Safeguard Merges with Review and Approval Policy
Template Policy
This template policy blocks the merge action until the required number of approvals is reached. The policy assigns the next reviewer in the chain to review the code. It uses dictionaries to relate existing GitHub teams that should review the pull request based on the files modified. When the required number of approvals is reached, the pull request is automatically merged.

dictionaries:
- name: team-per-filepattern
  # Keys are file-glob patterns; values are the GitHub team slugs that must
  # approve a pull request touching a matching file. Each value is written as
  # '"team"' (a double-quoted literal inside single quotes) -- presumably
  # because the value is evaluated as an expression when read back through
  # $dictionary; keep that inner quoting when adding entries.
  spec:
    "**/authentication/**": '"security"'
    "**/db/**": '"dba"'
    ".github/workflows/**": '"devops"'

workflows:
- name: "Review Assignment, Approval and Merge Policy"
  run:
  # Gate 1: at least one approval from the "devs" team. Until it exists the
  # check is failed and a "devs" reviewer is requested.
  - if: '!$hasRequiredApprovals(1, $team("devs"))'
    then:
    - $failCheckStatus("Approval from 'devs' required")
    # Request a new reviewer only when no "devs" member is already assigned.
    - if: '!$any($reviewers(), ($r: String => $isElementOf($r, $team("devs"))))'
      then: '$assignReviewer($team("devs"), 1)'
    # Gate 2 (reached once Gate 1 passes): for every pattern/team pair in the
    # dictionary, a change touching matching files also needs one approval
    # from that team; otherwise the check is failed and a reviewer from that
    # team is requested.
    else:
    - forEach:
        key: $pat
        value: $name
        in: $dictionary("team-per-filepattern")
        do:
        - if: '$hasFilePattern($pat) && !$hasRequiredApprovals(1, $team($name))'
          then:
          - $failCheckStatus($sprintf("Approval from '%s' required", [$name]))
          - if: '!$any($reviewers(),($r: String => $isElementOf($r, $team($name))))'
            then: '$assignReviewer($team($name), 1)'
    # NOTE(review): $merge is the step after the loop regardless of what the
    # loop did; this relies on $failCheckStatus stopping the run when a
    # pattern team has not approved -- confirm against the Reviewpad docs,
    # otherwise a change under authentication/db/workflow paths could be
    # squash-merged with only the "devs" approval.
    - $merge("squash")