
Policy validation should rely on PR status checks #1099

Open

Description

@ZIJ

Currently policies (access and plan) are run as part of plan / apply steps, and reported into comments. For example, before apply we check plan policy, then feed the result into access policy, and only if it succeeds apply is run. This works for edge cases like policy overrides, but makes the logic pretty complex and inflexible. It's effectively an implicit pipeline with policy checks tightly coupled to plan / apply. But not everyone wants policies; and those who do might want to check them separately.

A better approach would be to treat policy checking as a completely separate sequence. It would run only if users explicitly enable it, and report success / failure into PR status checks. The apply step will then only check general mergeability - it does not need to check specifically for policies.

(from offline discussion over lunch with @motatoes 31.01.2024)
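The separation proposed above, as an added Go example that is not digger's own code: a hypothetical `PolicySequence` that runs only when enabled and emits one commit status per policy, and a `Mergeable` gate for the apply step that looks only at required status contexts. The `digger/policy/<name>` context names, the `PolicyResult` type and the sample violations are constructed assumptions.

```go
package main

import "fmt"

type StatusState string

const StateSuccess, StateFailure StatusState = "success", "failure"

// CommitStatus mirrors the fields of a GitHub commit status.
type CommitStatus struct {
	Context, Description string
	State                StatusState
}

// PolicyResult is a constructed outcome of one policy, e.g. "plan" or "access";
// a policy with no violations counts as passed.
type PolicyResult struct {
	Name       string
	Violations []string
}

// PolicySequence runs as its own opt-in step and reports each policy as a separate status; results are not chained into one another. The digger/policy/<name> context is an assumption.
func PolicySequence(enabled bool, results []PolicyResult) []CommitStatus {
	if !enabled {
		return nil // users who do not want policies get no policy statuses at all
	}
	var statuses []CommitStatus
	for _, r := range results {
		st := CommitStatus{Context: "digger/policy/" + r.Name, State: StateSuccess, Description: "policy passed"}
		if len(r.Violations) > 0 {
			st.State, st.Description = StateFailure, fmt.Sprintf("%d violation(s): %v", len(r.Violations), r.Violations)
		}
		statuses = append(statuses, st)
	}
	return statuses
}

// Mergeable is the apply-side gate: it only checks that every required status context is present and successful, and knows nothing about policies.
func Mergeable(required []string, statuses []CommitStatus) (bool, string) {
	byContext := map[string]StatusState{}
	for _, s := range statuses {
		byContext[s.Context] = s.State
	}
	for _, ctx := range required {
		if state, ok := byContext[ctx]; !ok {
			return false, "missing required check: " + ctx
		} else if state != StateSuccess {
			return false, fmt.Sprintf("required check %s is %s", ctx, state)
		}
	}
	return true, "all required checks passed"
}
```

Which contexts are required is a repository setting (branch protection), so a repository that never enables the policy sequence simply does not list those contexts and apply proceeds on the remaining checks.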


Labels: policy-as-code (Issues related to policies & code analysis, e.g. OPA, Checkov, etc.), tech debt