From 641cb69ff6726048032127042bf7fad58c6fe33a Mon Sep 17 00:00:00 2001
From: bufdev <4228796+bufdev@users.noreply.github.com>
Date: Mon, 26 Feb 2024 18:34:51 -0500
Subject: [PATCH] Support policy checks (#69)
---
 Makefile | 2 +-
 buf/registry/module/v1beta1/label.proto | 40 +++++++++++++++++++
 .../module/v1beta1/label_service.proto | 23 +++++++++--
 3 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index c9596d2..ca9b775 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ BIN := .tmp/bin
 export PATH := $(BIN):$(PATH)
 export GOBIN := $(abspath $(BIN))
-BUF_VERSION := v1.28.1
+BUF_VERSION := v1.29.0
 COPYRIGHT_YEARS := 2023-2024
 .PHONY: help
diff --git a/buf/registry/module/v1beta1/label.proto b/buf/registry/module/v1beta1/label.proto
index d5b7f30..969fda4 100644
--- a/buf/registry/module/v1beta1/label.proto
+++ b/buf/registry/module/v1beta1/label.proto
@@ -61,6 +61,7 @@ message Label {
 ];
 // The id of the Commit currently associated with the Label.
 //
+ // If policy checks are enabled, this will point to the most recent Commit that passed or was approved.
 // To get the history of the Commits that have been associated with a Label, use ListLabelHistory.
 string commit_id = 8 [
 (buf.validate.field).required = true,
@@ -71,6 +72,45 @@ message Label {
 (buf.validate.field).required = true,
 (buf.validate.field).string.uuid = true
 ];
+ // The CommitCheckState for the Commit the Label points to.
+ //
+ // The CommitCheckStatus will always be disabled, passed, or approved, since Labels will
+ // never point to pending or rejected Commits.
+ //
+ // TODO: Add custom CEL validation to validate the status field is one of DISABLED, PASSED, APPROVED.
+ CommitCheckState commit_check_state = 10 [(buf.validate.field).required = true];
+}
+
+// The state of a Commit's policy checks for a particular Label.
+//
+// Policy checks are an enterprise-only feature - contact us to learn more!
+message CommitCheckState {
+ // The status of the policy check.
+ CommitCheckStatus status = 1 [
+ (buf.validate.field).enum.defined_only = true,
+ (buf.validate.field).required = true
+ ];
+ // The time the policy check state was last updated.
+ //
+ // If the status is disabled, this will be equal to the Commit create_time.
+ google.protobuf.Timestamp update_time = 3 [(buf.validate.field).required = true];
+}
+
+// A check status for a Commit.
+//
+// Policy checks are an enterprise-only feature - contact us to learn more!
+enum CommitCheckStatus {
+ COMMIT_CHECK_STATUS_UNSPECIFIED = 0;
+ // Policy checks were not enabled when the Commit was created.
+ COMMIT_CHECK_STATUS_DISABLED = 1;
+ // The Commit did not fail any policy checks and therefore did not need review.
+ COMMIT_CHECK_STATUS_PASSED = 2;
+ // The Commit has not yet been reviewed after failing policy checks and is pending.
+ COMMIT_CHECK_STATUS_PENDING = 3;
+ // The Commit was reviewed after failing policy checks and was rejected.
+ COMMIT_CHECK_STATUS_REJECTED = 4;
+ // The Commit was reviewed after failing policy checks and was approved.
+ COMMIT_CHECK_STATUS_APPROVED = 5;
 }
 // LabelRef is a reference to a Label, either an id or a fully-qualified name.
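Review bot: The invariant that a Label only ever carries a DISABLED, PASSED or APPROVED state is stated in the comment on `commit_check_state` but left as a TODO, so `required` on the field plus `defined_only` on `CommitCheckState.status` still validates a Label whose state is PENDING or REJECTED. `CommitCheckState` is also used for history entries in label_service.proto, so the restriction belongs on the Label field rather than on the shared message, along the lines of `(buf.validate.field).cel = {id: "label.commit_check_state.status", message: "status must be DISABLED, PASSED, or APPROVED", expression: "this.status in [1, 2, 5]"}`. Until that is in place, a consumer that treats a Label as evidence that a Commit cleared policy should check the status itself and treat unspecified or unknown values as not cleared. The same TODO is open on `ListLabelsRequest.commit_check_statuses` in label_service.proto.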
diff --git a/buf/registry/module/v1beta1/label_service.proto b/buf/registry/module/v1beta1/label_service.proto
index 37f751f..4491946 100644
--- a/buf/registry/module/v1beta1/label_service.proto
+++ b/buf/registry/module/v1beta1/label_service.proto
@@ -96,7 +96,8 @@ message ListLabelsRequest {
 // Once the resource is resolved, the following Labels are listed:
 // - If a Module is referenced, all Labels for the Module are returned.
 // - If a Label is referenced, this Label is returned.
- // - If a Commit is referenced, all Labels for the Commit are returned.
+ // - If a Commit is referenced, all Labels that currently point to the Commit are returned. Note that
+ // Labels only point to passed or approved Commits, or Commits where policy checks were disabled.
 ResourceRef resource_ref = 3 [(buf.validate.field).required = true];
 // The order to return the Labels.
 //
@@ -106,6 +107,15 @@ message ListLabelsRequest {
 // TODO: We are purposefully not making the default the zero enum value, however
 // we may want to consider this.
 Order order = 4 [(buf.validate.field).enum.defined_only = true];
+ // Only return Labels that point to a Commit with one of these CommitCheckStatus values.
+ //
+ // If not set, Labels that point to a Commit with any CommitCheckStatus value are returned.
+ //
+ // It is an error to filter on CommitCheckStatuses of pending or rejected, as Labels will only
+ // point to Commits that are passed or approved, or that have policy checks disabled.
+ //
+ // TODO: Add custom CEL validation to validate the status field is one of DISABLED, PASSED, APPROVED.
+ repeated CommitCheckStatus commit_check_statuses = 5 [(buf.validate.field).repeated.items.enum.defined_only = true];
 }
 message ListLabelsResponse {
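Review bot: In the second hunk, `repeated.items.enum.defined_only` on `commit_check_statuses` accepts `COMMIT_CHECK_STATUS_UNSPECIFIED`, since 0 is a defined value, and nothing rejects duplicate entries, so a request can carry a filter whose meaning the comment does not define. An `in` list on the items would pin the accepted set without custom CEL: `(buf.validate.field).repeated = {unique: true, items: {enum: {in: [1, 2, 5]}}}`. If the zero value is meant to be allowed, the field comment should say how the server treats it. `ListLabelsRequest` begins before this hunk, so other fields of the message are not visible here.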
@@ -157,12 +167,19 @@ message ListLabelHistoryRequest {
 }
 message ListLabelHistoryResponse {
+ message Value {
+ // The Commit.
+ Commit commit = 1 [(buf.validate.field).required = true];
+ // The CommitCheckState for this Commit on this Label.
+ CommitCheckState commit_check_state = 2 [(buf.validate.field).required = true];
+ }
+
 // The next page token.
 //
 /// If empty, there are no more pages.
 string next_page_token = 1 [(buf.validate.field).string.max_len = 4096];
- // The listed Commits that represent the history of the Label.
- repeated Commit commits = 2;
+ // The ordered history of the Label.
+ repeated Value values = 2;
 }
 message CreateOrUpdateLabelsRequest {
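Review bot: `repeated Value values = 2` reuses the field number that `repeated Commit commits = 2` held, with a different message type, so a client built against the previous schema will decode each `Value` as a `Commit` and either fail or silently read wrong data. Even in a v1beta1 package, where a breaking change may be acceptable, retiring the old field is the safer form: `reserved 2; reserved "commits";` and `repeated Value values = 3;`. The nested `Value` message also has no leading comment; something like `// A Commit in the Label's history, with its policy check state on this Label.` would do. If history entries can be pending or rejected, unlike the Commit a Label currently points to, the comment should say so, so that callers do not assume every listed Commit cleared policy.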