
Policy of last resort possible?

Open snuggie12 opened this issue 6 months ago • 1 comments

Is it possible to configure that if all other policies are skipped apply this policy? Or perhaps to say "apply this policy but not if this other policy is active"?

We have 4 or so policies and they are all on specific files in directories. However, another team is responsible for approving if all other files are touched. However, .* covers those other policies as well.

And sure, if it were just 4 policies with a single file each it wouldn't be bad to ignore them, but some of them contain more nuance like total lines changed in a file. So it'd be easier if you simply had the possibility of declaring if all other policies are skipped this is the one.

snuggie12 avatar Oct 09 '25 22:10 snuggie12

If I understand the behavior you are looking for, this is not directly possible today. We usually use one of the following patterns to implement logic like this.

When the team with default responsibility can also approve changes in the special-case files, an or condition works:

policy:
  approval:
    - or:
        - team A approved their files
        - team B approved their files
        - default team approved changes

When the special cases require the approval of the other teams, I think you can use an and condition with some extra rules:

policy:
  approval:
    - team A approved their files
    - team B approved their files
    - or:
        - only team A files changed
        - only team B files changed
        - default team approved changes

The team A files changed rule takes the predicates of the team A approved their files rule and uses them as conditions instead:

approval_rules:
  - name: team A approved their files
    if:
      changed_files:
        paths: ["files/teamA/.*"]
      modified_lines:
        total: "> 10"
        files:
          include: ["files/teamA/.*"]
    requires:
      count: 1
      teams: ["org/teamA"]

  - name: only team A files changed
    requires:
      conditions:
        only_changed_files:
          paths: ["files/teamA/.*"]
        modified_lines:
          total: "> 10"
          files:
            include: ["files/teamA/.*"] 

While this requires some duplication, you can use YAML anchors to avoid duplicating all of the patterns. Note that some of the predicates changed between the rules: changed_files is used in the approval rule to make sure team A's approval is always required, but only_changed_files is used in the condition rule to make sure changing files owned by team A in combination with other files doesn't bypass approval of the other files.

Depending on the behavior you want when files owned by both team A and team B change in the same PR, you may need to adjust how the condition rules work or are combined.

bluekeyes avatar Oct 13 '25 16:10 bluekeyes
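
The difference between `changed_files` and `only_changed_files` in the condition rules, shown as an added example that is not part of the reply above and is not policy-bot's own code. It is a simplified model of the `and` policy that ignores `modified_lines`; the team B pattern, the `org/default` team name and the sample pull requests are assumptions constructed for illustration.

```python
import re

# Path patterns: team A's is from the reply; team B's is assumed by analogy.
TEAM_A = [r"files/teamA/.*"]
TEAM_B = [r"files/teamB/.*"]

def _matches(path, patterns):
    return any(re.match(p, path) for p in patterns)

def changed_files(files, patterns):
    """True when at least one changed file matches a pattern."""
    return any(_matches(f, patterns) for f in files)

def only_changed_files(files, patterns):
    """True only when every changed file matches a pattern."""
    return bool(files) and all(_matches(f, patterns) for f in files)

def team_rule(files, approvals, patterns, team):
    """Approval rule with an `if`: None means skipped, else approved or not."""
    if not changed_files(files, patterns):
        return None
    return team in approvals

def evaluate(files, approvals, condition=only_changed_files):
    """Simplified model of the `and` policy: skipped rules are ignored."""
    fallback = (
        condition(files, TEAM_A)          # "only team A files changed"
        or condition(files, TEAM_B)       # "only team B files changed"
        or "org/default" in approvals     # hypothetical default team
    )
    results = [
        team_rule(files, approvals, TEAM_A, "org/teamA"),
        team_rule(files, approvals, TEAM_B, "org/teamB"),
        fallback,
    ]
    return all(r for r in results if r is not None)

# Constructed pull requests: (changed files, teams that approved).
MIXED = (["files/teamA/app.yaml", "README.md"], {"org/teamA"})
BOTH = (["files/teamA/app.yaml", "files/teamB/db.yaml"], {"org/teamA", "org/teamB"})

if __name__ == "__main__":
    print("mixed, only_changed_files:", evaluate(*MIXED))
    print("mixed, changed_files:", evaluate(*MIXED, condition=changed_files))
    print("teams A and B together:", evaluate(*BOTH))
```

In this model the mixed pull request is approved without the default team only when the condition uses `changed_files`, and a pull request touching both teams' files still needs the default team.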