smoke_test: Fix Failure on Windows GitHub Workflow

[rlxdev]

🗣 Description

Fixed the smoke test for the Windows workflow by correcting the use of the Python virtual environments for both OS flows. GitHub uses 2 drives in its VM/container when running a workflow on Windows, and it looks like OPA isn't handling it correctly when the current working directory is on one drive and is being passed input files on another drive. Regardless, we should be using the Python virtual environment correctly, and this fix takes care of the OPA issue as well (because OPA is run with the current working directory on the same drive as the input data).

The default OPA version used in the smoke test has been updated to v1.0.0. We really should be running the latest version of OPA for this test so we can catch any OPA issues before ScubaGoggles users encounter them.

Closes #529

🧪 Testing

Ran the smoke test workflow with both macOS and Windows runners and the tests complete successfully.

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• If applicable, All future TODOs are captured in issues, which are referenced in the PR description.
• The relevant issues PR resolves are linked preferably via closing keywords.
• All relevant type-of-change labels have been added.
• I have read and agree to the CONTRIBUTING.md document.
• These code changes follow cisagov code standards.
• All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• Tests have been added and/or modified to cover the changes in this PR.
• All new and existing tests pass.

✅ Pre-merge Checklist

• This PR has been smoke tested to ensure main is in a functional state when this PR is merged.
• Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge Checklist

• Delete the branch to clean up.
• Close issues resolved by this PR if the closing keywords did not activate.

[buidav]

Recommend we pull in the latest OPA version rather than having to manually update default version of the input variable if we want latest. Then make this input optional but override the default if there's a diff.

OPA v1.0.0 is already out of date as OPA did a patch release to [OPA v1.0.1[(https://github.com/open-policy-agent/opa/releases/tag/v1.0.1) to address Go CVEs.

I did something similar on the ScubaGear side to check for latest OPA version updates

$LatestOPAVersion = Invoke-RestMethod -Uri "https://api.github.com/repos/open-policy-agent/opa/releases/latest" | Select-Object -ExpandProperty tag_name

Bash equivalent

latest_opa_version=$(curl -s https://api.github.com/repos/open-policy-agent/opa/releases/latest | grep '"tag_name"' | sed -E 's/.*"tag_name": "([^"]+)".*/\1/')

[mitchelbaker-cisa]

Other than in DownloadAndInstall.md where we indicate "v3.9 or higher", I don't see any references to a definitive minimum supported python version in the code. Recommend we move this out of the workflow in favor of a more maintainable location that doesn't require a code change when we decide to bump to v3.11, etc. Setting a GitHub secret as "MIN_PYTHON_VERSION"="3.10" may be a short-term alternative.

[mitchelbaker-cisa]

Ran workflow manually against windows/macos with python versions 3.10, 3.11, 3.12 and latest OPA. All passed, but had to rerun the windows 3.12 test due to Google Policy API rate limits (something to keep in mind if testing multiple versions).