Support policy checks (#69)

bufbuild · Feb 26, 2024 · 641cb69 · 641cb69
1 parent c559234
commit 641cb69
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ BIN := .tmp/bin
 export PATH := $(BIN):$(PATH)
 export GOBIN := $(abspath $(BIN))
 
-BUF_VERSION := v1.28.1
+BUF_VERSION := v1.29.0
 COPYRIGHT_YEARS := 2023-2024
 
 .PHONY: help

diff --git a/buf/registry/module/v1beta1/label.proto b/buf/registry/module/v1beta1/label.proto
@@ -61,6 +61,7 @@ message Label {
   ];
   // The id of the Commit currently associated with the Label.
   //
+  // If policy checks are enabled, this will point to the most recent Commit that passed or was approved.
   // To get the history of the Commits that have been associated with a Label, use ListLabelHistory.
   string commit_id = 8 [
     (buf.validate.field).required = true,
@@ -71,6 +72,45 @@ message Label {
     (buf.validate.field).required = true,
     (buf.validate.field).string.uuid = true
   ];
+  // The CommitCheckState for the Commit the Label points to.
+  //
+  // The CommitCheckStatus will always be disabled, passed, or approved, since Labels will
+  // never point to pending or rejected Commits.
+  //
+  // TODO: Add custom CEL validation to validate the status field is one of DISABLED, PASSED, APPROVED.
+  CommitCheckState commit_check_state = 10 [(buf.validate.field).required = true];
+}
+
+// The state of a Commit's policy checks for a particular Label.
+//
+// Policy checks are an enterprise-only feature - contact us to learn more!
+message CommitCheckState {
+  // The status of the policy check.
+  CommitCheckStatus status = 1 [
+    (buf.validate.field).enum.defined_only = true,
+    (buf.validate.field).required = true
+  ];
+  // The time the policy check state was last updated.
+  //
+  // If the status is disabled, this will be equal to the Commit create_time.
+  google.protobuf.Timestamp update_time = 3 [(buf.validate.field).required = true];
+}
+
+// A check status for a Commit.
+//
+// Policy checks are an enterprise-only feature - contact us to learn more!
+enum CommitCheckStatus {
+  COMMIT_CHECK_STATUS_UNSPECIFIED = 0;
+  // Policy checks were not enabled when the Commit was created.
+  COMMIT_CHECK_STATUS_DISABLED = 1;
+  // The Commit did not fail any policy checks and therefore did not need review.
+  COMMIT_CHECK_STATUS_PASSED = 2;
+  // The Commit has not yet been reviewed after failing policy checks and is pending.
+  COMMIT_CHECK_STATUS_PENDING = 3;
+  // The Commit was reviewed after failing policy checks and was rejected.
+  COMMIT_CHECK_STATUS_REJECTED = 4;
+  // The Commit was reviewed after failing policy checks and was approved.
+  COMMIT_CHECK_STATUS_APPROVED = 5;
 }
 
 // LabelRef is a reference to a Label, either an id or a fully-qualified name.

diff --git a/buf/registry/module/v1beta1/label_service.proto b/buf/registry/module/v1beta1/label_service.proto
@@ -96,7 +96,8 @@ message ListLabelsRequest {
   // Once the resource is resolved, the following Labels are listed:
   //   - If a Module is referenced, all Labels for the Module are returned.
   //   - If a Label is referenced, this Label is returned.
-  //   - If a Commit is referenced, all Labels for the Commit are returned.
+  //   - If a Commit is referenced, all Labels that currently point to the Commit are returned. Note that
+  //     Labels only point to passed or approved Commits, or Commits where policy checks were disabled.
   ResourceRef resource_ref = 3 [(buf.validate.field).required = true];
   // The order to return the Labels.
   //
@@ -106,6 +107,15 @@ message ListLabelsRequest {
   // TODO: We are purposefully not making the default the zero enum value, however
   // we may want to consider this.
   Order order = 4 [(buf.validate.field).enum.defined_only = true];
+  // Only return Labels that point to a Commit with one of these CommitCheckStatus values.
+  //
+  // If not set, Labels that point to a Commit with any CommitCheckStatus value are returned.
+  //
+  // It is an error to filter on CommitCheckStatuses of pending or rejected, as Labels will only
+  // point to Commits that are passed or approved, or that have policy checks disabled.
+  //
+  // TODO: Add custom CEL validation to validate the status field is one of DISABLED, PASSED, APPROVED.
+  repeated CommitCheckStatus commit_check_statuses = 5 [(buf.validate.field).repeated.items.enum.defined_only = true];
 }
 
 message ListLabelsResponse {
@@ -157,12 +167,19 @@ message ListLabelHistoryRequest {
 }
 
 message ListLabelHistoryResponse {
+  message Value {
+    // The Commit.
+    Commit commit = 1 [(buf.validate.field).required = true];
+    // The CommitCheckState for this Commit on this Label.
+    CommitCheckState commit_check_state = 2 [(buf.validate.field).required = true];
+  }
+
   // The next page token.
   //
   /// If empty, there are no more pages.
   string next_page_token = 1 [(buf.validate.field).string.max_len = 4096];
-  // The listed Commits that represent the history of the Label.
-  repeated Commit commits = 2;
+  // The ordered history of the Label.
+  repeated Value values = 2;
 }
 
 message CreateOrUpdateLabelsRequest {