Push policy

Purpose

Git push policies are triggered on a per-stack basis to determine the action that should be taken for each individual Stack or Module in response to a Git push or Pull Request notification. There are three possible outcomes:
    track: set the new head commit on the stack / module and create a tracked Run, ie. one that can be applied;
    propose: create a proposed Run against a proposed version of infrastructure;
    ignore: do not schedule a new Run;
Using this policy it is possible to create a very sophisticated, custom-made setup. We can think of two main - and not mutually exclusive - use cases. The first one would be to ignore changes to certain paths - something you'd find useful both with classic monorepos and repositories containing multiple Terraform projects under different paths. The second one would be to only attempt to apply a subset of changes - for example, only commits tagged in a certain way.

Git push policy and tracked branch

Each stack and module points at a particular Git branch called a tracked branch. By default, any push to the tracked branch triggers a tracked Run that can be applied. This logic can be changed entirely by a Git push policy, but the tracked branch is always reported as part of the Stack input to the policy evaluator and can be used as a point of reference.

Push and Pull Request events

Pull Request events are currently only available for GitHub and GitLab.
Spacelift can currently react to two types of events - push and pull request (also called merge request by GitLab). Push events are the default - even if you don't have a push policy set up, we will respond to those events. Pull request events are supported for some VCS providers and are generally received when you open, synchronize (push a new commit), label, or merge the pull request.
There are some valid reasons to use pull request events in addition or indeed instead of push ones. One is that when making decisions based on the paths of affected files, push events are often confusing:
    they contain affected files for all commits in a push, not just the head commit;
    they are not context-aware, making it hard to work with pull requests - if a given push is ignored on an otherwise relevant PR, then the Spacelift status check is not provided;
But there are more reasons depending on how you want to structure your workflow. Here are a few samples of PR-driven policies from real-life use cases, each reflecting a slightly different way of doing things.
First, let's only trigger proposed runs if a PR exists, and allow any push to the tracked branch to trigger a tracked run:
1
package spacelift
2
3
track { input.push.branch = input.stack.branch }
4
propose { not is_null(input.pull_request) }
5
ignore { not track; not propose }
Copied!
If you want to enforce that tracked runs are always created from PR merges (and not from direct pushes to the tracked branch), you can tweak the above policy accordingly to just ignore all non-PR events:
1
package spacelift
2
3
track { is_pr; input.push.branch = input.stack.branch }
4
propose { is_pr }
5
ignore { not is_pr }
6
is_pr { not is_null(input.pull_request) }
Copied!
Here's another example where you respond to a particular PR label ("deploy") to automatically deploy changes:
1
package spacelift
2
3
track { is_pr, labeled }
4
propose { true }
5
is_pr { not is_null(input.pull_request) }
6
labeled { input.pull_request.labels[_] = "deploy" }
Copied!

Deduplicating events

If you're using pull requests in your flow, it is possible that we'll receive duplicate events. For example, if you push to a feature branch and then open a pull request, we first receive a push event, then a separate pull request (opened) event. When you push another commit to that feature branch, we again receive two events - push and pull request (synchronized). When you merge the pull request, we get two more - push and pull request (closed).
It is possible that push policies resolve to the same actionable (not ignore) outcome (eg. track or propose). In those cases instead of creating two separate runs, we debounce the events by deduplicating runs created by them on a per-stack basis.
The deduplication key consists of the commit SHA and run type. If your policy returns two different actionable outcomes for two different events associated with a given SHA, both runs will be created. In practice, this would be an unusual corner case and a good occasion to revisit your workflow.
When events are deduplicated and you're sampling policy evaluations, you may notice that there are two samples for the same SHA, each with different input. You can generally assume that it's the first one that creates a run.

Canceling in-progress runs

The push policy can also be used to have the new run pre-empt any runs that are currently in progress. The input document includes the in_progress key, which contains an array of runs that are currently either still queued or are awaiting human confirmation. You can use it in conjunction with the cancel rule like this:
1
cancel[run.id] { run := input.in_progress[_] }
Copied!
Of course, you can use a more sophisticated approach and only choose to cancel a certain type of run, or runs in a particular state. For example, the rule below will only cancel proposed runs that are currently queued (waiting for the worker):
1
cancel[run.id] {
2
run := input.in_progress[_]
3
run.type == "PROPOSED"
4
run.state = "QUEUED"
5
}
Copied!
Note that run preemption is best effort and not guaranteed. If the run is either picked up by the worker or approved by a human in the meantime then the cancelation itself is canceled.

