Enable status/workflow predicates for use in if condition
This change is a proposal for the use-cases described in #921
It introduces new predicates status_check and workflow that, compared to the currently existing status and workflow, introduce the capability to specify resources by regular expression as well as defining the desired status workflows and status_checks should be in. Additionally, the changes in naming of the GitHub documentation (1, 2) are applied to these new predicates.
Also a status and conclusion any is introduced that will populate the statuses/conclusions with all possible values.
This now allows for more scenarios where a status check or workflow may be required in a rule but only if it exists.
```yaml
policy:
  approval:
    - and:
        - Test Dependencies
        - All started workflow concluded(at least one)
approval_rules:
  - name: Test Dependencies
    description: Test Dependencies Checks Passed
    options:
      invalidate_on_push: true
    if:
      has_workflow:
        statuses: ["any"]
        conclusions: ["any"]
        workflows:
          - '\.github/workflows/test-dependencies\.yml'
    requires:
      conditions:
        has_workflow:
          conclusions: ["success", "skipped"]
          workflows:
            - '\.github/workflows/test-dependencies\.yml'
  - name: All started workflow concluded(at least one)
    description: All started workflow concluded(at least one)
    options:
      invalidate_on_push: true
    requires:
      conditions:
        has_workflow:
          conclusions: ["any"]
          workflows:
            - '.*'
```
Hereby the rule All started workflow concluded(at least one) makes sure all started workflows finished but at least one workflow needs to complete to fulfill the rule. This is to ensure the rules all does not get approved before all workflows are properly created in the API and can be used for rule evaluation. This assumes that it is "unlikely" for a workflow to be scheduled by GitHub Actions after a workflow completely finished timing wise.
The rule Test Dependencies requires the workflow test-dependencies.yml (attention: this is a regex, so it will also match random-test-dependencies.yml) to be present with any status or conclusion, and if so it must finish with conclusion success or skipped. The usual regex escape mechanism can be applied here.
This now allows requiring certain status checks, repo statuses and workflows to be in a certain state/conclusion if they exist at all, which with the current predicates is not possible to cover efficiently. Currently the only workaround is to define the running condition twice with the only_changed_files predicate, which does not work reliably with good user experience. Also, for status checks it might not be possible to mimic the running condition in policy-bot of arbitrary statuses that could possibly have complex logic when they appear and when not.
Hereby the predicates has_workflow_result, has_status and has_successful_status remain identical and are just marked as deprecated. Internally they also use the meta predicates has_status_check and has_workflow, so no code duplication exists.
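An added Go sketch (not part of this pull request and not policy-bot's code) of how the width of a workflow pattern changes the outcome of the conditional Test Dependencies rule above. It assumes unanchored matching as in Go's `regexp.MatchString` and that every matched run must carry an allowed conclusion; `Run`, `matching` and `evaluate` are hypothetical names and the runs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Run is a constructed stand-in for one workflow run on the PR head commit.
type Run struct{ Path, Conclusion string }

// matching returns the runs whose workflow path matches pattern.
// MatchString is unanchored: the pattern may match anywhere in the path.
func matching(pattern string, runs []Run) []Run {
	re := regexp.MustCompile(pattern)
	var out []Run
	for _, r := range runs {
		if re.MatchString(r.Path) {
			out = append(out, r)
		}
	}
	return out
}

// evaluate models the rule: "skipped" when no run matches (the `if` block with
// "any"), "approved" when every matched run has an allowed conclusion (an
// assumption of this sketch), otherwise "pending".
func evaluate(pattern string, allowed map[string]bool, runs []Run) string {
	m := matching(pattern, runs)
	if len(m) == 0 {
		return "skipped"
	}
	for _, r := range m {
		if !allowed[r.Conclusion] {
			return "pending"
		}
	}
	return "approved"
}

func main() {
	runs := []Run{ // constructed sample data
		{".github/workflows/test-dependencies.yml", "success"},
		{".github/workflows/random-test-dependencies.yml", "failure"},
	}
	ok := map[string]bool{"success": true, "skipped": true}
	fmt.Println(evaluate(`test-dependencies\.yml`, ok, runs))                      // file name only: both runs match
	fmt.Println(evaluate(`^\.github/workflows/test-dependencies\.yml$`, ok, runs)) // anchored: exactly one run
	fmt.Println(evaluate(`^\.github/workflows/test-dependencies\.yml$`, ok, nil))  // workflow absent
}
```

Anchoring the pattern with `^` and `$` keeps the set of workflows that gate approval limited to the one file the rule names.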
Thanks for your interest in palantir/policy-bot, @FloThinksPi! Before we can accept your pull request, you need to sign our contributor license agreement - just visit https://cla.palantir.com/ and follow the instructions. Once you sign, I'll automatically update this pull request.