fix(policy): reevaluate approval status promptly (#13)

Author: denysvitali-kaiko

config/policy-bot.example.yml

@@ -156,6 +156,11 @@ sessions:
 #   # environment variable.
 #   pending_as_failure: false
 #
+#   # How long to coalesce rapid status/check/workflow events for the same PR
+#   # before running the trailing evaluation. Can also be set by the
+#   # POLICYBOT_OPTIONS_STATUS_DEBOUNCE_WINDOW environment variable.
+#   status_debounce_window: 5s
+#
 #   # Default options to use for all appoval rules processed by the server.
 #   # Policies can override these values with their own defaults or in individual
 #   # rules. This is equivalent to the "approval_defaults" option in a policy and

policy/approval/approve.go

@@ -43,14 +43,18 @@ type Requires struct {
 	Conditions predicate.Predicates `yaml:"conditions,omitempty"`
 }
 
+func (r Requires) needsApprovalCandidates() bool {
+	return r.Count > 0 || r.Actors.Codeowners
+}
+
 type Defaults struct {
 	Options *Options `yaml:"options,omitempty"`
 }
 
 func (r *Rule) Trigger() common.Trigger {
 	t := common.TriggerCommit
 
-	if r.Requires.Count > 0 {
+	if r.Requires.needsApprovalCandidates() {
 		m := r.Options.GetMethods()
 		if len(m.GetComments()) > 0 || len(m.GetCommentPatterns()) > 0 {
 			t |= common.TriggerComment
@@ -213,7 +217,7 @@ func (r *Rule) IsApproved(ctx context.Context, prctx pull.Context, candidates []
 func (r *Rule) isApprovedByActors(ctx context.Context, prctx pull.Context, candidates []*common.Candidate) (bool, []*common.Candidate, []common.OwnershipGroupResult, error) {
 	log := zerolog.Ctx(ctx)
 
-	if r.Requires.Count <= 0 && !r.Requires.Actors.Codeowners {
+	if !r.Requires.needsApprovalCandidates() {
 		log.Debug().Msg("rule requires no approvals")
 		return true, nil, nil, nil
 	}
@@ -306,7 +310,7 @@ func (r *Rule) isApprovedByConditions(ctx context.Context, prctx pull.Context) (
 // FilteredCandidates returns the potential approval candidates and any
 // candidates that should be dimissed due to rule options.
 func (r *Rule) FilteredCandidates(ctx context.Context, prctx pull.Context) ([]*common.Candidate, []*common.Dismissal, error) {
-	if r.Requires.Count <= 0 && !r.Requires.Actors.Codeowners {
+	if !r.Requires.needsApprovalCandidates() {
 		return nil, nil, nil
 	}
 

policy/approval/approve_test.go

@@ -874,6 +874,20 @@ func TestTrigger(t *testing.T) {
 		assert.True(t, r.Trigger().Matches(common.TriggerReview), "expected %s to match %s", r.Trigger(), common.TriggerReview)
 	})
 
+	t.Run("triggerReviewForCodeownersWithoutCount", func(t *testing.T) {
+		r := &Rule{
+			Options: Options{
+				Defaults: &defaultOptions,
+			},
+			Requires: Requires{
+				Actors: common.Actors{Codeowners: true},
+			},
+		}
+
+		assert.True(t, r.Trigger().Matches(common.TriggerCommit), "expected %s to match %s", r.Trigger(), common.TriggerCommit)
+		assert.True(t, r.Trigger().Matches(common.TriggerReview), "expected %s to match %s", r.Trigger(), common.TriggerReview)
+	})
+
 	t.Run("triggerReviewForGithubReviewCommentPatterns", func(t *testing.T) {
 		r := &Rule{
 			Options: Options{
@@ -928,6 +942,40 @@ func TestTrigger(t *testing.T) {
 	})
 }
 