Corner case: track, don't trigger

The track decision sets the new head commit on the affected stack or module. This head commit is what is going to be used when a tracked run is manually triggered, or a task is started on the stack. Usually what you want in this case is to have a new tracked Run, so this is what we do by default.
Sometimes, however, you may want to trigger those tracked runs in a specific order or under specific circumstances - either manually or using a trigger policy. So what you want is an option to set the head commit, but not trigger a run. This is what the boolean notrigger rule can do for you. notrigger will only work in conjunction with track decision and will prevent the tracked run from being created.
Please note that notrigger does not depend in any way on the track rule - they're entirely independent. Only when interpreting the result of the policy, we will only look at notrigger if track evaluates to true. Here's an example of using the two rules together to always set the new commit on the stack, but not trigger a run - for example, because it's either always triggered manually, through the API, or using a trigger policy:
1
track { input.push.branch == input.stack.branch }
2
propose { not track }
3
notrigger { true }
Copied!

Data input

As input, Git push policy receives the following document:
1
{
2
"pull_request": {
3
"action": "string - opened, reopened, closed, merged, edited, labeled, synchronize, unlabeled",
4
"base": {
5
"affected_files": ["string"],
6
"author": "string",
7
"branch": "string",
8
"created_at": "number (timestamp in nanoseconds)",
9
"message": "string",
10
"tag": "string"
11
},
12
"diff": ["string - list of files changed between base and head commit"],
13
"head": {
14
"affected_files": ["string"],
15
"author": "string",
16
"branch": "string",
17
"created_at": "number (timestamp in nanoseconds)",
18
"message": "string",
19
"tag": "string"
20
},
21
"labels": ["string"],
22
"title": "string"
23
}
24
"push": {
25
// For Git push events, this contains the pushed commit.
26
// For Pull Request events,
27
// this contains the head commit or merge commit if available (merge event).
28
"affected_files": ["string"],
29
"author": "string",
30
"branch": "string",
31
"created_at": "number (timestamp in nanoseconds)",
32
"message": "string",
33
"tag": "string"
34
},
35
"stack": {
36
"administrative": "boolean",
37
"branch": "string",
38
"labels": ["string - list of arbitrary, user-defined selectors"],
39
"locked_by": "optional string - if the stack is locked, this is the name of the user who did it",
40
"name": "string",
41
"namespace": "string - repository namespace, only relevant to GitLab repositories",
42
"project_root": "optional string - project root as set on the Stack, if any",
43
"repository": "string",
44
"state": "string",
45
"terraform_version": "string or null"
46
},
47
"stacks": [{
48
"administrative": "boolean - is the stack administrative",
49
"autodeploy": "boolean - is the stack currently set to autodeploy",
50
"branch": "string - tracked branch of the stack",
51
"id": "string - unique stack identifier",
52
"labels": ["string - list of arbitrary, user-defined selectors"],
53
"locked_by": "optional string - if the stack is locked, this is the name of the user who did it",
54
"name": "string - name of the stack",
55
"namespace": "string - repository namespace, only relevant to GitLab repositories",
56
"project_root": "optional string - project root as set on the Stack, if any",
57
"repository": "string - name of the source GitHub repository",
58
"state": "string - current state of the stack",
59
"terraform_version": "string or null - last Terraform version used to apply changes"
60
}],
61
"in_progress": [{
62
"based_on_local_workspace": "boolean - whether the run stems from a local preview",
63
"changes": [
64
{
65
"action": "string enum - added | changed | deleted",
66
"entity": {
67
"address": "string - full address of the entity",
68
"name": "string - name of the entity",
69
"type": "string - full resource type or \"output\" for outputs"
70
},
71
"phase": "string enum - plan | apply"
72
}
73
],
74
"created_at": "number - creation Unix timestamp in nanoseconds",
75
"runtime_config": {
76
"before_init": ["string - command to run before run initialization"],
77
"project_root": "string - root of the Terraform project",
78
"runner_image": "string - Docker image used to execute the run",
79
"terraform_version": "string - Terraform version used to for the run"
80
},
81
"triggered_by": "string or null - user or trigger policy who triggered the run, if applicable",
82
"type": "string - PROPOSED or TRACKED",
83
"updated_at": "number - last update Unix timestamp in nanoseconds",
84
"user_provided_metadata": ["string - blobs of metadata provided using spacectl or the API when interacting with this run"]
85
}]
86
}
Copied!
Note the presence of two similar keys: stack and stacks. The former is the Stack that the newly finished Run belongs to. The other is a list of all Stacks referencing the same git repository. The schema for both is the same.
Based on this input, the policy may define boolean track, propose and ignore rules. The positive outcome of at least one ignore rule causes the push to be ignored, no matter the outcome of other rules. The positive outcome of at least one track rule triggers a tracked run. The positive outcome of at least one propose rule triggers a proposed run.
If no rules are matched, the default is to ignore the push. Therefore it is important to always supply an exhaustive set of policies - that is, making sure that they define what to track and what to propose in addition to defining what they ignore.
It is also possible to define an auxiliary rule called ignore_track, which overrides a positive outcome of the track rule but does not affect other rules, most notably the propose one. This can be used to turn some of the pushes that would otherwise be applied into test runs.

