From fcebc7382c79ebcd0c1c7fb5451d23ea21979722 Mon Sep 17 00:00:00 2001
From: Qbandev
Date: Thu, 5 Mar 2026 11:22:51 +0100
Subject: [PATCH] fix: gate release branch PRs with team review, scope fallback to non-release
Replace the blanket "no approval necessary" fallback with two scoped rules:
- "release branch review": requires release-team approval for all PRs targeting release/* branches that don't match cherry-pick criteria
- "non-release fallback": auto-approves PRs targeting non-release branches using RE2-compatible negation regex
This ensures PRs with wrong titles or large diffs on release branches get PENDING status instead of being silently approved.
Co-Authored-By: Claude Opus 4.6
---
policy.yml | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/policy.yml b/policy.yml
index 176c239..9ee43ee 100644
--- a/policy.yml
+++ b/policy.yml
@@ -8,7 +8,8 @@ policy:
 approval:
 - or:
 - "cherry-pick auto-approval"
- "no approval necessary"
+ - "release branch review"
+ - "non-release fallback"
 approval_rules:
 - name: "cherry-pick auto-approval"
@@ -24,7 +25,22 @@ approval_rules:
 requires:
 count: 0
- - name: "no approval necessary"
- description: "Fallback rule — matches all PRs so policy-bot reports a clean status instead of an error"
+ - name: "release branch review"
+ description: "Require release-team review for all PRs targeting release branches"
+ if:
+ targets_branch:
+ pattern: "^release/.*$"
+ requires:
+ count: 1
+ teams:
+ - "MetaMask/release-team"
+
+ # RE2-compatible negation of "^release/.*$" (Go regexp does not support lookaheads).
+ # Matches any branch name that does NOT start with "release/".
+ - name: "non-release fallback"
+ description: "Auto-approve PRs targeting non-release branches so policy-bot posts a clean status"
+ if:
+ targets_branch:
+ pattern: "^([^r]|r[^e]|re[^l]|rel[^e]|rele[^a]|relea[^s]|releas[^e]|release[^/]).*$|^.{0,7}$"
 requires:
 count: 0
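Review bot: The "non-release fallback" pattern in the second hunk is only safe while it remains the exact complement of the `^release/.*$` pattern in the rule above it, because the policy is an `or` and a count-0 rule that also matches a release branch would silently bypass the team review this commit adds, while a branch matched by neither rule gets an error status; the file does not state that invariant anywhere. I would extend the existing comment with `# Keep in lockstep with the "release branch review" pattern: a branch matched by both rules is auto-approved, one matched by neither gets an error status.` Both patterns are case-sensitive, so a branch such as `Release/1.0` falls through to the auto-approve rule; if that is not intended, prefix both patterns with `(?i)`, which RE2 supports. As a minor style point, the trailing `.*$` in `"^release/.*$"` is redundant and `"^release/"` reads more clearly.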