implement apply_requirements flag (#2133)

* implement apply_requirements flag

* Update libs/digger_config/digger_config.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* add tests

* add apply requirement checks

* return nil

* support skippable merge check for cli too

* documentation

* reformat code

* Update docs/ce/howto/apply-requirements.mdx

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update docs/ce/howto/apply-requirements.mdx

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update docs/ce/howto/apply-requirements.mdx

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update docs/ce/howto/apply-requirements.mdx

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update libs/apply_requirements/apply_requirements.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update libs/apply_requirements/apply_requirements.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update libs/orchestrator/mock.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update libs/orchestrator/mock.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update libs/apply_requirements/apply_requirements.go

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

Author: motatoes

backend/controllers/github_comment.go

@@ -9,6 +9,7 @@ import (
 	"github.com/diggerhq/digger/backend/models"
 	"github.com/diggerhq/digger/backend/segment"
 	"github.com/diggerhq/digger/backend/utils"
+	"github.com/diggerhq/digger/libs/apply_requirements"
 	"github.com/diggerhq/digger/libs/ci/generic"
 	github2 "github.com/diggerhq/digger/libs/ci/github"
 	"github.com/diggerhq/digger/libs/comment_utils/reporting"
@@ -124,7 +125,7 @@ func handleIssueCommentEvent(gh utils.GithubClientProvider, payload *github.Issu
 		"orgId", orgId,
 	)
 
-	diggerYmlStr, ghService, config, projectsGraph, branch, commitSha, changedFiles, err := getDiggerConfigForPR(gh, orgId, prLabelsStr, installationId, repoFullName, repoOwner, repoName, cloneURL, issueNumber)
+	diggerYmlStr, ghService, config, projectsGraph, prSourceBranch, commitSha, changedFiles, err := getDiggerConfigForPR(gh, orgId, prLabelsStr, installationId, repoFullName, repoOwner, repoName, cloneURL, issueNumber)
 	if err != nil {
 		slog.Error("Error getting Digger config for PR",
 			"issueNumber", issueNumber,
@@ -150,7 +151,7 @@ func handleIssueCommentEvent(gh utils.GithubClientProvider, payload *github.Issu
 			"repoFullName", repoFullName,
 		)
 
-		err = GenerateTerraformFromCode(payload, commentReporterManager, config, defaultBranch, ghService, repoOwner, repoName, commitSha, issueNumber, branch)
+		err = GenerateTerraformFromCode(payload, commentReporterManager, config, defaultBranch, ghService, repoOwner, repoName, commitSha, issueNumber, prSourceBranch)
 		if err != nil {
 			slog.Error("Terraform generation failed",
 				"issueNumber", issueNumber,
@@ -373,6 +374,15 @@ func handleIssueCommentEvent(gh utils.GithubClientProvider, payload *github.Issu
 		return nil
 	}
 
+	// Check for apply requirements
+	if *diggerCommand == scheduler.DiggerCommandApply {
+		err = apply_requirements.CheckApplyRequirements(ghService, impactedProjectsForComment, issueNumber, *prSourceBranch, targetBranch)
+		if err != nil {
+			commentReporterManager.UpdateComment(fmt.Sprintf(":x: Could not proceed with apply since apply requirements checks have failed: %v", err))
+			return nil
+		}
+	}
+
 	err = utils.ReportInitialJobsStatus(commentReporter, jobs)
 	if err != nil {
 		slog.Error("Failed to comment initial status for jobs",
@@ -460,7 +470,7 @@ func handleIssueCommentEvent(gh utils.GithubClientProvider, payload *github.Issu
 		impactedProjectsMap,
 		projectsGraph,
 		installationId,
-		*branch,
+		*prSourceBranch,
 		issueNumber,
 		repoOwner,
 		repoName,

cli/pkg/digger/digger_test.go

@@ -145,6 +145,11 @@ func (m *MockPRManager) IsClosed(prNumber int) (bool, error) {
 	return false, nil
 }
 
+// TODO implement me
+func (m *MockPRManager) IsDivergedFromBranch(sourceBranch string, targetBranch string) (bool, error) {
+	return false, nil
+}
+
 func (m *MockPRManager) GetComments(prNumber int) ([]ci.Comment, error) {
 	m.Commands = append(m.Commands, RunInfo{"GetComments", strconv.Itoa(prNumber), time.Now()})
 	return []ci.Comment{}, nil

docs/ce/howto/apply-requirements.mdx

@@ -2,83 +2,103 @@
 title: "Apply Requirements"
 ---
 
-Digger currently does not support `apply_requirements` (like in Atlantis). Coming soon - ([#1252](https://github.com/diggerhq/digger/issues/1252))
+Digger supports apply_requirements on the project level to enforce certain conditions are met before an apply action occurs.
 
