apply_requirements or similar way to block applies of unapproved PRs #1252

Open
ZIJ opened this issue Mar 7, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

Contributor

ZIJ commented Mar 7, 2024

Currently the only way to prevent applies of un-approved PRs is via Access Policy [EE feature] in the Management Repo.

Atlantis has a simple apply_requirements config option; it might make sense to have something similar in Digger CE.

@ZIJ ZIJ changed the title Support apply_requirements or similar way to prevent applies of unapproved PRs apply_requirements or similar way to prevent applies of unapproved PRs Mar 7, 2024
@ZIJ ZIJ changed the title apply_requirements or similar way to prevent applies of unapproved PRs apply_requirements or similar way to block applies of unapproved PRs Mar 7, 2024

al-lac commented Mar 7, 2024

This would be really nice to have!

@ben-of-codecraft
Contributor

This is a really key feature for us as well


al-lac commented May 16, 2024

This actually works already (kind of). When a PR is not mergeable (due to lacking reviews or failing checks), Digger will not run applies and will fail with the following error:

[Image: CleanShot 2024-05-16 at 09 06 51@2x]

For our use case this was enough.

Contributor

ben-of-codecraft commented May 17, 2024

I did notice this yesterday for the GitHub CI. It looks like it checks IsMergeable, so if you have approvals or status checks set up it will not allow the apply to happen.

What I would prefer now is a way to configure that at a project level. If you set up your repo to be a multi-account project, the most common case being a dev/prod environment that shares common modules, then you run into a problem, as you may want your developer environment to be able to apply without approvals, while your production environment still requires that approval requirements be met.

This is more of a request at the GitHub level being able to specify directory level checks in branch protection vs having to write a custom status check action; however, it would be nice to allow Digger to have an option to override the default behavior of always forcing a mergeable PR for lower level environments.

Maybe something like

```yaml
projects:
    - name: "{{github.org}}-{{github.repo}}-dev"
      dir: dev
      workflow: default
      skip_merge_check: true   # skips the isMergeable check on Digger Apply
      include_patterns: [
        "./modules/**",
        "./config/dev/**",
      ]
      workflow_file: digger_workflow.yml
      aws_role_to_assume:
        state: {{output.stsStateRole.dev}}
        command: {{output.stsCommandRole.dev}}

    - name: "{{github.org}}-{{github.repo}}-prod"
      dir: prod
      workflow: default
      skip_merge_check: false  # default anyway, just here for illustration
      include_patterns: [
        "./modules/**",
        "./config/prod/**",
      ]
      workflow_file: digger_workflow.yml
      aws_role_to_assume:
        state: {{output.stsStateRole.prod}}
        command: {{output.stsCommandRole.prod}}
```
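
The per-project gate proposed in the comment above, sketched as an added example that is not part of the thread and not Digger's code: `skip_merge_check` is the commenter's hypothetical option, and the `Project`/`PullRequest` types, the prefix-only handling of `./dir/**` patterns, and the sample PR are assumptions made here. It shows which impacted projects an unapproved PR could apply to when the check is skipped for dev only.

```go
package main

import (
	"fmt"
	"strings"
)

// Project holds the proposal's fields used here; SkipMergeCheck is hypothetical.
type Project struct {
	Name            string
	IncludePatterns []string
	SkipMergeCheck  bool // zero value (false) keeps the mergeable requirement
}

// PullRequest is constructed sample state, not a GitHub API type.
type PullRequest struct {
	Mergeable    bool // approvals and required status checks satisfied
	ChangedFiles []string
}

// impacted reports whether any changed file falls under a "./dir/**" pattern.
func impacted(p Project, files []string) bool {
	for _, pat := range p.IncludePatterns {
		prefix := strings.TrimSuffix(strings.TrimPrefix(pat, "./"), "**")
		for _, f := range files {
			if strings.HasPrefix(f, prefix) {
				return true
			}
		}
	}
	return false
}

// ApplyDecisions maps each impacted project to whether apply may run.
func ApplyDecisions(projects []Project, pr PullRequest) map[string]bool {
	out := map[string]bool{}
	for _, p := range projects {
		if impacted(p, pr.ChangedFiles) {
			out[p.Name] = pr.Mergeable || p.SkipMergeCheck
		}
	}
	return out
}

func main() {
	dev := Project{"dev", []string{"./modules/**", "./config/dev/**"}, true}
	prod := Project{"prod", []string{"./modules/**", "./config/prod/**"}, false}
	pr := PullRequest{false, []string{"modules/vpc/main.tf"}} // unapproved, shared module
	fmt.Println(ApplyDecisions([]Project{dev, prod}, pr))
}
```

For the sample PR the result allows dev and blocks prod: a change under the shared `./modules/**` path that nobody has approved would still be applied with the dev role, which is the trade-off to weigh before skipping the check for any environment.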
