chore: plan validations update github check status #1109

Merged
adityachoudhari26 merged 1 commit into main from plan-validation-gh
May 6, 2026
adityachoudhari26 (Member) commented May 6, 2026

fixes #1091

Summary by CodeRabbit

  • New Features

    • Plan validation results can now be queried and retrieved by deployment target
    • GitHub checks now display policy validation violations in check run reports
  • Improvements

    • Enhanced check rendering to surface policy violations in per-target sections
    • Check titles and conclusions now account for policy violations
    • Policy violations are aggregated and affect check failure determination

Copilot AI review requested due to automatic review settings May 6, 2026 17:30
coderabbitai (Bot, Contributor) commented May 6, 2026

Caution

Review failed

Failed to post review comments

📝 Walkthrough

This PR adds a new database query and getter methods to retrieve plan validation results by target ID, then integrates violation loading and rendering into the GitHub check output. Violations are aggregated, parsed from JSON payloads, and displayed per agent alongside diff information.

Changes

Plan Validation Result Querying and Rendering

| Layer / File(s) | Summary |
|---|---|
| Database Query & Types: apps/workspace-engine/pkg/db/queries/plan_validation.sql, apps/workspace-engine/pkg/db/plan_validation.sql.go | New SQL query ListPlanValidationResultsByTargetID selects failed validation results for a target; corresponding exported type ListPlanValidationResultsByTargetIDRow and query method added. |
| Data Access Interface & Implementation: apps/workspace-engine/svc/controllers/deploymentplanresult/getters.go, apps/workspace-engine/svc/controllers/deploymentplanresult/getters_postgres.go | Getter interface extended with ListPlanValidationResultsByTargetID method; PostgresGetter implements the method by delegating to the database query. |
| GitHub Check Rendering: apps/workspace-engine/svc/controllers/deploymentplanresult/github_check.go | Core enhancement: agentResult struct gains ResultID and Violations fields; aggregate struct gains ValidationFailures counter. loadTargetContext loads violations by result ID and attaches them to agent results. checkConclusion and checkTitle now account for validation failures. New writeViolations helper renders violations in agent sections. New loadViolationsByResult fetches and maps violations; parseViolationMessages unmarshals violation JSON. |
| Tests & Mocking: apps/workspace-engine/svc/controllers/deploymentplanresult/controller_test.go, apps/workspace-engine/svc/controllers/deploymentplanresult/github_check_test.go | Mock getter method added to support testing. New tests validate violation aggregation, violation rendering in agent sections, and conclusion/title behavior when violations are present. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant GHCheck as GitHub<br/>Check Renderer
    participant LoadCtx as Load Target<br/>Context
    participant DB as Database
    participant Agg as Aggregate &<br/>Format

    GHCheck->>LoadCtx: loadTargetContext(targetID)
    LoadCtx->>DB: ListPlanValidationResultsByTargetID(targetID)
    DB-->>LoadCtx: []ValidationResult{ResultID, RuleID, Violations}
    LoadCtx->>LoadCtx: parseViolationMessages(violations)
    LoadCtx->>LoadCtx: violationsByResult map[UUID][]ruleViolation
    LoadCtx-->>GHCheck: agentResults with Violations attached

    GHCheck->>Agg: aggregateResults(agentResults)
    Agg->>Agg: count ValidationFailures from len(violations)
    Agg-->>GHCheck: aggregate{ValidationFailures, ...}

    GHCheck->>Agg: checkConclusion(aggregate)
    alt has ValidationFailures
        Agg-->>GHCheck: "failure"
    else clean
        Agg-->>GHCheck: "success"
    end

    GHCheck->>Agg: checkTitle(aggregate)
    Agg->>Agg: compute suffix (+X -Y (N policy violations))
    Agg-->>GHCheck: title with violation count

    GHCheck->>GHCheck: formatAgentSection(agentResult)
    GHCheck->>GHCheck: writeViolations(violations)
    GHCheck-->>GHCheck: rendered output with violations
```

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related Issues

  • feat: render plan validation results in github check #1091 — This PR directly implements the objectives of "render plan validation results in github check": loading validation results by target, rendering them in check output with rule names and denial messages, and updating the conclusion to failure when validation rules fail.

Possibly Related PRs

  • ctrlplanedev/ctrlplane#1092 — Introduces the deployment_plan_target_result_validation and policy_rule_plan_validation_opa schema tables that this PR queries against.
  • ctrlplanedev/ctrlplane#1023 — Also extends the deployment plan result GitHub check flow and adds per-target database list methods; directly overlaps in the github_check.go rendering integration.
  • ctrlplanedev/ctrlplane#1094 — Introduces the plan-validation feature schema and core upsert/query methods; this PR extends that foundation to surface violations in the GitHub check UI.

Poem

🐰 A rabbit bounds through validation rows,
Fetching violations where policy flows,
Violations render in checks so bright,
Failures now glow red, successes glow white!
No more hidden rules—transparency thrives!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding plan validation result rendering to GitHub check status updates. |
| Linked Issues check | ✅ Passed | The PR meets all coding requirements from #1091: querying validation results by target ID, rendering validation sections in GitHub checks with proper formatting, computing conclusion from validation status, and supporting idempotent renders. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to querying and rendering plan validation results in GitHub checks; no unrelated modifications were introduced. |


adityachoudhari26 merged commit fa2c5e7 into main May 6, 2026
14 checks passed
adityachoudhari26 deleted the plan-validation-gh branch May 6, 2026 17:49
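
A minimal sketch of the flow the walkthrough and sequence diagram describe (parse violation payloads, count them, derive the check conclusion and title), added here as an example and not taken from the ctrlplane code. Type and function names echo the walkthrough; the bodies, the `msg` payload key, the diff-count fields, the combined `checkSummary` helper, and the fail-closed handling of undecodable payloads are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type ruleViolation struct{ Msg string `json:"msg"` } // "msg" key is an assumed layout

type agentResult struct {
	ResultID             string
	Additions, Deletions int
	Violations           []ruleViolation
}

type aggregate struct{ Additions, Deletions, ValidationFailures int }

// Fail closed: an undecodable payload becomes a violation, never an empty list.
func parseViolationMessages(raw []byte) []ruleViolation {
	var vs []ruleViolation
	if err := json.Unmarshal(raw, &vs); err != nil {
		return []ruleViolation{{Msg: "unreadable violation payload"}}
	}
	return vs
}

func aggregateResults(rs []agentResult) (a aggregate) {
	for _, r := range rs {
		a.Additions += r.Additions
		a.Deletions += r.Deletions
		a.ValidationFailures += len(r.Violations)
	}
	return a
}

func checkSummary(a aggregate) (conclusion, title string) {
	title = fmt.Sprintf("+%d -%d", a.Additions, a.Deletions)
	if a.ValidationFailures == 0 {
		return "success", title
	}
	return "failure", fmt.Sprintf("%s (%d policy violations)", title, a.ValidationFailures)
}

func main() { // constructed sample: one valid payload, one truncated payload
	a := aggregateResults([]agentResult{
		{"r1", 3, 1, parseViolationMessages([]byte(`[{"msg":"replicas must be >= 2"}]`))},
		{"r2", 0, 0, parseViolationMessages([]byte(`[{"msg":`))},
	})
	fmt.Println(checkSummary(a))
}
```

Because the truncated payload is counted rather than dropped, a corrupted violation row cannot turn a failing policy check green.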