+func TestRequiresNeedsApprovalCandidates(t *testing.T) {
+	tests := map[string]struct {
+		requires Requires
+		expected bool
+	}{
+		"no approval requirements": {
+			requires: Requires{},
+			expected: false,
+		},
+		"explicit approval count": {
+			requires: Requires{Count: 1},
+			expected: true,
+		},
+		"codeowners without count": {
+			requires: Requires{Actors: common.Actors{Codeowners: true}},
+			expected: true,
+		},
+		"conditions only": {
+			requires: Requires{
+				Conditions: predicate.Predicates{
+					HasStatus: predicate.NewHasStatus([]string{"ci/test"}, nil),
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(t, test.expected, test.requires.needsApprovalCandidates())
+		})
+	}
+}
+
 func TestIsPendingOnConditionsOnly(t *testing.T) {
 	tests := map[string]struct {
 		rule     Rule

server/config_test.go

@@ -0,0 +1,44 @@
+// Copyright 2026 Palantir Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"testing"
+	"time"
+
+	"github.com/palantir/policy-bot/server/handler"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseConfigStatusDebounceWindow(t *testing.T) {
+	t.Setenv("POLICYBOT_ENV_PREFIX", "TEST_POLICYBOT_")
+
+	cfg, err := ParseConfig([]byte(`options:
+  status_debounce_window: 3s
+`))
+	require.NoError(t, err)
+
+	assert.Equal(t, 3*time.Second, cfg.Options.StatusDebounceWindow)
+}
+
+func TestParseConfigStatusDebounceWindowDefault(t *testing.T) {
+	t.Setenv("POLICYBOT_ENV_PREFIX", "TEST_POLICYBOT_")
+
+	cfg, err := ParseConfig([]byte(`options: {}`))
+	require.NoError(t, err)
+
+	assert.Equal(t, handler.DefaultDebounceWindow, cfg.Options.StatusDebounceWindow)
+}

server/handler/base.go

@@ -106,6 +106,14 @@ func (b *Base) PreparePRContext(ctx context.Context, installationID int64, pr *g
 }
 
 func (b *Base) NewEvalContext(ctx context.Context, installationID int64, loc pull.Locator) (*EvalContext, error) {
+	return b.newEvalContext(ctx, installationID, loc, nil)
+}
+
+func (b *Base) newEvalContextWithConfig(ctx context.Context, installationID int64, loc pull.Locator, fetchedConfig FetchedConfig) (*EvalContext, error) {
+	return b.newEvalContext(ctx, installationID, loc, &fetchedConfig)
+}
+
+func (b *Base) newEvalContext(ctx context.Context, installationID int64, loc pull.Locator, fetchedConfig *FetchedConfig) (*EvalContext, error) {
 	client, err := b.NewInstallationClient(installationID)
 	if err != nil {
 		return nil, err
@@ -122,17 +130,13 @@ func (b *Base) NewEvalContext(ctx context.Context, installationID int64, loc pul
 		return nil, err
 	}
 
-	// Start background fetches for commonly needed data
-	// This overlaps API calls with the config fetch below
-	if ghctx, ok := prctx.(*pull.GitHubContext); ok {
-		ghctx.Prefetch()
-	}
-
 	baseBranch, _ := prctx.Branches()
 	owner := prctx.RepositoryOwner()
 	repository := prctx.RepositoryName()
 
-	fetchedConfig := b.ConfigFetcher.ConfigForRepositoryBranch(ctx, client, owner, repository, baseBranch)
+	if fetchedConfig == nil {
+		fetchedConfig = github.Ptr(b.ConfigFetcher.ConfigForRepositoryBranch(ctx, client, owner, repository, baseBranch))
+	}
 
 	return &EvalContext{
 		Client:   client,
@@ -142,7 +146,7 @@ func (b *Base) NewEvalContext(ctx context.Context, installationID int64, loc pul
 		PublicURL: b.BaseConfig.PublicURL,
 
 		PullContext: prctx,
-		Config:      fetchedConfig,
+		Config:      *fetchedConfig,
 	}, nil
 }