feat(policy): Avoid policy evaluation creation #1933
Conversation
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
| } | ||
|
|
||
| result = append(result, ev) | ||
| if ev != nil { |
There was a problem hiding this comment.
This would mean that there is no policy evaluation result for the attachment. This will happen when ALL execution paths of the multipolicy have been either not chosen (because the material type doesn't match), or ignored (because of this new feature), right?
There was a problem hiding this comment.
Exactly, the same that will happen with a multikind policy where all of the policies are ignored, no policy evaluation result.
We need to check the side implications.
There was a problem hiding this comment.
I think it will be fine, since the consequence is that the policy evaluation is not added to the attestation, which is what we wanted. I'll double check other side effects.
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
|
Tackled feedback coming back to the original proposal of |
This patch introduces a way for a policy definition to instruct the policy engine to completely ignore an evaluation and prevent the creation of a policy evaluation.
This is achieved through a new result field,
ignore, which signals whether the policy evaluation should be created. If a policy consists of multiple scripts and one of them returnsignore=true, that script’s evaluation is excluded from the final result. If it’s the only script, no policy evaluation is created at all.By default, all existing policies are not ignored unless explicitly modified.