Use cases

Ignoring certain paths

Ignoring changes to certain paths is something you'd find useful both with classic monorepos and repositories containing multiple Terraform projects under different paths. When evaluating a push, we determine the list of affected files by looking at all the files touched by any of the commits in a given push.
This list may include false positives - eg. in a situation where you delete a given file in one commit, then bring it back in another commit, and then push multiple commits at once. This is a safer default than trying to figure out the exact scope of each push.
Let's imagine a situation where you only want to look at changes to Terraform definitions - in HCL or JSON - inside one the production/ or modules/ directory, and have track and propose use their default settings:
1
package spacelift
2
3
track { input.push.branch == input.stack.branch }
4
propose { input.push.branch != "" }
5
ignore { not affected }
6
7
affected {
8
some i, j, k
9
10
tracked_directories := {"modules/", "production/"}
11
tracked_extensions := {".tf", ".tf.json"}
12
13
path := input.push.affected_files[i]
14
15
startswith(path, tracked_directories[j])
16
endswith(path, tracked_extensions[k])
17
}
Copied!
As an aside, note that in order to keep the example readable we had to define ignore in a negative way as per the Anna Karenina principle. A minimal example of this policy is available here.

Status checks and ignored pushes

By default when the push policy instructs Spacelift to ignore a certain change, no commit status check is sent back to the VCS. This behavior is explicitly designed to prevent noise in monorepo scenarios where a large number of stacks are linked to the same Git repo.
However, in certain cases one may still be interested in learning that the push was ignored, or just getting a commit status check for a given stack when it's set as required as part of GitHub branch protection set of rules, or simply your internal organization rules.
In that case, you may find the notify rule useful. The purpose of this rule is to override default notification settings. So if you want to notify your VCS vendor even when a commit is ignored, you can define it like this:
1
package spacelift
2
3
# other rules (including ignore), see above
4
5
notify { ignore }
Copied!
The notify rule (false by default) only applies to ignored pushes, so you can't set it to false to silence commit status checks for proposed runs.

Applying from a tag

Another possible use case of a Git push policy would be to apply from a newly created tag rather than from a branch. This in turn can be useful in multiple scenarios - for example, a staging/QA environment could be deployed every time a certain tag type is applied to a tested branch, thereby providing inline feedback on a GitHub Pull Request from the actual deployment rather than a plan/test. One could also constrain production to only apply from tags unless a Run is explicitly triggered by the user.
Here's an example of one such policy:
1
package spacelift
2
3
track { re_match(`^\d+\.\d+\.\d+ Push policy - Spacelift , input.push.tag) }
4
propose { input.push.branch != input.stack.branch }
Copied!

Default Git push policy

If no Git push policies are attached to a stack or a module, the default behavior is equivalent to this policy:
1
package spacelift
2
3
track { input.push.branch == input.stack.branch }
4
propose { input.push.branch != "" }
5
ignore { input.push.branch == "" }
Copied!
Last modified 17d ago