feat(cli): per-policy scoping for --policy-input-from-file #3258
Merged: javirln merged 1 commit, Jul 1, 2026
AI Session Analysis: Missing AI Coding Sessions
We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop. Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the
Learn more about Chainloop Trace.
1 issue found across 13 files
Reply with feedback, questions, or to request a fix.
migmartri previously approved these changes, Jul 1, 2026
Runtime policy inputs supplied via --policy-input-from-file previously lived in a single global namespace keyed only by input name, so an input was applied to every policy attachment that declared it and could not be targeted at a specific policy. This prevented feeding one curated list into different inputs on different policies (e.g. ignored_paths on a customer-signed gate versus third_party_paths on a vendor-keys gate).

Add an optional policy-scope prefix to the flag value:

[<policy>:]<input>=<file>[:<column>]

The unscoped form keeps the previous global behavior. The scoped form applies the input only to the attachment whose policy name or ref matches the scope, normalizing scheme, org and @sha256: digest and honoring a pinned version. Global and scoped inputs for the same policy merge additively. A scope that matches no policy on the material is logged as a warning. runtime_input_overrides continues to record, per policy, which inputs applied.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: 21d09b3d-bdcb-4e52-9aca-56aa3c1b5139, 92f34c12-d29d-4d4a-897a-4afea9b1ee86
2ab706f to 971f452
migmartri approved these changes, Jul 1, 2026
Summary
Runtime policy inputs supplied via --policy-input-from-file previously lived in a single global namespace keyed only by input name, so an input was applied to every policy attachment that declared it and could not be targeted at a specific policy. This prevented feeding one curated list into different inputs on different policies (e.g. ignored_paths on a customer-signed gate versus third_party_paths on a vendor-keys gate).
This adds an optional policy-scope prefix to the flag value:
[<policy>:]<input>=<file>[:<column>]
The unscoped form keeps the previous global behavior. The scoped form applies the input only to the attachment whose policy name or ref matches the scope, normalizing scheme, org and @sha256: digest and honoring a pinned version. runtime_input_overrides continues to record, per policy, which inputs applied. Relates to PFM-6530.
AI assistance
This contribution was produced with the assistance of Claude Code, as disclosed via the Assisted-by: trailer on the commit.
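The flag grammar and scope-matching rules described in the commit message and summary above, worked through as an added Go example (this is not code from the Chainloop CLI). It assumes policy refs of the form scheme://org/name[@version][@sha256:hex], treats a scope without a pinned version as matching any version of that policy, and keeps the <file>[:<column>] part unparsed since scoping is the point.

```go
package main

import "strings"

// PolicyInput is one --policy-input-from-file value; an empty Policy means global.
type PolicyInput struct{ Policy, Name, File string }

// ParsePolicyInputFlag parses [<policy>:]<input>=<file>[:<column>]. A policy ref may
// contain ':' (scheme://, @sha256:), so scope/input split on the last ':' before '='.
func ParsePolicyInputFlag(v string) (PolicyInput, bool) {
	lhs, file, ok := strings.Cut(v, "=")
	if !ok || lhs == "" || file == "" {
		return PolicyInput{}, false
	}
	in := PolicyInput{Name: lhs, File: file} // <file>[:<column>] is kept verbatim here
	if i := strings.LastIndex(lhs, ":"); i >= 0 {
		in.Policy, in.Name = lhs[:i], lhs[i+1:]
	}
	return in, true
}

// ScopeMatches reports whether a scope selects an attached policy: same name once scheme,
// org path and @sha256: digest are dropped, and the same version if the scope pins one.
func ScopeMatches(scope, attached string) bool {
	norm := func(ref string) string { // assumed ref shape scheme://org/name[@version][@sha256:hex]
		name, _, _ := strings.Cut(ref[strings.LastIndex(ref, "/")+1:], "@sha256:")
		return name
	}
	sName, sVer, pinned := strings.Cut(norm(scope), "@")
	aName, aVer, _ := strings.Cut(norm(attached), "@")
	return sName == aName && (!pinned || sVer == aVer)
}

// ResolveInputs records, per attached policy ref, which inputs applied (global and
// scoped merge additively) and returns scopes that selected no policy as warnings.
func ResolveInputs(attached []string, inputs []PolicyInput) (map[string][]PolicyInput, []string) {
	applied, warns := map[string][]PolicyInput{}, []string{}
	for _, in := range inputs {
		hit := false
		for _, a := range attached {
			if in.Policy == "" || ScopeMatches(in.Policy, a) {
				applied[a], hit = append(applied[a], in), true
			}
		}
		if in.Policy != "" && !hit {
			warns = append(warns, "scope "+in.Policy+" matches no policy on the material")
		}
	}
	return applied, warns
}
```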