Discussion (Sharing) about CUE Policy Generator #1031

south-mer · 2025-09-02T06:46:52Z

south-mer
Sep 2, 2025

What are we trying to achieve

Mercari is using policy bot in production across an organization of over 4000 repositories, many of which have legacy workflows that require customized (least privilege) exceptions to our standard configuration. We have 1 policy file that applies to every single repository: repository-specific rules are achieved by making use of the repository predicate.

There are 2 main goals:

We want to be able to make new rules secure by default. For example, we enforce signed commits in repositories by default using branch rulesets, and would prefer it to be enforced by default in every single rule in Policy Bot (unless explicitly opted out from)
We would like to share snippets between rules. For example, the list of machine users, and the definition of "developers" excluding machine accounts.

How we are currently achieving the goal

We use CUE language to generate the final YAML used by Policy Bot. It allows us to share snippets like:

#MachineAccounts: [ /* List of machine accounts */  ]
#DeveloperDefinition: {
	user_types: ["User"]
	not: users: #MachineAccounts
}

// ...
ApprovalRules: "default": {
	requires: {
		#DeveloperDefinition
		count: 1
	}
}

and enforce (but allow exclusion from) requirement of signed commits by

ApprovalRules: [_]: {
	if: #do_not_require_valid_signatures: bool | *false
	if if.#do_not_require_valid_signatures {
		// Force unset (false = some commits must have invalid signatures)
		if: has_valid_signatures?: _|_
	}
	if !if.#do_not_require_valid_signatures {
		// Require valid signatures by default
		if: has_valid_signatures: bool | *true
	}
}

Part of the configuration is as follows.

import "list"

// This is the exported YAML content
Export: {
	policy: approval: [
		{or: [for ruleName, _ in ApprovalRules {ruleName}]},
	]

	approval_rules: [
		for ruleName, rule in ApprovalRules {
			{rule, name: ruleName}
		},
	]
}

ApprovalRules: [_]: {
	// Disable comment as method of approval
	options: methods: comments: []
	// Always require valid signatures by default
	if: #do_not_require_valid_signatures: bool | *false
	if if.#do_not_require_valid_signatures {
		// Force unset (false = some commits must have invalid signatures)
		if: has_valid_signatures?: _|_
	}

	if !if.#do_not_require_valid_signatures {
		// Require valid signatures by default
		if: has_valid_signatures: bool | *true
	}

	// Require at least one human approval, unless explicitly overridden
	requires: #override: bool | *false
	if !requires.#override {
		requires: #HumanDefinition & {count!: >=1}
	}

	// Require if.repository.matches to be set, unless explicitly specified to be #any_repository
	if: #any_repository: bool | *false
	if !if.#any_repository {
		if: repository: matches: [string, ...string]
	}

	// Disallow the use of features whose corresponding webhook has been disabled
	if: {
		// check_run
		has_successful_status?: _|_
		has_status?:            _|_
		// workflow_run
		has_workflow_result?: _|_
		// issues
		has_labels?: _|_
		// issue_comments is also disabled (we don't use comment as method of approval), but it is not used in predicates
	}
}

#AllMachineAccounts: [... string] // Content omitted
#TrustedBotsForContributorList: [...string] // Content omitted

#NHIDefinition: {
	#TrustedBots: [...string] | *[]
	#TrustedMachineAccounts: [...string] | *[]

	user_types: ["Bot"]
	users: [
		// Machine users, except excluded ones
		for user in #AllMachineAccounts if !list.Contains(#TrustedMachineAccounts, user) {user},
	]
	not: users: #TrustedBots
	...
}

#HumanDefinition: HumanDefinition={
	#TrustedBots: [...string] | *[]
	#TrustedMachineAccounts: [...string] | *[]

	users: list.Concat([#TrustedBots, #TrustedMachineAccounts])
	user_types: ["User"]
	not: #NHIDefinition & {
		#TrustedMachineAccounts: HumanDefinition.#TrustedMachineAccounts
		#TrustedBots:            HumanDefinition.#TrustedBots
	}
	...
}

ApprovalRules: "catch-all-2-approvals": {
	description: "Any PR with 2 human approvals is mergeable in all repositories"
	if: #any_repository: true
	requires: count:     2
	// Allow commit pushers to approve PRs; we would require last commit to be approved through branch protection rules
	options: allow_non_author_contributor: true
}

ApprovalRules: "human-created-pr-1-approval": {
	description: string | *"Human created PRs require 1 human approval other than the PR author."
	if: {
		#any_repository: true
		has_author_in:   #HumanDefinition
		only_has_contributors_in: #HumanDefinition & {
			#TrustedMachineAccounts: [...string] | *[]
			#TrustedBots: #TrustedBotsForContributorList
		}
	}
	requires: count: 1
	// Allow commit pushers to approve PRs; we would require last commit to be approved through branch protection rules
	options: allow_non_author_contributor: true
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Discussion (Sharing) about CUE Policy Generator #1031

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Discussion (Sharing) about CUE Policy Generator #1031

Uh oh!

south-mer Sep 2, 2025

What are we trying to achieve

How we are currently achieving the goal

Replies: 0 comments

south-mer
Sep 2, 2025