feat(cli): per-policy scoping for --policy-input-from-file
Runtime policy inputs supplied via --policy-input-from-file previously
lived in a single global namespace keyed only by input name, so an input
was applied to every policy attachment that declared it and could not be
targeted at a specific policy. This prevented feeding one curated list
into different inputs on different policies (e.g. ignored_paths on a
customer-signed gate versus third_party_paths on a vendor-keys gate).
Add an optional policy-scope prefix to the flag value:
[<policy>:]<input>=<file>[:<column>]
The unscoped form keeps the previous global behavior. The scoped form
applies the input only to the attachment whose policy name or ref matches
the scope, normalizing scheme, org and @sha256: digest and honoring a
pinned version. Global and scoped inputs for the same policy merge
additively. A scope that matches no policy on the material is logged as a
warning. runtime_input_overrides continues to record, per policy, which
inputs applied.
Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: 21d09b3d-bdcb-4e52-9aca-56aa3c1b5139, 92f34c12-d29d-4d4a-897a-4afea9b1ee86
cmd.Flags().StringArrayVar(&policyInputFromFileFlag, "policy-input-from-file", nil, "feed a policy input from a column of a CSV or JSON file, in the format <input>=<file>[:<column>] (e.g. ignored_paths=exception.csv:Path); <column> is a single top-level column/field name and defaults to the input name; repeatable. The file is also recorded as EVIDENCE.")
167
+
cmd.Flags().StringArrayVar(&policyInputFromFileFlag, "policy-input-from-file", nil, "feed a policy input from a column of a CSV or JSON file, in the format [<policy>:]<input>=<file>[:<column>] (e.g. ignored_paths=exception.csv:Path); an optional <policy>: prefix scopes the input to a single policy (matched by name or ref), otherwise it applies to every declaring policy; <column> is a single top-level column/field name and defaults to the input name; repeatable. The file is also recorded as EVIDENCE.")
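Review bot: the new `<policy>:` prefix in this help string uses `:` as its delimiter, but the commit message says a scope may be a ref carrying a scheme and an `@sha256:` digest, both of which contain `:` themselves, and `:` already separates `<file>` from `<column>`. The help text should state how the value is split (what is taken as the scope and what as the input name when the part before `=` holds more than one `:`), and a test case with a digest-pinned ref as the scope would pin that behavior down.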
--policy-input-from-file stringArray feed a policy input from a column of a CSV or JSON file, in the format <input>=<file>[:<column>] (e.g. ignored_paths=exception.csv:Path); <column> is a single top-level column/field name and defaults to the input name; repeatable. The file is also recorded as EVIDENCE.
268
+
--policy-input-from-file stringArray feed a policy input from a column of a CSV or JSON file, in the format [<policy>:]<input>=<file>[:<column>] (e.g. ignored_paths=exception.csv:Path); an optional <policy>: prefix scopes the input to a single policy (matched by name or ref), otherwise it applies to every declaring policy; <column> is a single top-level column/field name and defaults to the input name; repeatable. The file is also recorded as EVIDENCE.
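Review bot: the example in the updated reference text is still the unscoped `ignored_paths=exception.csv:Path`, so the new prefix is documented without showing it in use. Add a scoped example next to it, written with a placeholder such as `<policy>:ignored_paths=exception.csv:Path`. Also state here the two behaviors the commit message describes but the flag text omits: a scope that matches no policy only logs a warning, and global and scoped values for the same policy merge additively. Both decide which exception entries a given gate actually evaluates, so an operator reading only the CLI reference needs them.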