feat: add policy bot configuration (#48)

This allows us to have different configurations for the workflows and at
the same time have a single configuration for what's required to pass in
order to merge a PR.

Signed-off-by: Marcelo E. Magallon <[email protected]>

Author: mem

.github/workflows/validate-policy-bot-config.yml

@@ -0,0 +1,33 @@
+name: Validate Policy Bot Config
+
+on:
+  pull_request:
+    paths:
+      - ".policy.yml"
+
+  push:
+    branches:
+      - main
+    paths:
+      - ".policy.yml"
+
+jobs:
+  validate:
+    name: Validate policy bot config
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persists-credentials: false
+
+      - name: Validate policy bot config
+        run: |
+          curl \
+            --silent \
+            --fail-with-body \
+            --request PUT \
+            --upload-file .policy.yml \
+            https://github-policy-bot.grafana-ops.net/api/validate

.policy.yml

@@ -0,0 +1,86 @@
+# This file is generated by generate-policy-bot-config.
+# Do not edit directly. Run "make .policy.yml" to update.
+
+# The contents of ".policy.yml.tmpl" were merged with the generated parts of this config.
+# To add additional policies to the config, update this file and then run "make .policy.yml".
+
+policy:
+  approval:
+    - or:
+        - and:
+            - Workflow .github/workflows/lint.yaml succeeded or skipped
+            - Workflow .github/workflows/push-pr-release.yaml succeeded or skipped
+            - Workflow .github/workflows/renovate-validate.yaml succeeded or skipped
+            - Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+            - default to approval
+        - override policies
+    - policy bot config is valid when modified
+approval_rules:
+  - name: Workflow .github/workflows/lint.yaml succeeded or skipped
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/lint.yaml
+  - name: Workflow .github/workflows/push-pr-release.yaml succeeded or skipped
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/push-pr-release.yaml
+  - name: Workflow .github/workflows/renovate-validate.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^renovate\.(?:[^/]*)$
+          - ^\.renovate\.(?:[^/]*)$
+          - ^\.github\/renovate\.(?:[^/]*)$
+          - ^\.github\/workflows\/renovate(?:[^/]*)$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/renovate-validate.yaml
+  - name: Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/validate-policy-bot-config.yml
+  - name: default to approval
+  - name: policy bot config is valid when modified
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml
+    requires:
+      conditions:
+        has_successful_status:
+          - Validate policy bot config
+  - name: override policies
+    options:
+      methods:
+        comments:
+          - 'policy bot: approve'
+          - 'policy-bot: approve'
+        github_review: false
+    requires:
+      count: 1
+      permissions:
+        - write

.policy.yml.tmpl

@@ -0,0 +1,34 @@
+# Require some statuses to pass only if certain files are modified. This is a
+# template file. You can edit it and the generated contents (to enforce that
+# conditional workflows pass when they are triggered) will be inserted where
+# `MERGE_WITH_GENERATED` is.
+
+policy:
+  approval:
+    - or:
+        - MERGE_WITH_GENERATED
+        - override policies
+    - policy bot config is valid when modified
+
+approval_rules:
+  - name: policy bot config is valid when modified
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml
+    requires:
+      conditions:
+        has_successful_status:
+          - Validate policy bot config
+
+  - name: override policies
+    requires:
+      count: 1
+      permissions:
+        - write
+    options:
+      methods:
+        comments:
+          - "policy bot: approve"
+          - "policy-bot: approve"
+        github_review: false

scripts/gen-policy-bot-config

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+set -u
+
+IMAGE=ghcr.io/grafana/generate-policy-bot-config:latest
+
+targetdir=${1:-}
+mergearg=
+
+if test -z "${targetdir}" ; then
+	targetdir=$(git rev-parse --show-toplevel)
+fi
+
+if test -f "${targetdir}/.policy.yml.tmpl" ; then
+	mergearg="--merge-with=.policy.yml.tmpl"
+fi
+
+docker run --rm                       \
+	--volume "${targetdir}:/work" \
+	--user "$(id -u):$(id -g)"    \
+	--workdir /work               \
+	"${IMAGE}"                    \
+	--output /work/.policy.yml    \
+	"${mergearg}"                 \
+	.

scripts/make/620_generate_policy_bot_config.mk

@@ -0,0 +1,5 @@
+.PHONY: generate-policy-bot-config
+generate-policy-bot-config: ## Generate policy bot config.
+	$(S) echo 'Generating policy bot configuration...'
+	$(V) $(ROOTDIR)/scripts/gen-policy-bot-config "$(ROOTDIR)"
+	$(S) echo 'Done.'