|
| 1 | +# ============================================================================= |
| 2 | +# Resource Management policy (GitHub "Policy Service" / GitOps). |
| 3 | +# |
| 4 | +# This file is consumed by Microsoft's GitOps Policy Service, NOT by GitHub |
| 5 | +# Actions. The service watches the repo and reconciles behavior against the |
| 6 | +# rules below. |
| 7 | +# |
| 8 | +# IMPORTANT SCOPING FACTS: |
| 9 | +# * The service reads .github/policies/* ONLY from the repository's DEFAULT |
| 10 | +# branch (currently `4.0`) and then applies the rules to PRs/issues |
| 11 | +# targeting ANY branch. You therefore cannot keep "3.0 rules" on the 3.0 |
| 12 | +# branch and "4.0 rules" on 4.0 -- everything lives here, on the default |
| 13 | +# branch, and is discriminated by CONDITIONS (e.g. `targetsBranch`). |
| 14 | +# * There is NO file- or group-level branch scope. Filenames are purely |
| 15 | +# organizational. To scope a SET of rules to a branch, put a single |
| 16 | +# `targetsBranch` guard in a parent task's top-level `if:` and nest the |
| 17 | +# rules under its `then:` -- the top-level `if:` is ANDed, so every nested |
| 18 | +# child inherits the guard (see the classic 3.0 group below). |
| 19 | +# * The repo layout differs by era and uses DISJOINT top-level paths, so the |
| 20 | +# area-label groups never collide: |
| 21 | +# - classic (3.0/3.0-dev): SPECS*/, toolkit/ |
| 22 | +# - azldev (4.0): base/, specs/, distro/, locks/, external/, ... |
| 23 | +# |
| 24 | +# Within a task, `if:` is a list of ANDed conditions and `then:` is a list of |
| 25 | +# actions; both can be nested arbitrarily. |
| 26 | +# ============================================================================= |
| 27 | + |
| 28 | +# Top-level scalars below are part of the primitive's template and intentionally |
| 29 | +# left empty. `id` is managed by the Policy Service; `owner`/`where`/`onFailure`/ |
| 30 | +# `onSuccess` are optional and unused. (`where:` selects which REPOS an |
| 31 | +# org-distributed policy targets -- it is NOT a branch/PR filter.) |
| 32 | +id: |
| 33 | +name: GitOps.PullRequestIssueManagement |
| 34 | +description: GitOps.PullRequestIssueManagement primitive |
| 35 | +owner: |
| 36 | +resource: repository |
| 37 | +disabled: false |
| 38 | +where: |
| 39 | +onFailure: |
| 40 | +onSuccess: |
| 41 | +configuration: |
| 42 | + resourceManagementConfiguration: |
| 43 | + scheduledSearches: [] |
| 44 | + eventResponderTasks: |
| 45 | + # ======================================================================= |
| 46 | + # GROUP: 4.0+ area labels (GATED to the 4.0 branch). |
| 47 | + # The single `or(targetsBranch ...)` guard scopes the ENTIRE group; every |
| 48 | + # nested `if/then` inherits it. |
| 49 | + # ======================================================================= |
| 50 | + - description: Area labels for PRs that target 4.0 |
| 51 | + if: |
| 52 | + - payloadType: Pull_Request |
| 53 | + - or: |
| 54 | + - targetsBranch: |
| 55 | + branch: "4.0" |
| 56 | + then: |
| 57 | + # Component definitions, rendered specs, and lock files -> Packaging. |
| 58 | + - if: |
| 59 | + - filesMatchPattern: |
| 60 | + pattern: "^(base/comps|specs|locks)/" |
| 61 | + matchAny: true # true = label if ANY changed file matches |
| 62 | + then: |
| 63 | + - addLabel: |
| 64 | + label: Packaging |
| 65 | + # Documentation |
| 66 | + - if: |
| 67 | + - filesMatchPattern: |
| 68 | + pattern: "^docs/" |
| 69 | + matchAny: true |
| 70 | + then: |
| 71 | + - addLabel: |
| 72 | + label: documentation |
| 73 | + # Branch-name label. The group is already gated to 4.0, so every PR |
| 74 | + # reaching here targets 4.0 -- no nested condition needed. |
| 75 | + - addLabel: |
| 76 | + label: "4.0" |
| 77 | + |
| 78 | + # ======================================================================= |
| 79 | + # GROUP: 3.0-era area labels (GATED to the 3.0 branches). |
| 80 | + # The single `or(targetsBranch ...)` guard in this parent `if:` scopes the |
| 81 | + # ENTIRE group; every nested `if/then` below inherits it. To stop labeling |
| 82 | + # a retired branch, just remove its line from the `or:` list. |
| 83 | + # ======================================================================= |
| 84 | + - description: Area labels for the classic (SPECS/toolkit) layout, 3.0 only |
| 85 | + if: |
| 86 | + - payloadType: Pull_Request |
| 87 | + - or: |
| 88 | + - targetsBranch: |
| 89 | + branch: "3.0" |
| 90 | + - targetsBranch: |
| 91 | + branch: "3.0-dev" |
| 92 | + - targetsBranch: |
| 93 | + branch: "fasttrack/3.0" |
| 94 | + then: |
| 95 | + - if: |
| 96 | + - filesMatchPattern: |
| 97 | + pattern: "^(SPECS|SPECS-EXTENDED|SPECS-SIGNED)/" |
| 98 | + matchAny: true |
| 99 | + then: |
| 100 | + - addLabel: |
| 101 | + label: Packaging |
| 102 | + - if: |
| 103 | + - filesMatchPattern: |
| 104 | + pattern: "^SPECS-EXTENDED/" |
| 105 | + matchAny: true |
| 106 | + then: |
| 107 | + - addLabel: |
| 108 | + label: specs-extended |
| 109 | + - if: |
| 110 | + - filesMatchPattern: |
| 111 | + pattern: "^toolkit/docs/" |
| 112 | + matchAny: true |
| 113 | + then: |
| 114 | + - addLabel: |
| 115 | + label: documentation |
| 116 | + - if: |
| 117 | + - filesMatchPattern: |
| 118 | + pattern: "^toolkit/(tools|scripts)/" |
| 119 | + matchAny: true |
| 120 | + then: |
| 121 | + - addLabel: |
| 122 | + label: Tools |
| 123 | + - if: |
| 124 | + - filesMatchPattern: |
| 125 | + pattern: "^toolkit/(imageconfigs|tools/imagegen/configuration)/" |
| 126 | + matchAny: true |
| 127 | + then: |
| 128 | + - addLabel: |
| 129 | + label: Schema |
| 130 | + |
| 131 | + # Branch-name labels. We always add the '3.0' label for any PR targeting a |
| 132 | + # 3.0 branch, and *also* add a "fasttrack/3.0" label for PRs targeting the |
| 133 | + # fasttrack branch. |
| 134 | + - addLabel: |
| 135 | + label: "3.0" |
| 136 | + - if: |
| 137 | + - targetsBranch: |
| 138 | + branch: "fasttrack/3.0" |
| 139 | + then: |
| 140 | + - addLabel: |
| 141 | + label: "fasttrack/3.0" |
| 142 | + |
| 143 | + # ======================================================================= |
| 144 | + # Era-independent: label PRs opened by an automation bot account. |
| 145 | + # `issueAuthor: false` -> match when the BOT is the activity sender. |
| 146 | + # The `or:` block matches when EITHER known automation account opened the |
| 147 | + # PR; add more accounts here as they appear. |
| 148 | + # ======================================================================= |
| 149 | + - description: Label automated PRs opened by a bot account |
| 150 | + if: |
| 151 | + - payloadType: Pull_Request |
| 152 | + - isAction: |
| 153 | + action: Opened |
| 154 | + - or: |
| 155 | + - isActivitySender: |
| 156 | + user: CBL-Mariner-Bot |
| 157 | + issueAuthor: false |
| 158 | + - isActivitySender: |
| 159 | + user: azurelinux-security |
| 160 | + issueAuthor: false |
| 161 | + then: |
| 162 | + - addLabel: |
| 163 | + label: Automatic PR |
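Review bot: Both branch-gated groups ("Area labels for PRs that target 4.0" and the classic 3.0 group) only ever add labels and have no `isAction` filter, so a PR whose base is changed from `3.0` to `4.0` (or the reverse) would presumably keep the old branch and area labels alongside the new ones. If triage, backport or security-review routing keys on these labels, consider adding a `removeLabel` for the other era's branch labels inside each gated `then:`, e.g. `- removeLabel:` / `label: "3.0"` under the 4.0 group. Separately, the final task records only that one of two logins opened the PR, and the label itself can be applied by hand by anyone with triage rights. A comment above it such as `# Informational only: do not treat "Automatic PR" as a provenance or auto-merge signal.` would keep later automation from relying on it.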