Push policy»
Purpose»
Hint
This feature is only available to paid Spacelift accounts. Please check out our pricing page for more information.
Info
Please note, we currently don't support importing rego.v1
Git push policies are triggered on a per-stack basis to determine the action that should be taken for each individual Stack or Module in response to a Git push or Pull Request notification. There are three possible outcomes:
- track: set the new head commit on the stack / module and create a tracked Run, ie. one that can be applied;
- propose: create a proposed Run against a proposed version of infrastructure;
- ignore: do not schedule a new Run;
Using this policy it is possible to create a very sophisticated, custom-made setup. We can think of two main - and not mutually exclusive - use cases. The first one would be to ignore changes to certain paths - something you'd find useful both with classic monorepos and repositories containing multiple Terraform projects under different paths. The second one would be to only attempt to apply a subset of changes - for example, only commits tagged in a certain way.
Git push policy and tracked branch»
Each stack and module points at a particular Git branch called a tracked branch. By default, any push to the tracked branch that changes a file in the project root triggers a tracked Run that can be applied. This logic can be changed entirely by a Git push policy, but the tracked branch is always reported as part of the Stack input to the policy evaluator and can be used as a point of reference.
When a push policy does not track a new push, the head commit of the stack/module will not be set to the tracked branch head commit. We can address this by navigating to that stack and pressing the sync button (this syncs the tracked branch head commit with the head commit of the stack/module).
Push and Pull Request events»
Spacelift can currently react to two types of events - push and pull request (also called merge request by GitLab). Push events are the default - even if you don't have a push policy set up, we will respond to those events. Pull request events are supported for some VCS providers and are generally received when you open, synchronize (push a new commit), label, or merge the pull request.
There are some valid reasons to use pull request events in addition or indeed instead of push ones. One is that when making decisions based on the paths of affected files, push events are often confusing:
- they contain affected files for all commits in a push, not just the head commit;
- they are not context-aware, making it hard to work with pull requests - if a given push is ignored on an otherwise relevant PR, then the Spacelift status check is not provided;
But there are more reasons depending on how you want to structure your workflow. Here are a few samples of PR-driven policies from real-life use cases, each reflecting a slightly different way of doing things.
First, let's only trigger proposed runs if a PR exists, and allow any push to the tracked branch to trigger a tracked run:
1 2 3 4 5 |
|
If you want to enforce that tracked runs are always created from PR merges (and not from direct pushes to the tracked branch), you can tweak the above policy accordingly to just ignore all non-PR events:
1 2 3 4 5 6 |
|
Here's another example where you respond to a particular PR label ("deploy") to automatically deploy changes:
1 2 3 4 5 6 |
|
Info
When a run is triggered from a GitHub Pull Request and the Pull Request is mergeable (ie. there are no merge conflicts), we check out the code for something they call the "potential merge commit" - a virtual commit that represents the potential result of merging the Pull Request into its base branch. This should provide better quality, less confusing feedback.
Let us know if you notice any irregularities.
Deduplicating events»
If you're using pull requests in your flow, it is possible that we'll receive duplicate events. For example, if you push to a feature branch and then open a pull request, we first receive a push event, then a separate pull request (opened) event. When you push another commit to that feature branch, we again receive two events - push and pull request (synchronized). When you merge the pull request, we get two more - push and pull request (closed).
It is possible that push policies resolve to the same actionable (not ignore) outcome (eg. track or propose). In those cases instead of creating two separate runs, we debounce the events by deduplicating runs created by them on a per-stack basis.
The deduplication key consists of the commit SHA and run type. If your policy returns two different actionable outcomes for two different events associated with a given SHA, both runs will be created. In practice, this would be an unusual corner case and a good occasion to revisit your workflow.
When events are deduplicated and you're sampling policy evaluations, you may notice that there are two samples for the same SHA, each with different input. You can generally assume that it's the first one that creates a run.
