10, 2026
@@ -48,6 +48,13 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version: '1.23.x'
+          cache: false
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3.29.5

@@ -4,10 +4,12 @@ on:
     branches:
       - master
     paths:
+      - ".github/workflows/generate-catalog.yaml"
       - "library/**"
       - "src/**"
   pull_request:
     paths:
+      - ".github/workflows/generate-catalog.yaml"
       - "library/**"
       - "src/**"
   workflow_dispatch:
@@ -45,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: "1.24"
+          go-version: "1.25.x"
           check-latest: true
 
       - name: Build gator
@@ -69,7 +71,7 @@ jobs:
             --output=catalog.yaml \
             --name=gatekeeper-library \
             --version=${{ steps.version.outputs.version }} \
-            --repository=https://github.com/open-policy-agent/gatekeeper-library
+            --base-url=https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/refs/heads/master
 
       - name: Validate catalog
         run: |
@@ -126,7 +128,7 @@ jobs:
           labels: automation
 
       - name: Create PR comment (on PR)
-        if: github.event_name == 'pull_request' && steps.diff.outputs.changed == 'true'
+        if: github.event_name == 'pull_request' && steps.diff.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |

@@ -5,6 +5,7 @@ on:
       - master
     paths:
       - ".github/workflows/scripts.yaml"
+      - "go.work"
       - "scripts/**"
 permissions:
   contents: read
@@ -24,7 +25,7 @@ jobs:
     steps:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: '1.20'
+          go-version: '1.23.x'
           cache: false
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: golangci-lint

@@ -65,7 +65,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        gatekeeper: [ "3.20.1", "3.21.0" ]
+        gatekeeper: [ "3.21.1", "3.22.0" ]
         engine: [ "cel", "rego" ]
     name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
     steps:
@@ -86,7 +86,7 @@ jobs:
 
       - name: Run integration test
         run: |
-          make test-integration
+          make test-integration POLICY_ENGINE=${{ matrix.engine }}
 
       - name: Save logs
         run: |
@@ -131,7 +131,7 @@ jobs:
     strategy:
       matrix:
         engine: [ "cel", "rego" ]
-        gatekeeper: [ "3.20.1", "3.21.0" ]
+        gatekeeper: [ "3.21.1", "3.22.0" ]
     name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies"
     steps:
       - name: Harden Runner

@@ -45,7 +45,7 @@ uninstall:
 	helm uninstall -n gatekeeper-system gatekeeper
 
 test-integration:
-	bats -t test/bats/test.bats
+	POLICY_ENGINE=$(POLICY_ENGINE) bats -t test/bats/test.bats
 
 .PHONY: verify-gator
 verify-gator:

@@ -0,0 +1,22 @@
+version: 1.0.0
+name: k8sgpuactivedeadline
+displayName: GPU Active Deadline Required
+createdAt: "2026-03-17T00:04:28Z"
+description: Requires pods that request NVIDIA GPU resources (nvidia.com/gpu) to set activeDeadlineSeconds. This prevents runaway training jobs from holding GPU resources indefinitely.
+digest: f15fa92d15ee17101b77cea310b9766253332b9bfcd50447c4487f9eeaef856c
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/gpuactivedeadline
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # GPU Active Deadline Required
+    Requires pods that request NVIDIA GPU resources (nvidia.com/gpu) to set activeDeadlineSeconds. This prevents runaway training jobs from holding GPU resources indefinitely.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/gpuactivedeadline/1.0.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sGpuActiveDeadline
+metadata:
+  name: require-gpu-deadline
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    maxActiveDeadlineSeconds: 86400
+    exemptImages:
+      - "nvidia/dcgm-exporter:*"
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: gpu-job-exempt
+spec:
+  containers:
+    - name: dcgm
+      image: nvidia/dcgm-exporter:3.1.7
+      resources:
+        limits:
+          nvidia.com/gpu: "1"
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sGpuActiveDeadline
+metadata:
+  name: require-gpu-deadline
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    maxActiveDeadlineSeconds: 86400
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: gpu-job-with-deadline
+spec:
+  activeDeadlineSeconds: 3600
+  containers:
+    - name: training
+      image: nvidia/cuda:12.0-runtime
+      resources:
+        limits:
+          nvidia.com/gpu: "1"
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: gpu-job-exceeds-deadline
+spec:
+  activeDeadlineSeconds: 172800
+  containers:
+    - name: training
+      image: nvidia/cuda:12.0-runtime
+      resources:
+        limits:
+          nvidia.com/gpu: "1"
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sGpuActiveDeadline
+metadata:
+  name: require-gpu-deadline
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: gpu-job-without-deadline
+spec:
+  containers:
+    - name: training
+      image: nvidia/cuda:12.0-runtime
+      resources:
+        limits:
+          nvidia.com/gpu: "1"
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sGpuActiveDeadline
+metadata:
+  name: require-gpu-deadline
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: non-gpu-job
+spec:
+  containers:
+    - name: web
+      image: nginx:1.25
+      resources:
+        limits:
+          cpu: "500m"
+          memory: "128Mi"
@@ -0,0 +1,41 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: gpuactivedeadline
+tests:
+- name: gpu-job-with-deadline
+  template: template.yaml
+  constraint: samples/gpu-job-with-deadline/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/gpu-job-with-deadline/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed-exceeds-max
+    object: samples/gpu-job-with-deadline/example_disallowed_exceeds_max.yaml
+    assertions:
+    - violations: yes
+- name: gpu-job-without-deadline
+  template: template.yaml
+  constraint: samples/gpu-job-without-deadline/constraint.yaml
+  cases:
+  - name: example-disallowed
+    object: samples/gpu-job-without-deadline/example_disallowed.yaml
+    assertions:
+    - violations: yes
+- name: non-gpu-job
+  template: template.yaml
+  constraint: samples/non-gpu-job/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/non-gpu-job/example_allowed.yaml
+    assertions:
+    - violations: no
+- name: gpu-job-exempt
+  template: template.yaml
+  constraint: samples/gpu-job-exempt/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/gpu-job-exempt/example_allowed.yaml
+    assertions:
+    - violations: no