-## Workaround
+The following apply conditions are supported:
 
-You can use mergeability requirements together with Status Checks to achieve the same.
-Digger will not apply if the pull request is not in a “mergeable” state as specified by GitHub api. This means that if you have a separate status check and you have this check as “required” by branch protection rules then an attempt of digger apply will not go ahead.
+```
+projects:
+   - name: dev
+     dir: dev
+     apply_requirements: []
+  - name: prod
+    dir: prod
+    apply_requirements: [mergeable, undiverged, approved]
+```
+
+Digger supports *mergeable*, *undiverged* and *approved* conditions. The default value for apply_requirements is [mergeable] if not set.
+Here is an explanation of each:
+
+## Mergeable
+
+The mergeable requirement will prevent applies unless a pull request is able to be merged.
+In GitHub, if you're not using Protected Branches then all pull requests are mergeable unless there is a conflict.
 
-Note: there is a [known issue](https://github.com/diggerhq/digger/issues/1180) that would
- cause the "mergability" check to conflict if you set the digger/apply check as required on github. We are working on a fix and in the meantime you have an option to turn off the mergability check if you want to have this digger/apply check as required. You can turn it off in the workflow configuration
-  by setting the `skip_merge_check` flag as follows (we have to set the other configurations since they are currently required):
+<Note>
+    There is a [known issue](https://github.com/diggerhq/digger/issues/1180) that would
+    cause the "mergability" check to conflict if you set the digger/apply check as required on github. We are working on a fix and in the meantime you have an option to turn off the mergability check if you want to have this digger/apply check as required. You can turn it off in the workflow configuration
+    by setting the `skip_merge_check` flag as follows (we have to set the other configurations since they are currently required):
+
+</Note>
+
+### Usage
+
+You can enable the mergeable requirement on the project level:
 
 ```
 projects:
-- name: dev
-  dir: dev
-  workflow: mydev
+   - name: dev
+     dir: dev
+     apply_requirements: [mergeable]
+```
 
-workflows:
-  mydev:
-    workflow_configuration:
-      on_pull_request_pushed: ["digger plan"]
-      on_pull_request_closed: ["digger unlock"]
-      on_commit_to_default: ["digger unlock"]
-      skip_merge_check: true
+Note that it is set by default so it would be enforced even if you don't specify it.
+
+## Approved
+The approved requirement will prevent applies unless the pull request is approved by at least one person other than the author.
+
+### Usage
+
+You can enable the approved requirement on the project level:
+
+```
+projects:
+   - name: dev
+     dir: dev
+     apply_requirements: [approved]
 ```
 
-## Requiring undiverged branches in PRs
+## Undiverged
 
 While PR locks prevent you from PRs stepping on eachother in parallel, they still do not protect you from a stale branch
-that is behind the current main head. In order to safeguard against this you have a few options:
+that is behind the current main head. The undiverged requirement helps enforce this by preventing applies if there are any changes on the base branch
+since the PR was opened. It can be resolved by merging main into the PR branch or rebasing the PR branch on top of main. In the case of github this is done by querying the comparecommits api on github side.
 
-Force your repo to always have rebased branches from main. In github this is done by adding the branch protection rule:
+### Usage
 
-Under settings > branch protection rules >  Require branches to be up to date before merging → check this
+You can enable the undiverged requirement on the project level:
 
-Since digger will always query github api for mergability status, this protects you from any stale apply from PRs being performed.
+```
+projects:
+   - name: dev
+     dir: dev
+     apply_requirements: [undiverged]
+```
 
-![](/images/howto/force-refactor-into-main.png)
+## Skipping mergeability check
 
-Understandably this may not be feasible to mark especially for monorepos that mix code and terraform. In such cases you can achieve a similar effect by using a custom workflow like below (digger.yml):
+The default behaviour of digger is to perform a mergeability check before applying a PR. In order to skip the
+mergeability check you can specify an empty list of apply requirements on the project level
 
 ```
 projects:
-- name: gcp-infra
-  dir: cloud/terraform/gcp
-  workflow: terraform-strict
+  - name: dev
+    dir: dev
+    apply_requirements: []
+
+Alternatively, you can also skip the mergeability check on the workflow level:
 
-workflows:
-  terraform-strict:
-    plan:
-      steps:
-        - run: |
-            echo "Checking if branch is up-to-date with main..."
-            git fetch --unshallow origin main || git fetch origin main
-            git fetch --unshallow origin HEAD || git fetch origin HEAD
-            if ! git merge-base --is-ancestor origin/main HEAD; then
-              echo "❌ Branch is not up-to-date with main. Please rebase or merge main into your branch."
-              echo "Run: git fetch origin && git rebase origin/main"
-              exit 1
-            fi
-            echo "✅ Branch is up-to-date with main"
-        - init
-        - plan
-    apply:
-      steps:
-        - run: |
-            echo "Checking if branch is up-to-date with main..."
-            git fetch --unshallow origin main || git fetch origin main
-            git fetch --unshallow origin HEAD || git fetch origin HEAD
-            if ! git merge-base --is-ancestor origin/main HEAD; then
-              echo "❌ Branch is not up-to-date with main. Please rebase or merge main into your branch."
-              echo "Run: git fetch origin && git rebase origin/main"
-              exit 1
-            fi
-            echo "✅ Branch is up-to-date with main"
-        - init
-        - apply
 ```
+projects:
+- name: dev
+  dir: dev
+  workflow: mydev
 
