diff --git a/.policy.yml b/.policy.yml index b9dc830..3593a39 100644 --- a/.policy.yml +++ b/.policy.yml @@ -18,23 +18,25 @@ approval_rules: - name: one admin has approved (PR contributors not allowed) options: allow_contributor: false + invalidate_on_push: true requires: count: 1 - admins: true + permissions: ["admin", "maintain"] - name: two admins have approved options: allow_contributor: true + invalidate_on_push: true requires: count: 2 - admins: true + permissions: ["admin", "maintain"] - name: changelog only and contributor approval options: allow_contributor: true requires: count: 1 - admins: true + permissions: ["admin", "maintain"] if: only_changed_files: paths: @@ -45,23 +47,25 @@ approval_rules: allow_contributor: true requires: count: 1 - admins: true + permissions: ["admin", "maintain"] if: has_author_in: - users: [ "svc-excavator-bot" ] + users: [ "svc-excavator-bot", "dependabot[bot]" ] - name: excavator only touched baseline, circle, gradle files, godel files, generated code, go dependencies, docker-compose-rule config or versions.props requires: count: 0 if: has_author_in: - users: [ "svc-excavator-bot" ] + users: [ "svc-excavator-bot", "dependabot[bot]" ] only_changed_files: # product-dependencies.lock should never go here, to force review of all product (SLS) dependency changes # this way excavator cannot change the deployability of a service or product via auto-merge paths: - "changelog/@unreleased/.*\\.yml" - "^\\.baseline/.*$" + - "^(.+/)?Cargo.toml$" + - "^Cargo.lock$" - "^\\.circleci/.*$" - "^\\.docker-compose-rule\\.yml$" - "^.*gradle$" @@ -83,7 +87,7 @@ approval_rules: - "^internal/generated_src/.*" - "^gradle-baseline-java/src/main/resources/checkstyle.version$" has_valid_signatures_by_keys: - key_ids: ["C9AF124A484882E0"] + key_ids: ["C9AF124A484882E0", "4AEE18F83AFDEB23"] - name: excavator only touched config files requires:
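Review bot: `invalidate_on_push: true` is added to the first two rules only; the "changelog only and contributor approval" rule in this hunk and the `count: 1` bot-author rule at the top of the next hunk (its name line is above the visible lines) still keep an approval after new commits are pushed. The bot-author rule matters most, because its only visible condition is `has_author_in`, which as far as I know matches the pull request author rather than each commit. An approval given on the bot's original change would therefore seem to carry over to anything pushed later. I would add `invalidate_on_push: true` under `options:` in both rules, or leave a comment explaining why they are exempt. Separately, the move from `admins: true` to `permissions: ["admin", "maintain"]` widens who can approve, so a one-line comment recording that the maintain role is included on purpose would help later audits.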
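Review bot: The new path entries `"^(.+/)?Cargo.toml$"` and `"^Cargo.lock$"` sit in the `count: 0` rule, so dependency manifest and lockfile changes opened by either listed bot can merge with no human approval. That sits uneasily with the comment just above the list about forcing review of dependency changes. If it is intended, extend that comment to say so and update the rule name, which still mentions only excavator; otherwise move the Cargo paths to the `count: 1` rule. The dots are also unescaped, unlike the neighbouring entries; `"^(.+/)?Cargo\\.toml$"` and `"^Cargo\\.lock$"` match only the intended file names. This rule's path list and remaining conditions continue past the end of the hunk.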
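Review bot: The second entry added to `key_ids` has no comment saying whose key it is, and a signing-key allowlist is only as exclusive as the least exclusive key in it. `4AEE18F83AFDEB23` looks like the key GitHub uses to sign commits created through its web interface and API (please confirm). If so, it is not specific to any bot, and the signature check stops distinguishing bot commits from commits that any user with push access makes through the web UI. I would add a comment above the list naming each key's owner, e.g. `# C9AF124A484882E0: <owner>; 4AEE18F83AFDEB23: <owner>`, and consider pairing the rule with a commit-author condition such as `only_has_contributors_in`. The rule this condition belongs to starts above the hunk; if it is the `count: 0` rule from the previous hunk, the signature is the main thing standing between a push and an unreviewed merge.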