
apply_requirements or similar way to block applies of unapproved PRs

Open ZIJ opened this issue 11 months ago • 4 comments

Currently the only way to prevent applies of unapproved PRs is via Access Policy [EE feature] in the Management Repo.

Atlantis has a simple apply_requirements config option; it might make sense to have something similar in Digger CE.

ZIJ avatar Mar 07 '24 10:03 ZIJ

This would be really nice to have!

al-lac avatar Mar 07 '24 11:03 al-lac

This is a really key feature for us as well

ben-of-codecraft avatar May 15 '24 18:05 ben-of-codecraft

This actually works already (kind of). When a PR is not mergeable (due to lacking reviews or failing checks), digger will not run applies and fail with the following error: [screenshot of the error, not reproduced here]

For our use case this was enough.

al-lac avatar May 16 '24 07:05 al-lac

I did notice this yesterday for the GitHub CI. It looks like it checks IsMergeable, so if you have approvals or status checks set up it will not allow the apply to happen.

What I would prefer now is a way to configure that at a project level. If you set up your repo as a multi-account project (the most common case being dev/prod environments that share common modules), then you run into a problem: you may want your developer environment to be able to apply without approvals, while your production environment still requires the approval requirements to be met.

This is more of a request at the GitHub level being able to specify directory level checks in branch protection vs having to write a custom status check action; however, it would be nice to allow Digger to have an option to override the default behavior of always forcing a mergeable PR for lower level environments.

Maybe something like:

projects:
    - name: "{{github.org}}-{{github.repo}}-dev"
      dir: dev
      workflow: default
      skip_merge_check: true   # skips the isMergeable check on Digger Apply
      include_patterns: [
        "./modules/**",
        "./config/dev/**",
      ]
      workflow_file: digger_workflow.yml
      aws_role_to_assume:
        state: "{{output.stsStateRole.dev}}"
        command: "{{output.stsCommandRole.dev}}"

    - name: "{{github.org}}-{{github.repo}}-prod"
      dir: prod
      workflow: default
      skip_merge_check: false  # the default anyway, just here for illustration
      include_patterns: [
        "./modules/**",
        "./config/prod/**",
      ]
      workflow_file: digger_workflow.yml
      aws_role_to_assume:
        state: "{{output.stsStateRole.prod}}"
        command: "{{output.stsCommandRole.prod}}"

ben-of-codecraft avatar May 17 '24 14:05 ben-of-codecraft
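An added illustration (not Digger's own code) of the gate the comments above describe: an apply is allowed only when GitHub reports the PR mergeable, unless the project opts out via the proposed, hypothetical `skip_merge_check` key. The project list is a constructed dict-like sample mirroring the dev/prod layout suggested above, and `ungated_projects` is an audit helper that lists which projects could apply from an unreviewed PR.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Project:
    name: str
    include_patterns: list
    skip_merge_check: bool = False  # key proposed in the comment above; not a real Digger key

@dataclass
class PullRequest:
    number: int
    mergeable: bool        # as reported by GitHub (the IsMergeable check mentioned in the thread)
    changed_files: list

def _norm(path):
    """Drop a leading './' so patterns and paths compare the same way."""
    return path[2:] if path.startswith("./") else path

def projects_for_pr(projects, pr):
    """Projects whose include_patterns match at least one file changed by the PR."""
    files = [_norm(f) for f in pr.changed_files]
    return [p for p in projects
            if any(fnmatch(f, _norm(pat)) for f in files for pat in p.include_patterns)]

def apply_allowed(project, pr):
    """Gate described above: an unmergeable PR blocks the apply unless the
    project opts out with skip_merge_check. Returns (allowed, reason)."""
    if pr.mergeable:
        return True, "PR is mergeable"
    if project.skip_merge_check:
        return True, f"{project.name}: skip_merge_check set, applying despite unmergeable PR"
    return False, f"{project.name}: PR #{pr.number} is not mergeable (missing approvals or failing checks)"

def decide(projects, pr):
    """{project name: allowed} for every project the PR touches."""
    return {p.name: apply_allowed(p, pr)[0] for p in projects_for_pr(projects, pr)}

def ungated_projects(projects):
    """Audit helper: names of projects that can apply without a mergeable PR."""
    return sorted(p.name for p in projects if p.skip_merge_check)

# Constructed sample mirroring the dev/prod layout proposed in the thread.
PROJECTS = [
    Project("acme-infra-dev", ["./modules/**", "./config/dev/**"], skip_merge_check=True),
    Project("acme-infra-prod", ["./modules/**", "./config/prod/**"]),
]

if __name__ == "__main__":
    pr = PullRequest(42, mergeable=False, changed_files=["modules/vpc/main.tf"])
    for p in projects_for_pr(PROJECTS, pr):
        print(apply_allowed(p, pr))
```

A change to a shared module touches both projects, so with this gate the same unreviewed PR applies to dev and is blocked for prod.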