make policy rego dynamic, simplify documentation-flow

.github/workflows/attestor.yml

@@ -0,0 +1,86 @@
+name: Attestor Workflow
+
+on:
+    workflow_call:
+      inputs:
+        documentation-repo:
+          type: string
+          required: true
+          description: "Write down the Documentation Repository that needs to be merged first"
+
+        production-repos:
+          type: string
+          required: true
+          description: "Write down every repository that has to wait for documentation to be merged first."
+
+        policy-url:
+          type: string
+          required: true
+          description: "URL to the policy file via raw.githubusercontent.com"
+
+
+jobs:
+  attestor: 
+    runs-on: ubuntu-latest
+    container: ghcr.io/l3montree-dev/compliance-as-code-attestors:latest 
+    env:
+      PR_NUMBER: ${{ github.event.number }}
+      PR_TITLE: ${{ github.event.pull_request.title }}
+      ATTESTATION_FILE: /tmp/attest.json
+      POLICY_REGO: /tmp/policy.rego
+      DOCUMENTATION_REPO: /tmp/doc_repo.json
+
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Env Sanity Check
+        run: echo $PR_NUMBER && echo $PR_TITLE
+
+      - name: Debug binary
+        run: |
+          ls -la /usr/local/bin
+          which compliance-as-code-attestor || true
+          /usr/local/bin/compliance-as-code-attestor --help || true
+
+      - name: Pull Request Check
+        run: |
+          /usr/local/bin/compliance-as-code-attestor prAttestation \
+            --repos "${{ inputs.documentation-repo }}" \
+            --repos "${{ inputs.production-repos }}" \
+            --pull_request_title "$PR_TITLE" \
+            --pull_request_number "$PR_NUMBER" > "$ATTESTATION_FILE"
+          cat "$ATTESTATION_FILE"
+          echo "created $ATTESTATION_FILE"
+
+      - name: upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: attestation-${{ env.PR_NUMBER }}
+          path: ${{ env.ATTESTATION_FILE }}
+
+      - name: fetch policy file
+        run: |
+          curl -o policy.rego "${{ inputs.policy-url }}"
+          cat policy.rego > "$POLICY_REGO"
+
+      - name: Download OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: 1.10.1
+
+      - name: Evaluate Policy
+
+        run: | 
+          echo '{"documentation_repo": "${{ inputs.documentation-repo }}"}' > /tmp/doc_repo.json
+          opa eval \
+            --data $POLICY_REGO \
+            --data $DOCUMENTATION_REPO \
+            --input $ATTESTATION_FILE \
+            'data.documentationMerged.failure_msg' \
+            --format  raw \
+            --fail-defined
+
+
+

.github/workflows/documentation-policy-check.yml

@@ -0,0 +1,24 @@
+# Copyright 2026 Lars Hermges @l3montree GMBH
+
+name: Documentation Policy Check
+on:
+  pull_request:
+  workflow_call:
+    inputs:
+      documentation-repo:
+        required: true
+        type: string
+      production-repos:
+        required: true
+        type: string
+      policy-url:
+        required: true
+        type: string
+
+jobs:
+  documentation_check:
+    uses: ./.github/workflows/attestor.yml
+    with:
+      documentation-repo: ${{ inputs.documentation-repo }}
+      production-repos: ${{ inputs.production-repos}}
+      policy-url: ${{ inputs.policy-url }}