From ec86d49419ba019e4df998907bae2a3a5c90a354 Mon Sep 17 00:00:00 2001
From: "Marcelo E. Magallon"
Date: Wed, 15 Jan 2025 11:05:34 -0600
Subject: [PATCH] feat: Add policy bot configuration
Signed-off-by: Marcelo E. Magallon
---
.../workflows/validate-policy-bot-config.yml | 33 +++++++
.policy.yml | 89 +++++++++++++++++++
.policy.yml.tmpl | 34 +++++++
3 files changed, 156 insertions(+)
create mode 100644 .github/workflows/validate-policy-bot-config.yml
create mode 100644 .policy.yml
create mode 100644 .policy.yml.tmpl
diff --git a/.github/workflows/validate-policy-bot-config.yml b/.github/workflows/validate-policy-bot-config.yml
new file mode 100644
index 000000000..1b3de4558
--- /dev/null
+++ b/.github/workflows/validate-policy-bot-config.yml
@@ -0,0 +1,33 @@
+name: Validate Policy Bot Config
+
+on:
+ pull_request:
+ paths:
+ - ".policy.yml"
+
+ push:
+ branches:
+ - main
+ paths:
+ - ".policy.yml"
+
+jobs:
+ validate:
+ name: Validate policy bot config
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persists-credentials: false
+
+ - name: Validate policy bot config
+ run: |
+ curl \
+ --silent \
+ --fail-with-body \
+ --request PUT \
+ --upload-file .policy.yml \
+ https://github-policy-bot.grafana-ops.net/api/validate
diff --git a/.policy.yml b/.policy.yml
new file mode 100644
index 000000000..248a0afe0
--- /dev/null
+++ b/.policy.yml
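Review bot: The checkout step's `with:` key is spelled `persists-credentials`, but the input that actions/checkout defines is `persist-credentials`; an unrecognised input is only reported as a warning, so the default of keeping the job token in the checkout's git config stays in effect. It should read `persist-credentials: false`. The workflow also has no `permissions:` key, so the token's scope falls back to the repository or organisation default; a top-level `permissions:` with `contents: read` would limit it to what the checkout needs.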
@@ -0,0 +1,89 @@ +# This file is generated by generate-policy-bot-config. +# Do not edit directly. Run "make .policy.yml" to update. + +# The contents of ".policy.yml.tmpl" were merged with the generated parts of this config. +# To add additional policies to the config, update this file and then run "make .policy.yml". + +policy: + approval: + - or: + - and: + - Workflow .github/workflows/renovate-reviewer.yaml succeeded or skipped + - Workflow .github/workflows/renovate-validate.yaml succeeded or skipped + - Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped + - Workflow .github/workflows/validate_pr.yaml succeeded or skipped + - default to approval + - override policies + - policy bot config is valid when modified +approval_rules: + - name: Workflow .github/workflows/renovate-reviewer.yaml succeeded or skipped + requires: + conditions: + has_workflow_result: + conclusions: + - skipped + - success + workflows: + - .github/workflows/renovate-reviewer.yaml + - name: Workflow .github/workflows/renovate-validate.yaml succeeded or skipped + if: + changed_files: + paths: + - ^renovate\.(?:[^/]*)$ + - ^\.renovate\.(?:[^/]*)$ + - ^\.github\/renovate\.(?:[^/]*)$ + - ^\.github\/workflows\/renovate(?:[^/]*)$ + requires: + conditions: + has_workflow_result: + conclusions: + - skipped + - success + workflows: + - .github/workflows/renovate-validate.yaml + - name: Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped + if: + changed_files: + paths: + - ^\.policy\.yml$ + requires: + conditions: + has_workflow_result: + conclusions: + - skipped + - success + workflows: + - .github/workflows/validate-policy-bot-config.yml + - name: Workflow .github/workflows/validate_pr.yaml succeeded or skipped + if: + targets_branch: + pattern: (^main$) + requires: + conditions: + has_workflow_result: + conclusions: + - skipped + - success + workflows: + - .github/workflows/validate_pr.yaml + - name: default to approval + - name: policy bot 
config is valid when modified + if: + changed_files: + paths: + - ^\.policy\.yml + requires: + conditions: + has_successful_status: + - Validate policy bot config + - name: override policies + options: + methods: + comments: + - 'policy bot: approve' + - 'policy-bot: approve' + github_review: false + requires: + count: 1 + permissions: + - write
diff --git a/.policy.yml.tmpl b/.policy.yml.tmpl
new file mode 100644
index 000000000..d85b98a95
--- /dev/null
+++ b/.policy.yml.tmpl
@@ -0,0 +1,34 @@
+# Require some statuses to pass only if certain files are modified. This is a
+# template file. You can edit it and the generated contents (to enforce that
+# conditional workflows pass when they are triggered) will be inserted where
+# `MERGE_WITH_GENERATED` is.
+
+policy:
+ approval:
+ - or:
+ - MERGE_WITH_GENERATED
+ - override policies
+ - policy bot config is valid when modified
+
+approval_rules:
+ - name: policy bot config is valid when modified
+ if:
+ changed_files:
+ paths:
+ - ^\.policy\.yml
+ requires:
+ conditions:
+ has_successful_status:
+ - Validate policy bot config
+
+ - name: override policies
+ requires:
+ count: 1
+ permissions:
+ - write
+ options:
+ methods:
+ comments:
+ - "policy bot: approve"
+ - "policy-bot: approve"
+ github_review: false
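Review bot: `policy bot config is valid when modified` is listed as a direct child of the top-level `or:`, so once a pull request touches `.policy.yml` and the `Validate policy bot config` status is green, that rule on its own appears to satisfy the policy, independent of the workflow checks merged in at `MERGE_WITH_GENERATED`. If the intent is that a policy change must validate in addition to the other checks, the rule belongs in an `and:` next to the generated block, leaving `override policies` as the only alternative branch; whether the generator accepts `MERGE_WITH_GENERATED` nested that way is not visible here. Separately, the `changed_files` pattern `^\.policy\.yml` has no end anchor and also matches `.policy.yml.tmpl`, while the validation workflow only triggers on `.policy.yml`; `^\.policy\.yml$` would line up with the anchored pattern the generated workflow rule in `.policy.yml` already uses.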