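# Policy for palantir/blueprint (policy-bot format)
#
# Approval rules are split by author type:
# - Blueprint team members: trusted; approvals are NOT invalidated on push
# - External contributors: stricter; approvals are invalidated on every push,
#   including update merges from the base branch (ignore_update_merges: false).
#   If update merges were meant to be exempt, set ignore_update_merges: true on
#   the two "external contributor" rules rather than relying on this comment.
#
# Rules with `count: 0` let bot PRs merge with no human review. Each of them is
# gated on every commit being signed by the listed GPG key IDs, so those
# signing keys are the trust anchor for unreviewed merges: a leaked key should
# be treated as a repository compromise, not just a bot-account compromise.
#
# Path patterns under `only_changed_files` are regular expressions. Anchor them
# with ^ and $ and escape literal dots; otherwise "package.json" also matches
# "package-json", and an unanchored pattern matches anywhere inside a path.
policy:
  approval:
    - or:
        # Blueprint team members - trusted
        - blueprint team member approved by one admin
        - blueprint team member approved by two admins (contributor allowed)
        # External contributors - stricter
        - external contributor approved by one admin
        - external contributor approved by two admins (contributor allowed)
        # Special cases
        - changelog only and contributor approval
        - fixing excavator
        - excavator only touched changelog or circle files
        - excavator only touched config files
        - bots updated package.json and lock files
  # Any member of the palantir organization can block a PR by disapproving it.
  disapproval:
    requires:
      organizations: ["palantir"]

approval_rules:
  # ============================================
  # BLUEPRINT TEAM MEMBERS (trusted)
  # ============================================
  - name: blueprint team member approved by one admin
    description: >
      For PRs authored by Blueprint team members. Approvals are not invalidated
      when new commits are pushed, as team members are trusted.
    options:
      allow_contributor: false
      invalidate_on_push: false
      ignore_edited_comments: true
    if:
      has_author_in:
        teams: ["palantir/blueprint"]
    requires:
      count: 1
      permissions: ["admin", "maintain"]

  - name: blueprint team member approved by two admins (contributor allowed)
    description: >
      Alternative for Blueprint team members: allows the PR author to count as an
      approver (useful when a maintainer pushes fixes to someone's PR).
    options:
      allow_contributor: true
      invalidate_on_push: false
      ignore_edited_comments: true
    if:
      has_author_in:
        teams: ["palantir/blueprint"]
    requires:
      count: 2
      permissions: ["admin", "maintain"]

  # ============================================
  # EXTERNAL CONTRIBUTORS (stricter rules)
  # ============================================
  # Neither rule below has an `if` clause, so both apply to every author. That
  # is harmless inside the `or` above: a team member's PR also satisfies the
  # looser team rules, so the stricter terms only bind authors outside the team.
  - name: external contributor approved by one admin
    description: >
      For PRs from external contributors. Approvals are invalidated when new
      commits are pushed.
    options:
      allow_contributor: false
      invalidate_on_push: true
      ignore_update_merges: false
      ignore_edited_comments: true
    requires:
      count: 1
      permissions: ["admin", "maintain"]

  - name: external contributor approved by two admins (contributor allowed)
    description: >
      Alternative for external contributors: allows contributors to count as
      approvers.
    options:
      allow_contributor: true
      invalidate_on_push: true
      ignore_update_merges: false
      ignore_edited_comments: true
    requires:
      count: 2
      permissions: ["admin", "maintain"]

  # ============================================
  # SPECIAL CASES (for all authors)
  # ============================================
  - name: changelog only and contributor approval
    # allow_contributor: true lets an admin/maintainer author supply the single
    # required approval on their own changelog-only PR.
    options:
      allow_contributor: true
      ignore_edited_comments: true
    requires:
      count: 1
      permissions: ["admin", "maintain"]
    if:
      only_changed_files:
        paths:
          # Anchored to the repo-root changelog directory and to a .yml suffix.
          # NOTE(review): drop the leading ^ if per-package changelog dirs exist.
          - "^changelog/@unreleased/.*\\.yml$"

  - name: fixing excavator
    # A human admin/maintainer must approve a bot PR that does not qualify for
    # one of the count: 0 rules below; allow_contributor lets the person who
    # pushed a fix onto the bot's branch be that approver.
    options:
      allow_contributor: true
      ignore_edited_comments: true
    requires:
      count: 1
      permissions: ["admin", "maintain"]
    if:
      has_author_in:
        users: ["svc-excavator-bot", "dependabot[bot]"]

  - name: excavator only touched changelog or circle files
    # Zero human approvals: a bot PR merges on its own when it only touches
    # changelog entries or CircleCI config AND every commit is signed by one of
    # the keys below. .circleci/ is CI configuration, so whoever controls these
    # keys can change what runs in CI without review.
    # If 4AEE18F83AFDEB23 is GitHub's web-flow key (the one GitHub applies to
    # commits made through its web UI), then edits a person makes in the web
    # editor on the bot's branch also carry an accepted signature here;
    # has_author_in appears to look only at the PR author, not at who pushed.
    requires:
      count: 0
    if:
      has_author_in:
        users: ["svc-excavator-bot", "dependabot[bot]"]
      only_changed_files:
        paths:
          - "^changelog/@unreleased/.*\\.yml$"
          - "^\\.circleci/.*$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0", "4AEE18F83AFDEB23"]

  - name: excavator only touched config files
    # Zero human approvals for svc-excavator-bot on dotfile config, gated on
    # signatures by a single key. "^\..*\.yml$" spans directories, so besides
    # .github/workflows/*.yml it also matches this .policy.yml itself: the bot
    # key alone can land a change to the merge policy. Narrow or split the
    # pattern if that is broader than intended.
    requires:
      count: 0
    if:
      has_author_in:
        users: ["svc-excavator-bot"]
      only_changed_files:
        paths:
          - "^\\..*\\.yml$"
          - "^\\.github/.*$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0"]

  - name: bots updated package.json and lock files
    # Zero human approvals for dependency bumps touching any package.json or
    # pnpm-lock.yaml in the repo, signed by the excavator key.
    # NOTE(review): dependabot[bot] is an allowed author here, but only
    # C9AF124A484882E0 is accepted, whereas the circle-files rule above also
    # accepts 4AEE18F83AFDEB23 for dependabot. Confirm whether dependabot PRs
    # are meant to fall through to "fixing excavator" (one human approval).
    requires:
      count: 0
    if:
      has_author_in:
        users:
          - "svc-excavator-bot"
          - "dependabot[bot]"
      only_changed_files:
        paths:
          - "^.*package\\.json$"
          - "^.*pnpm-lock\\.yaml$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0"]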