From 1958155e2799ac67f49a0aafe09d84b6d6293eaf Mon Sep 17 00:00:00 2001
From: Chris Busillo
Date: Mon, 1 Jun 2026 10:34:26 -0400
Subject: [PATCH] Seed authz policy grant authority

---
 docs/operations.md | 7 +++++++
 scripts/deploy/ensure-authz-grants.sh | 11 +++++++++++
 tests/test_product_onboarding.py | 11 +++++++++++
 3 files changed, 29 insertions(+)

diff --git a/docs/operations.md b/docs/operations.md
index e4821d3..6403d1d 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -148,6 +148,13 @@ DB-backed GitHub-human grants for `product_config.plan` and
 Leave those variables unset to skip reconciliation; do not hard-code human logins or product-specific operator grants in source.
 
+The deploy workflow also reconciles its own `authz_policy_grant.write` grants
+for product/context `launchplane`, covering both manual dispatches and automatic
+CI-success deploys. Those grants are a staged migration path for authz policy
+maintenance; authz grant routes can be narrowed to policy-admin authority after
+the DB-backed grants are present, without relying on Launchplane self-deploy
+authority for future grant reconciliation.
+
 Routine local-operator product-config grants are scoped, not wildcard, and the deploy reconciliation skips them unless explicit product/context scopes are configured. Set `LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON` only for
diff --git a/scripts/deploy/ensure-authz-grants.sh b/scripts/deploy/ensure-authz-grants.sh
index 2156d8e..40d2da0 100644
--- a/scripts/deploy/ensure-authz-grants.sh
+++ b/scripts/deploy/ensure-authz-grants.sh
@@ -614,6 +614,17 @@ post_grant \
 deploy:merge-train-runner-schedule-grant \
 merge-train-runner-schedule \
 schedule
+post_launchplane_service_grant \
+ deploy-launchplane.yml \
+ authz_policy_grant.write \
+ deploy:authz-policy-grant-maintenance-dispatch \
+ authz-policy-grant-maintenance-dispatch
+post_launchplane_service_grant \
+ deploy-launchplane.yml \
+ authz_policy_grant.write \
+ deploy:authz-policy-grant-maintenance-run \
+ authz-policy-grant-maintenance-run \
+ workflow_run
 post_grant \
 "$GITHUB_REPOSITORY" \
 merge-train-policy-import.yml \
diff --git a/tests/test_product_onboarding.py b/tests/test_product_onboarding.py
index 2281238..b946e27 100644
--- a/tests/test_product_onboarding.py
+++ b/tests/test_product_onboarding.py
@@ -594,6 +594,17 @@ def test_deploy_authz_grants_seed_local_admin_self_deploy_authority(self) -> Non
 self.assertIn("local-admin-self-deploy", script_text)
 self.assertIn("launchplane_service_deploy.execute", script_text)
 
+ def test_deploy_authz_grants_stage_dedicated_policy_grant_authority(self) -> None:
+ script_text = Path("scripts/deploy/ensure-authz-grants.sh").read_text(encoding="utf-8")
+
+ self.assertIn("deploy-launchplane.yml", script_text)
+ self.assertIn("authz_policy_grant.write", script_text)
+ self.assertIn("deploy:authz-policy-grant-maintenance-dispatch", script_text)
+ self.assertIn("authz-policy-grant-maintenance-dispatch", script_text)
+ self.assertIn("deploy:authz-policy-grant-maintenance-run", script_text)
+ self.assertIn("authz-policy-grant-maintenance-run", script_text)
+ self.assertIn("workflow_run", script_text)
+
 def test_reusable_odoo_prod_promotion_fails_on_each_result_status(self) -> None:
 workflow_text = Path(".github/workflows/reusable-odoo-prod-promotion.yml").read_text(
 encoding="utf-8"
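Review bot: The two `post_launchplane_service_grant` calls give `deploy-launchplane.yml` the `authz_policy_grant.write` permission it would need to edit its own grants, yet nothing in the script marks them as the transitional grants the operations doc describes or records the condition under which they are narrowed. Suggest a comment above the first call: `# Staged: deploy-launchplane.yml keeps authz_policy_grant.write only until grant routes are narrowed to policy-admin authority; remove once DB-backed grants exist.` The second call adds a `workflow_run` argument for CI-success deploys; whether the helper also restricts which upstream workflow may trigger that run is not visible here, since post_launchplane_service_grant is defined outside the hunk, so it is worth confirming before a run-triggered grant is honored for every workflow_run event.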
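Review bot: Every assertion in `test_deploy_authz_grants_stage_dedicated_policy_grant_authority` checks a token in isolation, so `self.assertIn("workflow_run", script_text)` passes as long as the string appears anywhere in the script and never proves that the run-scoped grant is the one carrying the `workflow_run` trigger. Tying the last two tokens together closes that gap, e.g. replacing the final assertion with `self.assertRegex(script_text, r"authz-policy-grant-maintenance-run \\\n\s+workflow_run")`. The same isolation applies to `authz_policy_grant.write`, which any other call in the file could satisfy; the preceding test at the top of the hunk uses the same pattern, so this is a point of style rather than a regression.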