.policy.yml

# Excavator auto-updates this file. Please contribute improvements to the central template.

policy:
  approval:
    - or:
      - one admin has approved (PR contributors not allowed)
      - two admins have approved
      - changelog only and contributor approval
      - fixing excavator
      - excavator only touched baseline, circle, gradle files, godel files, go dependencies, docker-compose-rule config or versions.props
      - excavator only touched config files
      - bots updated package.json and lock files
  disapproval:
    requires:
      organizations: [ "palantir" ]

approval_rules:
  - name: one admin has approved (PR contributors not allowed)
    options:
      allow_contributor: false
    requires:
      count: 1
      admins: true

  - name: two admins have approved
    options:
      allow_contributor: true
    requires:
      count: 2
      admins: true

  - name: changelog only and contributor approval
    options:
      allow_contributor: true
    requires:
      count: 1
      admins: true
    if:
      only_changed_files:
        paths:
          - "changelog/@unreleased/.*\\.yml"

  - name: fixing excavator
    options:
      allow_contributor: true
    requires:
      count: 1
      admins: true
    if:
      has_author_in:
        users: [ "svc-excavator-bot" ]

  - name: excavator only touched baseline, circle, gradle files, godel files, go dependencies, docker-compose-rule config or versions.props
    requires:
      count: 0
    if:
      has_author_in:
        users: [ "svc-excavator-bot" ]
      only_changed_files:
        # product-dependencies.lock should never go here, to force review of all product (SLS) dependency changes
        # this way excavator cannot change the deployability of a service or product via auto-merge
        paths:
          - "changelog/@unreleased/.*\\.yml"
          - "^\\.baseline/.*$"
          - "^\\.circleci/.*$"
          - "^\\.docker-compose-rule\\.yml$"
          - "^.*gradle$"
          - "^gradle/wrapper/.*"
          - "^gradlew$"
          - "^gradlew.bat$"
          - "^gradle.properties$"
          - "^settings.gradle$"
          - "^go.mod$"
          - "^go.sum$"
          - "^godelw$"
          - "^godel/config/godel.properties$"
          - "^godel/config/godel.yml$"
          - "^vendor/.*$"
          - "^versions.props$"
          - "^versions.lock$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0"]

  - name: excavator only touched config files
    requires:
      count: 0
    if:
      has_author_in:
        users: [ "svc-excavator-bot" ]
      only_changed_files:
        paths:
          - "^\\..*.yml$"
          - "^\\.github/.*$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0"]

  - name: bots updated package.json and lock files
    requires:
      count: 0
    if:
      has_author_in:
        users:
        - "svc-excavator-bot"
        - "dependabot[bot]"
      only_changed_files:
        paths:
          - "^.*yarn.lock$"
          - "^.*package.json$"
      has_valid_signatures_by_keys:
        key_ids: ["C9AF124A484882E0"]