feat: Add policy bot configuration

.github/workflows/validate-policy-bot-config.yml

@@ -0,0 +1,33 @@
+name: Validate Policy Bot Config
+
+on:
+  pull_request:
+    paths:
+      - ".policy.yml"
+
+  push:
+    branches:
+      - main
+    paths:
+      - ".policy.yml"
+
+jobs:
+  validate:
+    name: Validate policy bot config
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persists-credentials: false
+
+      - name: Validate policy bot config
+        run: |
+          curl \
+            --silent \
+            --fail-with-body \
+            --request PUT \
+            --upload-file .policy.yml \
+            https://github-policy-bot.grafana-ops.net/api/validate

.policy.yml

@@ -0,0 +1,89 @@
+# This file is generated by generate-policy-bot-config.
+# Do not edit directly. Run "make .policy.yml" to update.
+
+# The contents of ".policy.yml.tmpl" were merged with the generated parts of this config.
+# To add additional policies to the config, update this file and then run "make .policy.yml".
+
+policy:
+  approval:
+    - or:
+        - and:
+            - Workflow .github/workflows/renovate-reviewer.yaml succeeded or skipped
+            - Workflow .github/workflows/renovate-validate.yaml succeeded or skipped
+            - Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+            - Workflow .github/workflows/validate_pr.yaml succeeded or skipped
+            - default to approval
+        - override policies
+    - policy bot config is valid when modified
+approval_rules:
+  - name: Workflow .github/workflows/renovate-reviewer.yaml succeeded or skipped
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/renovate-reviewer.yaml
+  - name: Workflow .github/workflows/renovate-validate.yaml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^renovate\.(?:[^/]*)$
+          - ^\.renovate\.(?:[^/]*)$
+          - ^\.github\/renovate\.(?:[^/]*)$
+          - ^\.github\/workflows\/renovate(?:[^/]*)$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/renovate-validate.yaml
+  - name: Workflow .github/workflows/validate-policy-bot-config.yml succeeded or skipped
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml$
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/validate-policy-bot-config.yml
+  - name: Workflow .github/workflows/validate_pr.yaml succeeded or skipped
+    if:
+      targets_branch:
+        pattern: (^main$)
+    requires:
+      conditions:
+        has_workflow_result:
+          conclusions:
+            - skipped
+            - success
+          workflows:
+            - .github/workflows/validate_pr.yaml
+  - name: default to approval
+  - name: policy bot config is valid when modified
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml
+    requires:
+      conditions:
+        has_successful_status:
+          - Validate policy bot config
+  - name: override policies
+    options:
+      methods:
+        comments:
+          - 'policy bot: approve'
+          - 'policy-bot: approve'
+        github_review: false
+    requires:
+      count: 1
+      permissions:
+        - write

.policy.yml.tmpl

@@ -0,0 +1,34 @@
+# Require some statuses to pass only if certain files are modified. This is a
+# template file. You can edit it and the generated contents (to enforce that
+# conditional workflows pass when they are triggered) will be inserted where
+# `MERGE_WITH_GENERATED` is.
+
+policy:
+  approval:
+    - or:
+        - MERGE_WITH_GENERATED
+        - override policies
+    - policy bot config is valid when modified
+
+approval_rules:
+  - name: policy bot config is valid when modified
+    if:
+      changed_files:
+        paths:
+          - ^\.policy\.yml
+    requires:
+      conditions:
+        has_successful_status:
+          - Validate policy bot config
+
+  - name: override policies
+    requires:
+      count: 1
+      permissions:
+        - write
+    options:
+      methods:
+        comments:
+          - "policy bot: approve"
+          - "policy-bot: approve"
+        github_review: false