Canceling in-progress runs»
The push policy can also be used to have the new run pre-empt any runs that are currently in progress. The input document includes the in_progress
key, which contains an array of runs that are currently either still queued or are awaiting human confirmation. You can use it in conjunction with the cancel rule like this:
1 |
|
Of course, you can use a more sophisticated approach and only choose to cancel a certain type of run, or runs in a particular state. For example, the rule below will only cancel proposed runs that are currently queued (waiting for the worker):
1 2 3 4 5 |
|
You can also compare branches and cancel proposed runs in queued state pointing to a specific branch using this example policy:
1 2 3 4 5 6 |
|
Please note there are some restrictions on cancelation to be aware of:
- Module test runs cannot be canceled. Only proposed and tracked stack runs can be canceled.
- Cancelation works based on a new run pre-empting existing runs. What this means is that if your push policy does not result in any runs being triggered, the cancelation will have no effect.
- A run can only cancel other runs of the same type. For example a proposed run can only cancel other proposed runs, and not tracked runs.
- Cancelation is best effort and not guaranteed. If the run is either picked up by the worker or approved by a human in the meantime then the cancelation itself is canceled.
Corner case: track, don't trigger»
The track
decision sets the new head commit on the affected stack or module. This head commit is what is going to be used when a tracked run is manually triggered, or a task is started on the stack. Usually what you want in this case is to have a new tracked Run, so this is what we do by default.
Sometimes, however, you may want to trigger those tracked runs in a specific order or under specific circumstances - either manually or using a trigger policy. So what you want is an option to set the head commit, but not trigger a run. This is what the boolean notrigger
rule can do for you. notrigger
will only work in conjunction with track
decision and will prevent the tracked run from being created.
Please note that notrigger
does not depend in any way on the track
rule - they're entirely independent. Only when interpreting the result of the policy, we will only look at notrigger
if track
evaluates to true. Here's an example of using the two rules together to always set the new commit on the stack, but not trigger a run - for example, because it's either always triggered manually, through the API, or using a trigger policy:
1 2 3 |
|
Take Action from Comment(s) on Pull Request(s)»
For more information on taking action from comments on Pull Requests, please view the documentation on pull request comments.
Customize Spacelift Ignore Event Behavior»
Customize VCS Check Messages for Ignored Run Events»
If you would like to customize messages sent back to your VCS when Spacelift runs are ignored, you can do so using the message
function within your Push policy. Please see the example policy below as a reference for this functionality.
Customize Check Status for Ignored Run Events»
By default, ignored runs on a stack will return a "skipped" status check event, rather than a fail event. If you would like ignored run events to have a failed status check on your VCS, you can do so using the fail
function within your Push policy. If a fail
result is desired, set this value to true.
Example Policy»
The following Push policy does not trigger any run within Spacelift. Using this policy, we can ensure that the status check within our VCS (in this case, GitHub) fails and returns the message "I love bacon."
1 2 |
|
As a result of the above policy, users would then see this behavior within their GitHub status check:
Info
Note that this behavior (customization of the message and failing of the check within the VCS), is only applicable when runs do not take place within Spacelift.
Tag-driven Terraform Module Release Flow»
Some users prefer to manage their Terraform Module versions using git tags, and would like git tag events to push their module to the Spacelift module registry. Using a fairly simple Push policy, this is supported. To do this, you'll want to make sure of the module_version
block within a Push policy attached your module, and then set the version using the tag information from the git push event.
For example, the following example Push policy will trigger a tracked run when a tag event is detected. The policy then parses the tag event data and uses that value for the module version, in the below example we remove a git tag prefixed with v
as the Terraform Module Registry only supports versions in a numeric X.X.X
format.
It's important to note that for this policy, you will need to provide a mock, non-existent version for proposed runs. This precaution has been taken to ensure that pull requests do not encounter check failures due to the existence of versions that are already in use.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
If you wish to add a track rule to your push policy, the below will start a tracked run when the module version is not empty and the push branch is the same as the one the module branch is tracking.
1 2 3 4 |
|
Allow forks»
By default, we don't trigger runs when a forked repository opens a pull request against your repository. This is because of a security concern: if let's say your infrastructure is open source, someone forks it, implements some unwanted junk in there, then opens a pull request for the original repository, it'd run automatically with the prankster's code included.
Info
The cause is very similar to GitHub Actions where they don't expose repository secrets when forked repositories open pull requests.
If you still want to allow it, you can explicitly do it with allow_fork
rule. For example, if you trust certain people or organizations:
1 2 3 4 5 |
|
In the above case, we'll allow a forked repository to run, only if the owner of the forked repository is either johnwayne
or microsoft
.
head_owner
field means different things in different VCS providers:
GitHub / GitHub Enterprise»
In GitHub, head_owner
is the organization or the person owning the forked repository. It's typically in the URL: https://github.com/<head_owner>/<forked_repository>
GitLab»
In GitLab, it is the group of the repository which is typically the URL of the repository: https://gitlab.com/<head_owner>/<forked_repository>
Azure DevOps»
Azure DevOps is a special case because they don't provide us the friendly name of the head_owner
. In this case, we need to refer to head_owner
as the ID of the forked repository's project which is a UUID. One way to figure out this UUID is to open https://dev.azure.com/<organization>/_apis/projects
website which lists all projects with their unique IDs. You don't need any special access to this API, you can just simply open it in your browser.
Official documentation of the API.
Bitbucket Cloud»
In Bitbucket Cloud, head_owner
means workspace. It's in the URL of the repository: https://www.bitbucket.org/<workspace>/<forked_repository>
.
Bitbucket Datacenter/Server»
In Bitbucket Datacenter/Server, it is the project key of the repository. The project key is not the display name of the project, but the abbreviation in all caps.
Approval and Mergeability»
The pull_request
property on the input to a push policy contains the following fields:
approved
- indicates whether the PR has been approved.mergeable
- indicates whether the PR can be merged.undiverged
- indicates that the PR branch is not behind the target branch.
The following example shows a push policy that will automatically deploy a PR's changes once it has been approved, any required checks have completed, and the PR has a deploy
label added to it:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
|
Each source control provider has slightly different features, and because of this the exact definition of approved
and mergeable
varies slightly between providers. The following sections explain the differences.
Azure DevOps »
approved
means the PR has at least one approving review (including approved with suggestions).mergeable
means that the PR branch has no conflicts with the target branch, and any blocking policies are approved.
Info
Please note that we are unable to calculate divergence across forks in Azure DevOps, so the undiverged
property will always be false
for PRs created from forks.
Bitbucket Cloud »
approved
means that the PR has at least one approving review from someone other than the PR author.mergeable
means that the PR branch has no conflicts with the target branch.
Bitbucket Datacenter/Server »
approved
means that the PR has at least one approving review from someone other than the PR author.mergeable
means that the PR branch has no conflicts with the target branch.
GitHub / GitHub Enterprise »
approved
means that the PR has at least one approval, and also meets any minimum approval requirements for the repo.mergeable
means that the PR branch has no conflicts with the target branch, and any branch protection rules have been met.
GitLab »
approved
means that the PR has at least one approval. If approvals are required, it is onlytrue
when all required approvals have been made.mergeable
means that the PR branch has no conflicts with the target branch, any blocking discussions have been resolved, and any required approvals have been made.
Data input»
As input, Git push policy receives the following document:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
|
When triggered by a new module version, this is the schema of the data input that each policy request will receive:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
|
Based on this input, the policy may define boolean track
, propose
and ignore
rules. The positive outcome of at least one ignore
rule causes the push to be ignored, no matter the outcome of other rules. The positive outcome of at least one track
rule triggers a tracked run. The positive outcome of at least one propose
rule triggers a proposed run.
Warning
If no rules are matched, the default is to ignore the push. Therefore it is important to always supply an exhaustive set of policies - that is, making sure that they define what to track and what to propose in addition to defining what they ignore.
It is also possible to define an auxiliary rule called ignore_track
, which overrides a positive outcome of the track
rule but does not affect other rules, most notably the propose
one. This can be used to turn some of the pushes that would otherwise be applied into test runs.
Examples»
Tip
We maintain a library of example policies that are ready to use or that you could tweak to meet your specific needs.
If you cannot find what you are looking for below or in the library, please reach out to our support and we will craft a policy to do exactly what you need.
Ignoring certain paths»
Ignoring changes to certain paths is something you'd find useful both with classic monorepos and repositories containing multiple Terraform projects under different paths. When evaluating a push, we determine the list of affected files by looking at all the files touched by any of the commits in a given push.
Info
This list may include false positives - eg. in a situation where you delete a given file in one commit, then bring it back in another commit, and then push multiple commits at once. This is a safer default than trying to figure out the exact scope of each push.
Let's imagine a situation where you only want to look at changes to Terraform definitions - in HCL or JSON - inside one the production/
or modules/
directory, and have track and propose use their default settings:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
As an aside, note that in order to keep the example readable we had to define ignore
in a negative way as per the Anna Karenina principle. A minimal example of this policy is available here.
Status checks and ignored pushes»
By default when the push policy instructs Spacelift to ignore a certain change, no commit status check is sent back to the VCS. This behavior is explicitly designed to prevent noise in monorepo scenarios where a large number of stacks are linked to the same Git repo.
However, in certain cases one may still be interested in learning that the push was ignored, or just getting a commit status check for a given stack when it's set as required as part of GitHub branch protection set of rules, or simply your internal organization rules.
In that case, you may find the notify
rule useful. The purpose of this rule is to override default notification settings. So if you want to notify your VCS vendor even when a commit is ignored, you can define it like this:
1 2 3 4 5 |
|
Info
The notify rule (false by default) only applies to ignored pushes, so you can't set it to false
to silence commit status checks for proposed runs.
Applying from a tag»
Another possible use case of a Git push policy would be to apply from a newly created tag rather than from a branch. This in turn can be useful in multiple scenarios - for example, a staging/QA environment could be deployed every time a certain tag type is applied to a tested branch, thereby providing inline feedback on a GitHub Pull Request from the actual deployment rather than a plan/test. One could also constrain production to only apply from tags unless a Run is explicitly triggered by the user.
Here's an example of one such policy:
1 2 3 4 |
|
Default Git push policy»
If no Git push policies are attached to a stack or a module, the default behavior is equivalent to this policy:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
|
Waiting for CI/CD artifacts»
There are cases where you want pushes to your repo to trigger a run in Spacelift, but only after a CI/CD pipeline (or a part of it) has completed. An example would be when you want to trigger an infra deploy after some docker image has been built and pushed to a registry. This is achievable via push policies by using the External Dependencies feature.
Prioritization»
Although we generally recommend using our default scheduling order (tracked runs and tasks, then proposed runs, then drift detection runs), you can also use push policies to prioritize certain runs over others. For example, you may want to prioritize runs triggered by a certain user or a certain branch. To that effect, you can use the boolean prioritize
rule to mark a run as prioritized. Here's an example:
1 2 3 4 5 |
|
The above example will prioritize runs on any stack that has the prioritize
label set. Please note that run prioritization only works for private worker pools. An attempt to prioritize a run on a public worker pool using this policy will be a no-op.
Stack Locking»
Stack locking can be particularly useful in workflows heavily reliant on pull requests. The push policy enables you to lock and unlock a stack based on specific criteria using the lock
and unlock
rules.
lock
rule behavior when a non-empty string is returned:
- Lock the stack if it's currently unlocked.
- No change if the stack is already locked by the same owner.
- Reject any runs if the stack is locked by a different owner and you attempt to lock it.
unlock
rule behavior when a non-empty string is returned:
- No change if the stack is currently unlocked.
- Unlock the stack if it's locked by the same owner.
- No change if the stack is locked by a different owner.
Info
Note that runs are only rejected if the push policy rules result in an attempt to acquire a lock on an already locked stack with a different lock key. If the lock
rule is undefined or results in an empty string, runs will not be rejected.
Below is an example policy snippet which locks a stack when a pull request is opened or synchronized, and unlocks it when the pull request is closed or merged. Ensure you have added import future.keywords
to your policy to use this exact snippet.
1 2 3 4 5 6 7 8 9 |
|
You can further customise this selectively locking and unlocking the stacks whose project root or project globs are set to track the files in the pull request. Here is an example of that:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
|
Futhermore, with the release of this functionality, you can also lock and unlock through comments. Here is an example:
1 2 3 4 |
|
Using the above addition to your push policy, you can then unlock your stack by commenting something such as:
1 |
|