feat(cli): per-policy scoping for --policy-input-from-file #3258

Merged
javirln merged 1 commit into chainloop-dev:main from javirln:pfm-6530-per-policy-scoping-for-policy-input-fro on Jul 1, 2026
Conversation

javirln (Member) commented Jul 1, 2026

Summary

Runtime policy inputs supplied via --policy-input-from-file previously lived in a single global namespace keyed only by input name, so an input was applied to every policy attachment that declared it and could not be targeted at a specific policy. This prevented feeding one curated list into different inputs on different policies (e.g. ignored_paths on a customer-signed gate versus third_party_paths on a vendor-keys gate).

This adds an optional policy-scope prefix to the flag value:

[<policy>:]<input>=<file>[:<column>]
  • The unscoped form keeps the previous global behavior (applies to every policy that declares the input).
  • The scoped form applies the input only to the attachment whose policy name or ref matches the scope, normalizing scheme, org and @sha256: digest and honoring a pinned version.
  • Global and scoped inputs for the same policy merge additively.
  • A scope that matches no policy on the evaluated material is logged as a warning.
  • runtime_input_overrides continues to record, per policy, which inputs applied.

Relates to PFM-6530.

AI assistance

This contribution was produced with the assistance of Claude Code, as disclosed via the Assisted-by: trailer on the commit.
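The flag grammar and scoping rules described above, as an added Go example that is not the PR's own code (Chainloop's implementation in pkg/policies/runtime_inputs.go is not reproduced here). The function names, the ref grammar (scheme://org/name, an optional @version, or an @sha256: digest) and the rule that a later flag wins a name clash are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// FileInput is one parsed --policy-input-from-file value; Scope == "" means global.
type FileInput struct{ Scope, Input, File, Column string }

// normalizeRef keeps "name" or "name@version": the cut after the last '/' drops scheme
// and org, the second drops any @sha256: digest (assumed ref grammar, not Chainloop's).
func normalizeRef(ref string) string {
	ref = ref[strings.LastIndex(ref, "/")+1:]
	ref, _, _ = strings.Cut(ref, "@sha256:")
	return ref
}
// ParseFlagValue parses [<policy>:]<input>=<file>[:<column>]. The scope is everything before
// the last ':' left of '='; input names and file paths are assumed to contain no ':'.
func ParseFlagValue(v string) (FileInput, error) {
	lhs, rhs, ok := strings.Cut(v, "=")
	in := FileInput{Input: lhs, File: rhs}
	if i := strings.LastIndex(lhs, ":"); i >= 0 { in.Scope, in.Input = normalizeRef(lhs[:i]), lhs[i+1:] }
	if i := strings.LastIndex(rhs, ":"); i >= 0 { in.File, in.Column = rhs[:i], rhs[i+1:] }
	if !ok || in.Input == "" || in.File == "" { return FileInput{}, fmt.Errorf("bad --policy-input-from-file value %q", v) }
	return in, nil
}
// scopeMatches honors a pinned version: "gate@v1" must equal the normalized attachment
// ref exactly, while a bare "gate" matches any version of that policy.
func scopeMatches(scope, attachmentRef string) bool {
	att := normalizeRef(attachmentRef)
	if strings.Contains(scope, "@") { return scope == att }
	return scope == strings.SplitN(att, "@", 2)[0]
}
// Resolve merges, per attachment ref, the global inputs with the scoped ones that match it
// (a later flag wins a name clash) and also returns every scope that matched no attachment.
func Resolve(inputs []FileInput, attachments []string) (map[string]map[string]FileInput, []string) {
	out, hit := map[string]map[string]FileInput{}, map[string]bool{}
	for _, att := range attachments {
		out[att] = map[string]FileInput{}
		for _, in := range inputs {
			if in.Scope == "" || scopeMatches(in.Scope, att) { out[att][in.Input], hit[in.Scope] = in, true }
		}
	}
	var unmatched []string
	for _, in := range inputs { // hit doubles as a seen-set so each missing scope is reported once
		if in.Scope != "" && !hit[in.Scope] { unmatched, hit[in.Scope] = append(unmatched, in.Scope), true }
	}
	return out, unmatched
}
```

The caller would log each entry of the returned unmatched slice as the warning the PR describes.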

chainloop-platform (Contributor) commented:

AI Session Analysis

Missing AI Coding Sessions

We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop.

Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the skip-ai-session label to this PR to bypass this check.

Learn more about Chainloop Trace.

Powered by Chainloop and Chainloop Trace

cubic-dev-ai (Bot) left a comment

1 issue found across 13 files

Comment thread pkg/policies/runtime_inputs.go
migmartri previously approved these changes Jul 1, 2026

Runtime policy inputs supplied via --policy-input-from-file previously
lived in a single global namespace keyed only by input name, so an input
was applied to every policy attachment that declared it and could not be
targeted at a specific policy. This prevented feeding one curated list
into different inputs on different policies (e.g. ignored_paths on a
customer-signed gate versus third_party_paths on a vendor-keys gate).

Add an optional policy-scope prefix to the flag value:

  [<policy>:]<input>=<file>[:<column>]

The unscoped form keeps the previous global behavior. The scoped form
applies the input only to the attachment whose policy name or ref matches
the scope, normalizing scheme, org and @sha256: digest and honoring a
pinned version. Global and scoped inputs for the same policy merge
additively. A scope that matches no policy on the material is logged as a
warning. runtime_input_overrides continues to record, per policy, which
inputs applied.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: 21d09b3d-bdcb-4e52-9aca-56aa3c1b5139, 92f34c12-d29d-4d4a-897a-4afea9b1ee86
javirln force-pushed the pfm-6530-per-policy-scoping-for-policy-input-fro branch from 2ab706f to 971f452 on July 1, 2026 12:07
javirln enabled auto-merge (squash) on July 1, 2026 12:17
javirln merged commit c386baf into chainloop-dev:main on Jul 1, 2026
14 of 15 checks passed