246246 has_labels :
247247 - " label-1"
248248 - " label-2"
249-
249+
250250 # "repository" is satisfied if the pull request repository matches any one of the
251251 # patterns within the "matches" list or does not match all of the patterns
252252 # within the "not_matches" list.
263263 # patterns within the "matches" list or does not match all of the patterns
264264 # within the "not_matches" list.
265265 # e.g. this predicate triggers for titles including "BREAKING CHANGE" or titles
266- # that are not marked as docs/style/chore changes (using conventional commits
266+ # that are not marked as docs/style/chore changes (using conventional commits
267267 # formatting)
268268 #
269269 # Note: Double-quote strings must escape backslashes while single/plain do not.
280280
281281 # "has_valid_signatures_by" is satisfied if the commits in the pull request
282282 # all have git commit signatures that have been verified by GitHub, and
283- # the authenticated signatures are attributed to a user in the users list
283+ # the authenticated signatures are attributed to a user in the users list
284284 # or belong to a user in any of the listed organizations or teams.
285285 has_valid_signatures_by :
286286 users : ["user1", "user2", ...]
@@ -350,7 +350,7 @@ options:
350350
351351 # mode modifies how reviewers are selected. `all-users` will request all users
352352 # who are able to approve the pending rule. `random-users` selects a small
353- # set of random users based on the required count of approvals. `teams` will
353+ # set of random users based on the required count of approvals. `teams` will
354354 # request teams to review. Teams must have explicit access defined under
355355 # https://github.com/<org>/<repo>/settings/access in order to be tagged,
356356 # at least until https://github.com/palantir/policy-bot/issues/165 is fixed.
@@ -471,18 +471,18 @@ Disapproval allows users to explicitly block pull requests if certain changes
471471must be made. Any member of in the set of allowed users can disapprove a change
472472or revoke another user's disapproval.
473473
474- Unlike approval, all disapproval predicates and options are specified as part
475- of the policy. Effectively, there is a single disapproval rule. The ` disapproval`
474+ Unlike approval, all disapproval predicates and options are specified as part
475+ of the policy. Effectively, there is a single disapproval rule. The ` disapproval`
476476policy has the following specification :
477477
478478` ` ` yaml
479479# "disapproval" is the top-level key in the policy block.
480480disapproval:
481- # "if" specifies a set of predicates which will cause disapproval if any are
481+ # "if" specifies a set of predicates which will cause disapproval if any are
482482 # true
483- #
484- # This block, and every condition within it are optional. If the block does
485- # not exist, a pull request is only disapproved if a user takes a disapproval
483+ #
484+ # This block, and every condition within it are optional. If the block does
485+ # not exist, a pull request is only disapproved if a user takes a disapproval
486486 # action.
487487 if:
488488 # All predicates from the approval rules section are valid here
@@ -492,7 +492,7 @@ disapproval:
492492 - "^BREAKING CHANGE: (\\ w| )+$"
493493 matches:
494494 - "^BLOCKED"
495-
495+
496496 # "options" sets behavior related to disapproval. If it does not exist, the
497497 # defaults shown below are used.
498498 options:
@@ -555,16 +555,15 @@ changes have no effect on the `policy-bot` status.
555555
556556# ### Interactions with GitHub Reviews
557557
558- GitHub Reviews allow a user to dismiss the last review they left, causing it
559- to no longer count towards rule evaluations. When this happens
560- ` policy-bot` will use a previous, non-dismissed review, if it exists, when evaluating
561- rules.
558+ GitHub Reviews allow a user to dismiss the last review they left, causing it to
559+ no longer count towards rule evaluations. When this happens `policy-bot` will
560+ use a previous, non-dismissed review, if it exists, when evaluating rules.
562561
563- For example, if a user leaves an "approval" review and follows up with a
564- " request changes" review, `policy-bot` will use the "request changes" review when
565- evaluating rules. However, if the user then dimisses their "request changes"
566- review, `policy-bot` will instead use the initial "approval" review in evaluating
567- any rules
562+ For example, if a user leaves an "approval" review and follows up with a
563+ " request changes" review, `policy-bot` will use the "request changes" review
564+ when evaluating rules. However, if the user then dimisses their "request
565+ changes" review, `policy-bot` will instead use the initial "approval" review in
566+ evaluating any rules.
568567
569568# ### `or`, `and`, and `if` (Rule Predicates)
570569
@@ -633,7 +632,7 @@ repository `admin` permissions as organization owners are not selected.
633632
634633The `teams` mode needs the team visibility to be set to `visibile` to enable this functionality for a given team.
635634
636- # ### Automatically Requesting Reviewers Example
635+ # #### Example
637636
638637Given the following example requirement rule,
639638
@@ -655,6 +654,34 @@ set of users of in
655654Where the Pull Request Author and any non direct collaborators have been removed
656655from the set.
657656
657+ # ### Invalidating Approval on Push
658+
659+ By default, `policy-bot` does not invalidate exisitng approvals when users add
660+ new commits to a pull request. You can control this behavior for each rule in a
661+ policy using the `invalidate_on_push` option.
662+
663+ To invalidate approvals, `policy-bot` compares an estimate of the push time of
664+ each commit with the time of each approval comment or review. The push time
665+ estimate uses the time of the oldest status check, or the current time during
666+ evaluation if there are no status checks. This is guaranteed to be after the
667+ actual push time, but the delay may be arbitrarily large based on GitHub
668+ webhook delivery behavior and processing time in `policy-bot`.
669+
670+ In practice, this means that adding an approval immediately after (within a few
671+ seconds of) a push may not approve the pull request. If this happens, leave a
672+ second approval comment or review after `policy-bot` adds the "pending" status
673+ check.
674+
675+ ` policy-bot` caches push times in memory to improve performance and reduce API
676+ requests.
677+
678+ Older versions of `policy-bot` (before 1.31.0) used the `pushedDate` field in
679+ GitHub's GraphQL API to estimate commit push times. GitHub removed this field
680+ in mid-2023 because computing it was unreliable and inaccurate (see issue
681+ [#598][] for more details.)
682+
683+ [#598]: https://github.com/palantir/policy-bot/issues/598
684+
658685# # Security
659686
660687While `policy-bot` can be used to implement security controls on GitHub
0 commit comments