Skip to content

cloudbees-io/policy-check

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CloudBees policy check actions

Actions for gating workflows via CloudBees policy evaluation.

Two actions are available depending on whether you know the policy ID up front or want the platform to discover applicable policies automatically:

Action When to use Caller reference

You know the specific policy to evaluate.

cloudbees-io/policy-check@v1

You want all policies applicable to the current workflow context discovered and evaluated automatically — no policy IDs needed.

cloudbees-io/policy-check/actions/[email protected]

Both actions enforce results internally: BLOCK and ERROR outcomes cause the action to exit with a non-zero status, halting the workflow.


Evaluate a policy by ID

Evaluates a single named policy. Use this when you know exactly which policy applies.

Inputs

Table 1. Input details
Input name Data type Required? Description

policy

String

Yes

Policy identifier. Determines which policy to evaluate.

input-data

String

No

JSON data to be passed into the policy evaluation as context.

input-file

String

No

Path to a file containing JSON data to be passed into the policy evaluation as context. Takes precedence over input-data when both are provided.

Outputs

Table 2. Output details
Output name Data type Description

action

String

The action to be taken following policy evaluation. Possible values are CONTINUE, REQUEST_APPROVAL, BLOCK, and ERROR. BLOCK and ERROR results are enforced internally: the action exits with a non-zero status to halt the workflow. The action output is available to callers for cases not already handled internally, such as routing REQUEST_APPROVAL to a manual approval flow.

details

String

Details about the results of evaluation, including any check failures or validation errors.

review-channel

String

The channel type for review. Present only when action=REQUEST_APPROVAL.

review-recipients

String

The recipients for review. Present only when action=REQUEST_APPROVAL.

Usage example

      - name: Evaluate policy
        id: policy-check
        uses: cloudbees-io/policy-check@v1
        with:
          policy: 22f76106-3661-409f-b654-42ab4a052fe4
          input-data: ${{ steps.scan.outputs.policy-subject }}

To act on a REQUEST_APPROVAL result, read the action output from the step:

      - name: Evaluate policy
        id: policy-check
        uses: cloudbees-io/policy-check@v1
        with:
          policy: 22f76106-3661-409f-b654-42ab4a052fe4
          input-data: ${{ steps.scan.outputs.policy-subject }}

      - name: Request approval
        if: ${{ steps.policy-check.outputs.action == 'REQUEST_APPROVAL' }}
        uses: cloudbees-io/request-approval@v1
        with:
          channel: ${{ steps.policy-check.outputs.review-channel }}
          recipients: ${{ steps.policy-check.outputs.review-recipients }}

Evaluate policies by context

Discovers and evaluates all policies applicable to the current workflow context automatically. No policy IDs are required — the platform resolves which policies apply based on the component, organization, and workflow run context read from CloudBees platform variables.

Use this action when policies are managed centrally and you want enforcement without coupling the workflow to specific policy identifiers.

How it works

The action builds a workflow_request_context payload from cloudbees.* platform variables and posts it to the evaluate-by-context endpoint. The platform server-side:

  1. Looks up the component type and resolves the automation metadata from the run ID.

  2. Discovers all policies applicable to the resolved context.

  3. Evaluates each policy independently.

  4. Reconciles results into a single top-level action (most severe wins: BLOCK > REQUEST_APPROVAL > CONTINUE).

If any policy evaluation returns an error, the overall action is ERROR (fail-closed). If no policies are discovered, the action is CONTINUE.

Inputs

Table 3. Input details
Input name Data type Required? Description

input-data

String

No

JSON data to be merged into the evaluation request as additional input context.

input-file

String

No

Path to a file containing JSON data to be merged into the evaluation request as additional input context. Takes precedence over input-data when both are provided.

checkpoint-type

String

No

Checkpoint entity kind: stage, workflow, or job. When provided, scopes policy discovery to policies applicable at this checkpoint type.

checkpoint-name

String

No

Checkpoint entity name. Omit when checkpoint-type is workflow.

checkpoint-position

String

No

Position within the checkpoint: entry, exit, or within.

Outputs

Table 4. Output details
Output name Data type Description

action

String

The reconciled action across all evaluated policies. Possible values are CONTINUE, REQUEST_APPROVAL, BLOCK, and ERROR. BLOCK and ERROR results are enforced internally: the action exits with a non-zero status to halt the workflow.

details

String

Details about the results of evaluation, including per-policy check failures and errors.

review-channel

String

The channel type for review. Present only when action=REQUEST_APPROVAL.

review-recipients

String

The aggregated recipients for review across all requesting policies. Present only when action=REQUEST_APPROVAL.

Usage examples

Basic — evaluate all applicable policies

      - name: Evaluate policies by context
        uses: cloudbees-io/policy-check/actions/[email protected]

With checkpoint — scope to a specific stage boundary

      - name: Evaluate policies at stage entry
        uses: cloudbees-io/policy-check/actions/[email protected]
        with:
          checkpoint-type: stage
          checkpoint-name: deploy-to-staging
          checkpoint-position: entry

With additional input data

      - name: Evaluate policies with scan results
        id: policy-context-check
        uses: cloudbees-io/policy-check/actions/[email protected]
        with:
          checkpoint-type: stage
          checkpoint-name: deploy-to-staging
          checkpoint-position: entry
          input-data: ${{ steps.scan.outputs.policy-subject }}

Routing a REQUEST_APPROVAL outcome

      - name: Evaluate policies by context
        id: policy-context-check
        uses: cloudbees-io/policy-check/actions/[email protected]
        with:
          checkpoint-type: stage
          checkpoint-name: deploy-to-staging
          checkpoint-position: entry

      - name: Request approval
        if: ${{ steps.policy-context-check.outputs.action == 'REQUEST_APPROVAL' }}
        uses: cloudbees-io/request-approval@v1
        with:
          channel: ${{ steps.policy-context-check.outputs.review-channel }}
          recipients: ${{ steps.policy-context-check.outputs.review-recipients }}

References

About

Policy check action for workflows

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors