Comments (2)
bluekeyes
commented on June 6, 2024
In the case you describe, can the admin group C always approve all changes? Or are there certain changes that require approval from groups A/B in addition to the admins in group C?
If the former, I think you can do something like this:
policy:
approval:
- or:
# no file conditions for admin approval
- admins approved
# each group rule uses changed_files for its paths
- and:
- group A approved any group A changes
- group B approved any group B changes
# ...If the non-admin groups must always approve changes to their files, you can do something like this:
policy:
approval:
# each group rule uses changed_files for its paths
- group A approved any group A changes
- group B approved any group B changes
# ...
- or:
# no file conditions for admin approval
- admins approved
# uses only_changed_files with ALL of the files from the group rules above
- only group files were changedThat doesn't require negative lookahead (which isn't supported), but does require listing out all of the files for each non-admin group a second time. But if you're generating the policy based on the groups to begin with, maybe adding the same paths in a second place isn't that bad.
from policy-bot.
dsw2127
commented on June 6, 2024
In my particular case the admin group C can always approve. That said, your first example wouldn't work because if a PR was submitted that for example touched a group A file and a "restricted" file, the "and" block would pass and thus the overall policy would pass, which is not what we want (we should require group C approval for a PR like that).
I ended up doing something like:
policy:
approval:
- or:
# Group files block - iff all changes to any group files have been approved by the relevant groups,
# and only group files have been modified, this block will pass
- and:
- changes to A files have been approved by group A
- changes to B files have been approved by group B
- or:
# If non-group files have been modified, the below rule will be skipped, so we need
# to have the admin rules to make sure changes to other files are sufficiently approved
- if only group files have been modified allow
- admin team has approved
# The below rules are duplicated to allow approval even if not all relevant groups have
# approved their owned files, for emergency or broad changes
- admin team has approved
This works for this case, especially as we are programmatically generating the policy file. However, since all of the files need to be added both as rules allowing their group to approve them, AND added to the "if only group files have been modified allow" rule, it would be easy to make a mistake.
from policy-bot.
Related Issues (20)
- How to ignore a user's approval in one team when the user is member of two approval teams? HOT 2
- Policy bot stuck on `Commit hash does not have a pushed date` HOT 29
- Trouble loading policy from repo HOT 2
- Allow '=' as comparison operator HOT 1
- Misleading documentation about file path regular expressions HOT 1
- AppID ENV Variable not respected HOT 2
- Confusing behavior with skipped checks. HOT 5
- Add feature to use request more reviewers than required count in case of random-users HOT 1
- [Question] Approval by teams agregator
- Declarative Testing of Policies HOT 5
- Certain merges can lead to ignored commits during evaluation
- Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs HOT 3
- If no rule matches can policy-bot not set a failed status on the PR? HOT 1
- Unable to run policy-bot behind a reverse-prxoy HOT 3
- `common.IsActor()` does not actually use `ctx` and can be simplified.
- Condition for not having specific label(s) HOT 6
- has_successful_status causes review requests while PR has draft status HOT 5
- Status check clarification HOT 2
- Feature Request: Predicate to skip rule if a file was changed HOT 6
- Feature Request: Option to count skipped jobs in has_successful_status HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policy-bot.