Status: active. Updated Feb 19, 2026, 8:40 PM
Policy ID js7f2nvbwadgsh92wdpzvgzvv981emz4
Publish/deploy jobs must depend on quality and contract gates.

Rationale:
- Deployment must not bypass validation that protects runtime correctness.

Scope:
- PR review policy for GitHub workflow changes that publish/deploy `domains/python/**` services (including reusable workflows they call).

Definitions:
- Publish/deploy job: a job that pushes artifacts/images, applies infrastructure/runtime changes, or is explicitly a release/deploy job.

Trigger:
- A PR adds or changes a publish/deploy job.

Approval checks:
1) Publish/deploy jobs declare an explicit dependency on upstream quality gate jobs (`needs`, or equivalent enforced ordering via a reusable workflow chain).
2) Required quality coverage includes test + lint + type-check (either as separate jobs or as one consolidated gate job that runs all three).
3) A contract/drift gate dependency is required when either condition is true:
   - the PR changes contract/schema surfaces (`**/openapi*`, `**/schema/**`, `**/contracts/**`, `**/proto/**`), or
   - the publish/deploy job releases schema/client-contract artifacts.
4) Any bypass path is explicitly constrained (manual/emergency only) and includes a documented reason + rollback/safety plan.

Evidence:
- Workflow diff shows dependency edges and gate job coverage.
- Contract/drift dependency appears when trigger condition (3) applies.

Exception path:
- Allow deviation only when all of the following are true:
  1) PR description includes `Policy Exception: python-publish-gate-dependencies`.
  2) PR explains why standard gating cannot be used for this path.
  3) PR documents alternate controls and rollback plan.

Decision:
- Return NOT APPROVED when the trigger is met and gate dependencies are missing without a valid exception.
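As an added example (not part of the policy page or its tooling), the Python check below evaluates approval checks 1-3 and the exception marker against a constructed workflow job graph; the job names, the publish-job list and the gate-job names are assumptions, and `needs` edges are followed transitively so a deploy job gated through an intermediate `build` job still passes. Reusable-workflow chains are not modelled.

```python
from collections import deque

# Constructed workflow mirroring a GitHub Actions job graph (job names are assumptions):
# `deploy` pushes an image and is gated transitively through `build`; `publish-schema`
# releases a contract artifact but is not wired to the drift gate.
WORKFLOW = {"jobs": {
    "test": {}, "lint": {}, "typecheck": {},
    "contract-drift": {"needs": "test"},              # `needs` may be a string or a list
    "build": {"needs": ["test", "lint", "typecheck"]},
    "deploy": {"needs": ["build"]},
    "publish-schema": {"needs": ["build"]},
}}
# Publish/deploy jobs under review -> does the job release schema/client-contract artifacts?
PUBLISH_JOBS = {"deploy": False, "publish-schema": True}
QUALITY_GATES = {"test", "lint", "typecheck"}
CONTRACT_GATE = "contract-drift"
EXCEPTION_MARKER = "Policy Exception: python-publish-gate-dependencies"

def needs_of(job):
    deps = job.get("needs", [])
    return [deps] if isinstance(deps, str) else list(deps)

def upstream(jobs, name):
    """Every job reachable from `name` through `needs` edges (transitive closure)."""
    seen, queue = set(), deque([name])
    while queue:
        for dep in needs_of(jobs.get(queue.popleft(), {})):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def check_publish_gates(workflow, publish_jobs, contract_paths_changed=False):
    """Checks 1-3: map each publish/deploy job to its missing gates; empty dict = compliant."""
    jobs, findings = workflow["jobs"], {}
    for job, releases_contracts in publish_jobs.items():
        deps = upstream(jobs, job)
        missing = sorted(QUALITY_GATES - deps)   # checks 1 + 2: test, lint, type-check upstream
        if (contract_paths_changed or releases_contracts) and CONTRACT_GATE not in deps:
            missing.append(CONTRACT_GATE)        # check 3: contract/drift gate required
        if missing:
            findings[job] = missing
    return findings

def decide(findings, pr_description):
    """NOT APPROVED when gates are missing and the PR carries no exception marker
    (exception conditions 2 and 3 still need a human reviewer)."""
    if not findings or EXCEPTION_MARKER in pr_description:
        return "APPROVED"
    return "NOT APPROVED"
```

Passing `contract_paths_changed=True` models a PR that touches the contract/schema globs, which makes the drift gate mandatory for every publish/deploy job, not only those releasing contract artifacts.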