feat: add validate-policy-bot-action

.github/workflows/validate-policy-bot-config.yml

@@ -0,0 +1,21 @@
+name: Validate Policy Bot config
+
+on:
+  pull_request:
+    paths:
+      - .policy.yml
+  push:
+    branches:
+      - main
+    paths:
+      - .policy.yml
+
+jobs:
+  validate-policy-bot-config:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+      - name: Validate Policy Bot config
+        uses: ./actions/validate-policy-bot-config

.policy.yml

@@ -0,0 +1,217 @@
+policy:
+  approval:
+    - or:
+        - and:
+            - Workflow .github/workflows/build-trigger-argo-workflow.yaml succeeded or skipped
+            - Workflow .github/workflows/codeql.yml succeeded or skipped
+            - Workflow .github/workflows/lint-pr-title.yml succeeded or skipped
+            - Workflow .github/workflows/lint-shared-workflows.yaml succeeded or skipped
+            - Workflow .github/workflows/renovate.yml succeeded or skipped
+            - Workflow .github/workflows/test-find-pr-for-commit.yml succeeded or skipped
+            - Workflow .github/workflows/test-get-vault-secrets.yaml succeeded or skipped
+            - Workflow .github/workflows/test-lint-pr-title.yml succeeded or skipped
+            - Workflow .github/workflows/test-login-to-gar.yaml succeeded or skipped
+            - Workflow .github/workflows/test-publish-techdocs.yml succeeded or skipped
+            - Workflow .github/workflows/test-setup-argo.yml succeeded or skipped
+            - Workflow .github/workflows/test-techdocs-rewrite-relative-links.yaml succeeded or skipped
+            - Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+            - default to approval
+        - override policies
+    - policy bot config is valid when modified
+approval_rules:
+  - name: Workflow .github/workflows/build-trigger-argo-workflow.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/trigger-argo-workflow\/(?:(?:[^/]*(?:/|$))*)$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/build-trigger-argo-workflow.yaml
+  - name: Workflow .github/workflows/codeql.yml succeeded or skipped
+    if:
+      targets_branch:
+        pattern: (^main$)
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/codeql.yml
+  - name: Workflow .github/workflows/lint-pr-title.yml succeeded or skipped
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/lint-pr-title.yml
+  - name: Workflow .github/workflows/lint-shared-workflows.yaml succeeded or skipped
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/lint-shared-workflows.yaml
+  - name: Workflow .github/workflows/renovate.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.github\/renovate-config\.json$
+          - ^\.github\/workflows\/renovate\.yml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/renovate.yml
+  - name: Workflow .github/workflows/test-find-pr-for-commit.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/find-pr-for-commit\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/test-find-pr-for-commit\.yml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-find-pr-for-commit.yml
+  - name: Workflow .github/workflows/test-get-vault-secrets.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/get-vault-secrets\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/test-get-vault-secrets\.yaml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-get-vault-secrets.yaml
+  - name: Workflow .github/workflows/test-lint-pr-title.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.github\/workflows\/test-lint-pr-title\.yml$
+          - ^actions\/lint-pr-title\/(?:(?:[^/]*(?:/|$))*)$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-lint-pr-title.yml
+  - name: Workflow .github/workflows/test-login-to-gar.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/login-to-gar\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/test-login-to-gar\.yaml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-login-to-gar.yaml
+  - name: Workflow .github/workflows/test-publish-techdocs.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.github\/publish-techdocs-testdata\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/publish-techdocs\.yaml$
+          - ^\.github\/workflows\/test-publish-techdocs\.yml$
+          - ^\.github\/workflows\/test-techdocs-rewrite-relative-links\.yml$
+          - ^techdocs-rewrite-relative-links\/(?:(?:[^/]*(?:/|$))*)$
+      targets_branch:
+        pattern: (^main$)
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-publish-techdocs.yml
+  - name: Workflow .github/workflows/test-setup-argo.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/setup-argo\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/test-setup-argo\.yml$
+      targets_branch:
+        pattern: (^main$)
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-setup-argo.yml
+  - name: Workflow .github/workflows/test-techdocs-rewrite-relative-links.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^actions\/techdocs-rewrite-relative-links\/(?:(?:[^/]*(?:/|$))*)$
+          - ^\.github\/workflows\/test-techdocs-rewrite-relative-links\.yaml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/test-techdocs-rewrite-relative-links.yaml
+  - name: Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/validate-policy-bot-config.yml
+  - name: default to approval
+  - name: policy bot config is valid when modified
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml
+    requires:
+      conditions:
+        has_successful_status:
+          - Validate policy bot config
+  - name: override policies
+    options:
+      methods:
+        comments:
+          - "policy bot: approve"
+          - "policy-bot: approve"
+        github_review: false
+    requires:
+      count: 1
+      permissions:
+        - write

actions/validate-policy-bot-config/README.md

@@ -0,0 +1,24 @@
+# validate-policy-bot-config
+
+Validates the `.policy.yml` configuration file.
+
+Example workflow:
+
+```yaml
+name: validate-policy-bot
+on:
+  pull_request:
+    paths:
+      - ".policy.yml"
+  push:
+    paths:
+      - ".policy.yml
+jobs:
+  validate-policy-bot:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Validate Policy Bot configuration
+        uses: grafana/shared-workflows/actions/validate-policy-bot-config@main
+```

actions/validate-policy-bot-config/action.yml

@@ -0,0 +1,21 @@
+name: Validate Policy Bot Config
+description: Validates the Policy Bot configuration file.
+
+inputs:
+  validation_endpoint:
+    description: |
+      Validation API endpoint.
+    default: https://github-policy-bot.grafana-ops.net/api/validate
+
+runs:
+  using: composite
+  steps:
+    - name: Validate Policy Bot config
+      shell: bash
+      run: |
+        curl \
+          --silent \
+          --fail-with-body \
+          --request PUT \
+          --upload-file .policy.yml \
+          ${{ inputs.validation_endpoint }}