Actions for gating workflows via CloudBees policy evaluation.
Two actions are available depending on whether you know the policy ID up front or want the platform to discover applicable policies automatically:
| Action | When to use | Caller reference |
|---|---|---|
You know the specific policy to evaluate. |
|
|
You want all policies applicable to the current workflow context discovered and evaluated automatically — no policy IDs needed. |
|
Both actions enforce results internally: BLOCK and ERROR outcomes cause the action to exit with a non-zero status, halting the workflow.
Evaluates a single named policy. Use this when you know exactly which policy applies.
| Input name | Data type | Required? | Description |
|---|---|---|---|
|
String |
Yes |
Policy identifier. Determines which policy to evaluate. |
|
String |
No |
JSON data to be passed into the policy evaluation as context. |
|
String |
No |
Path to a file containing JSON data to be passed into the policy evaluation as context. Takes precedence over |
| Output name | Data type | Description |
|---|---|---|
|
String |
The action to be taken following policy evaluation.
Possible values are |
|
String |
Details about the results of evaluation, including any check failures or validation errors. |
|
String |
The channel type for review. Present only when |
|
String |
The recipients for review. Present only when |
- name: Evaluate policy
id: policy-check
uses: cloudbees-io/policy-check@v1
with:
policy: 22f76106-3661-409f-b654-42ab4a052fe4
input-data: ${{ steps.scan.outputs.policy-subject }}To act on a REQUEST_APPROVAL result, read the action output from the step:
- name: Evaluate policy
id: policy-check
uses: cloudbees-io/policy-check@v1
with:
policy: 22f76106-3661-409f-b654-42ab4a052fe4
input-data: ${{ steps.scan.outputs.policy-subject }}
- name: Request approval
if: ${{ steps.policy-check.outputs.action == 'REQUEST_APPROVAL' }}
uses: cloudbees-io/request-approval@v1
with:
channel: ${{ steps.policy-check.outputs.review-channel }}
recipients: ${{ steps.policy-check.outputs.review-recipients }}Discovers and evaluates all policies applicable to the current workflow context automatically. No policy IDs are required — the platform resolves which policies apply based on the component, organization, and workflow run context read from CloudBees platform variables.
Use this action when policies are managed centrally and you want enforcement without coupling the workflow to specific policy identifiers.
The action builds a workflow_request_context payload from cloudbees.* platform variables and posts it to the evaluate-by-context endpoint.
The platform server-side:
-
Looks up the component type and resolves the automation metadata from the run ID.
-
Discovers all policies applicable to the resolved context.
-
Evaluates each policy independently.
-
Reconciles results into a single top-level
action(most severe wins:BLOCK>REQUEST_APPROVAL>CONTINUE).
If any policy evaluation returns an error, the overall action is ERROR (fail-closed).
If no policies are discovered, the action is CONTINUE.
| Input name | Data type | Required? | Description |
|---|---|---|---|
|
String |
No |
JSON data to be merged into the evaluation request as additional input context. |
|
String |
No |
Path to a file containing JSON data to be merged into the evaluation request as additional input context. Takes precedence over |
|
String |
No |
Checkpoint entity kind: |
|
String |
No |
Checkpoint entity name.
Omit when |
|
String |
No |
Position within the checkpoint: |
| Output name | Data type | Description |
|---|---|---|
|
String |
The reconciled action across all evaluated policies.
Possible values are |
|
String |
Details about the results of evaluation, including per-policy check failures and errors. |
|
String |
The channel type for review. Present only when |
|
String |
The aggregated recipients for review across all requesting policies. Present only when |
- name: Evaluate policies by context
uses: cloudbees-io/policy-check/actions/[email protected] - name: Evaluate policies at stage entry
uses: cloudbees-io/policy-check/actions/[email protected]
with:
checkpoint-type: stage
checkpoint-name: deploy-to-staging
checkpoint-position: entry - name: Evaluate policies with scan results
id: policy-context-check
uses: cloudbees-io/policy-check/actions/[email protected]
with:
checkpoint-type: stage
checkpoint-name: deploy-to-staging
checkpoint-position: entry
input-data: ${{ steps.scan.outputs.policy-subject }} - name: Evaluate policies by context
id: policy-context-check
uses: cloudbees-io/policy-check/actions/[email protected]
with:
checkpoint-type: stage
checkpoint-name: deploy-to-staging
checkpoint-position: entry
- name: Request approval
if: ${{ steps.policy-context-check.outputs.action == 'REQUEST_APPROVAL' }}
uses: cloudbees-io/request-approval@v1
with:
channel: ${{ steps.policy-context-check.outputs.review-channel }}
recipients: ${{ steps.policy-context-check.outputs.review-recipients }}-
Learn more about using actions in CloudBees workflows.
-
Learn about the CloudBees platform.