From 027027a4ab9763f7cea5e031148d7f45cbe7aeef Mon Sep 17 00:00:00 2001 From: Ryan Hall Date: Wed, 20 May 2026 10:55:14 +1200 Subject: [PATCH 1/3] feat: add examples for RequiresApproval and cross-environment feed validation in input schema --- .../docs/platform-hub/policies/schema.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/src/pages/docs/platform-hub/policies/schema.md b/src/pages/docs/platform-hub/policies/schema.md index b22ce825cc..0578779c2a 100644 --- a/src/pages/docs/platform-hub/policies/schema.md +++ b/src/pages/docs/platform-hub/policies/schema.md @@ -95,6 +95,23 @@ The project group the project belongs to. | Name | string | The display name of the project group | | Slug | string | The URL-safe slug for the project group | +### RequiresApproval + +Indicates whether an ITSM change approval is required for this deployment. Derived from the change control settings configured on the target project and environment. + +**Example usage:** + +```ruby +package require_change_approvals + +default result := { "allowed": false } + +result := { + "allowed": input.RequiresApproval, + "reason": "No ITSM change request was found attached to this deployment or runbook run. Attach an approved change request, and try again.", +} +``` + ### Tenant The tenant for tenanted deployments. **This field is absent for non-tenanted deployments.** Always guard against its absence before using it. @@ -163,6 +180,7 @@ result := {"allowed": true} if { step.Source.SlugOrId == "" not step.Id in input.SkippedSteps step.Enabled == true + step.IsConditional == false } ``` 
@@ -197,6 +215,50 @@ result := {"allowed": true} if { } ``` +```ruby +package block_cross_environment_feeds + +default result := { + "allowed": true, + "reason": "All packages use feeds appropriate for the target environment.", +} + +# Collect all packages across all steps +all_packages contains pkg if { + some step in input.Steps + some pkg in step.Packages +} + +# Violation: dev feed used in production +violations contains msg if { + input.Environment.Slug == "prod" + some pkg in all_packages + contains(lower(pkg.Feed.Slug), "dev") + msg := sprintf( + "Non-compliant: Step '%s' uses dev feed '%s' but is deploying to Production.", + [pkg.Id, pkg.Feed.Name], + ) +} + +# Violation: prod feed used in dev +violations contains msg if { + input.Environment.Slug == "dev" + some pkg in all_packages + contains(lower(pkg.Feed.Slug), "prod") + msg := sprintf( + "Step '%s' uses prod feed '%s' but is deploying to Dev.", + [pkg.Id, pkg.Feed.Name], + ) +} + +result := { + "allowed": false, + "reason": concat(" ", violations), +} if { + count(violations) > 0 +} +``` + #### Feed object | Property | Type | Always Present | Description | From 25a8f720dee5ecf6a318d1bda5904d5cff9a7379 Mon Sep 17 00:00:00 2001 From: Ryan Hall Date: Wed, 20 May 2026 11:33:07 +1200 Subject: [PATCH 2/3] Add link to RequiresApproval field --- src/pages/docs/platform-hub/policies/schema.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/platform-hub/policies/schema.md b/src/pages/docs/platform-hub/policies/schema.md index 0578779c2a..b6dcaa7740 100644 --- a/src/pages/docs/platform-hub/policies/schema.md +++ b/src/pages/docs/platform-hub/policies/schema.md 
@@ -28,7 +28,7 @@ The table below summarizes every top-level field available to your policies. | [Steps](#steps) | array | Yes | All steps included in the deployment process | | [SkippedSteps](#steps-and-skippedsteps) | array | Yes | IDs of any steps excluded from this deployment | | [Execution](#execution) | array | Yes | Execution order and parallelism settings for each step | -| RequiresApproval | boolean | Yes | Whether the execution requires an [approval](/docs/approvals) | +| [RequiresApproval](#requiresapproval) | boolean | Yes | Whether the execution requires an [approval](/docs/approvals) | | [Tenant](#tenant) | object | **No** | Present only for tenanted deployments | | [Release](#release) | object | **No** | Present only for deployments (not runbook runs) | | [Runbook](#runbook) | object | **No** | Present only for runbook runs (not deployments) | From 0e3efd3af6701f1c2018b1676738b14215c4aaf0 Mon Sep 17 00:00:00 2001 From: Ryan Hall Date: Wed, 20 May 2026 17:24:06 +1200 Subject: [PATCH 3/3] Fix feed schema docs --- .../docs/platform-hub/policies/schema.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/src/pages/docs/platform-hub/policies/schema.md b/src/pages/docs/platform-hub/policies/schema.md index b6dcaa7740..66eb5193c5 100644 --- a/src/pages/docs/platform-hub/policies/schema.md +++ b/src/pages/docs/platform-hub/policies/schema.md @@ -215,6 +215,18 @@ result := {"allowed": true} if { } ``` +#### Feed object + +| Property | Type | Always Present | Description | +| :--- | :--- | :--- | :--- | +| Id | string | Yes | The unique identifier for the feed | +| Name | string | Yes | Display name of the feed | +| Slug | string | Yes | The URL-safe slug for the feed | +| Type | string | Yes | The feed type (e.g. `BuiltIn`, `Docker`) | +| Uri | string | No | The configured endpoint for the feed | + +**Example usage:** + ```ruby package block_cross_environment_feeds 
@@ -259,16 +271,6 @@ result := { } ``` -#### Feed object - -| Property | Type | Always Present | Description | -| :--- | :--- | :--- | :--- | -| Id | string | Yes | The unique identifier for the feed | -| Name | string | Yes | Display name of the feed | -| Slug | string | Yes | The URL-safe slug for the feed | -| Type | string | Yes | The feed type (e.g. `BuiltIn`, `Docker`) | -| Uri | string | No | The configured endpoint for the feed | - :::div{.hint} See the [steps and skipping examples](/docs/platform-hub/policies/examples#check-that-a-step-isnt-skipped-in-a-deployment) for more patterns.
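Review bot: In the `require_change_approvals` example added by PATCH 1/3 (hunk `@@ -95,6 +95,23 @@`), `"allowed": input.RequiresApproval` allows the execution whenever approval is required and denies it whenever it is not, while the reason text says no change request was attached. The section describes the field as whether an approval is required, derived from change control settings, not as whether an approved change request exists, so the rule and its reason test different things. State which behaviour is intended and make the example match it. In addition, the unconditional `result := { ... }` always defines `result`, so `default result := { "allowed": false }` is never used and the reason string is returned even when `allowed` is true. A conditional rule (`result := { ... } if { ... }`) with the default carrying the other outcome would fix both.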
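Review bot: The added `step.IsConditional == false` line in hunk `@@ -163,6 +180,7 @@` of PATCH 1/3 changes what an existing example accepts, but the commit subject covers only the RequiresApproval and cross-environment feed examples. With this condition a conditional step no longer satisfies the rule, so the prose introducing that example should say so, and `IsConditional` should be listed in the step property table if it is not already. Consider moving this line to its own commit with a message that explains why conditional steps are excluded.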
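Review bot: In the `block_cross_environment_feeds` example (PATCH 1/3, hunk `@@ -197,6 +215,50 @@`), both `violations` rules decide on a substring test, `contains(lower(pkg.Feed.Slug), "dev")` and `contains(lower(pkg.Feed.Slug), "prod")`, which matches any slug that merely contains those letters and passes any dev or prod feed whose slug does not. A slug containing "nonprod" or "products", for instance, would be blocked in Dev, and because the default is `"allowed": true`, a feed named outside the convention is never checked. For a documented control, compare against an explicit set of feed slugs or IDs per environment, or at least state the naming convention the example relies on. Separately, the messages say "Step '%s'" but fill it with `pkg.Id`. Because `all_packages` discards the step, either iterate `input.Steps` inside the violation rules and report the step, or reword the message to "Package '%s'". The two messages are also inconsistent: only the first carries the "Non-compliant:" prefix.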
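Review bot: In the summary table row changed by PATCH 2/3 (hunk `@@ -28,7 +28,7 @@`), the description still reads "Whether the execution requires an approval" with a link to `/docs/approvals`, while the `### RequiresApproval` section it now links to describes an ITSM change approval derived from change control settings. Align the two descriptions so readers following the new anchor do not see two different definitions of the same field.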
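Review bot: In the relocated Feed object table (PATCH 3/3, hunk `@@ -215,6 +215,18 @@`), `Uri` is the only property marked as not always present, but nothing tells policy authors how to handle its absence, whereas the Tenant section in the same file says to guard against absence before use. Add one sentence under the table to the same effect. The `**Example usage:**` label now sits directly under `#### Feed object`, so a short lead-in saying the example blocks dev feeds in production and prod feeds in dev would help, since the policy reads `Slug` and `Name` only.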