feat: add skip field to policy group attachments #2564
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Add support for explicitly disabling specific policies within a policy group by specifying their metadata names in a skip list. This allows users to selectively exclude policies from evaluation without modifying the policy group itself. Changes: - Add skip field to PolicyGroupAttachment protobuf message - Implement getPolicyName() helper to extract policy names from attachments - Filter skipped policies in both material and attestation evaluation paths - Add validateSkipList() to warn about non-existent policy names - Add comprehensive test coverage for skip functionality Example usage: ```yaml policyGroups: - ref: file://groups/sbom-quality.yaml with: bannedLicenses: AGPL-3.0 skip: - sbom-present - license-check ``` Policies are matched by metadata.name. Unknown policy names in the skip list generate warnings but allow execution to continue. Closes chainloop-dev#2557 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Change validateSkipList() to return an error instead of logging warnings directly. This allows the function to be reused in contexts where validation errors should block execution, while still supporting the current behavior of logging warnings and continuing. Changes: - Update validateSkipList() to collect unknown policy names and return error - Callers in VerifyMaterial() and VerifyStatement() log errors as warnings - Add comprehensive tests for validateSkipList() error returns - All existing tests continue to pass The current user-facing behavior is unchanged: unknown policy names generate warnings but do not block execution. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Update the warning log message to be more user-friendly. The error object already contains the group name and list of unknown policies, so the message now clearly indicates what the issue is. Changed message from "skip list validation warning" to "some policies in skip list were not found in the policy group". The error details include the specific policy names and group name. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Summary
Add support for explicitly disabling specific policies within a policy group by specifying their metadata names in a skip list.
Users can now selectively exclude policies from evaluation without modifying the policy group itself by adding a
skipfield to policy group attachments in workflow contracts.Implementation
skipfield toPolicyGroupAttachmentprotobuf messageUsage
Behavior
metadata.namefieldCloses #2557