-We plan to eventually support this natively as a flag in digger
+workflows:
+  mydev:
+    workflow_configuration:
+      on_pull_request_pushed: ["digger plan"]
+      on_pull_request_closed: ["digger unlock"]
+      on_commit_to_default: ["digger unlock"]
+      skip_merge_check: true
+```

docs/ce/reference/digger.yml.mdx

@@ -26,6 +26,7 @@ pr_locks: true
 projects:
   - name: prod
     dir: prod
+    apply_requirements: [approved, mergeable, undiverged]
     branch: main
     workspace: default
     terragrunt: false
@@ -119,6 +120,7 @@ workflows:
 | name                     | string                                               |        | yes      | name of the project                                                | must be unique                                                                                             |
 | branch                   | string                                               |        | yes      | the target branch to match this project on                         | This field is optional and defaults to the repository's default branch when not set                        |
 | dir                      | string                                               |        | yes      | directory containing the project                                   |                                                                                                            |
+| apply_requirements       | []string                                             | [mergeable]       | no      | list of requirements to be met before merged                                   |  see [apply requirements](/ce/howto/apply-requirements) for details                  |
 | workspace                | string                                               | default | no       | terraform workspace to use                                         |                                                                                                           |
 | opentofu                 | boolean                                              | false   | no       | whether to use opentofu                                            |                                                                                                           |
 | terragrunt               | boolean                                              | false   | no       | whether to use terragrunt                                          |                                                                                                           |

libs/apply_requirements/apply_requirements.go

@@ -0,0 +1,41 @@
+package apply_requirements
+
+import (
+	"fmt"
+	"github.com/diggerhq/digger/libs/ci"
+	"github.com/diggerhq/digger/libs/digger_config"
+	"log/slog"
+)
+
+func CheckApplyRequirements(ghService ci.PullRequestService, impactedProjects []digger_config.Project, prNumber int, sourceBranch string, targetBranch string) error {
+	isMergeable, err := ghService.IsMergeable(prNumber)
+	if err != nil {
+		slog.Error("Error checking if PR is mergeable", "prNumber", prNumber)
+		return fmt.Errorf("error checking if PR is mergeable")
+	}
+	approvals, err := ghService.GetApprovals(prNumber)
+	if err != nil {
+		slog.Error("Error getting approvals", "prNumber", prNumber)
+		return fmt.Errorf("error getting approvals")
+	}
+	isApproved := len(approvals) > 0
+	isDiverged, err := ghService.IsDivergedFromBranch(sourceBranch, targetBranch)
+	if err != nil {
+		slog.Error("Error checking if PR is diverged", "prNumber", prNumber)
+		return fmt.Errorf("error checking if PR is diverged")
+	}
+	for _, proj := range impactedProjects {
+		for _, req := range proj.ApplyRequirements {
+			if req == digger_config.ApplyRequirementsApproved && isApproved == false {
+				return fmt.Errorf("PR fails apply requirements for project %v, Expected PR to be approved, a minimum of one approval is required before proceeding", proj.Name)
+			} else if req == digger_config.ApplyRequirementsUndiverged && isDiverged == true {
+				return fmt.Errorf("PR fails apply requirements for project %v, Expected PR to be undiverged from target branch. Merge main into the PR branch or rebase the PR branch on top of main", proj.Name)
+			} else if req == digger_config.ApplyRequirementsMergeable && isMergeable == false {
+				return fmt.Errorf("PR fails apply requirements for project %v, Expected PR to be mergable. Ensure all status checks are successful in order to proceed", proj.Name)
+			} else {
+				slog.Warn("unknown apply requirements found", "project", proj.Name, "requirement", req)
+			}
+		}
+	}
+	return nil
+}

libs/ci/azure/azure.go

@@ -315,6 +315,11 @@ func (a *AzureReposService) IsClosed(prNumber int) (bool, error) {
 	return *pullRequest.Status == git.PullRequestStatusValues.Abandoned, nil
 }
 
+// TODO implement me
+func (a *AzureReposService) IsDivergedFromBranch(sourceBranch string, targetBranch string) (bool, error) {
+	return false, nil
+}
+
 func (a *AzureReposService) IsMerged(prNumber int) (bool, error) {
 	pullRequest, err := a.Client.GetPullRequestById(context.Background(), git.GetPullRequestByIdArgs{
 		Project:       &a.ProjectName,

libs/ci/bitbucket/bitbucket.go

@@ -477,6 +477,11 @@ func (b BitbucketAPI) IsClosed(prNumber int) (bool, error) {
 	return pullRequest.State != "OPEN", nil
 }
 
+// TODO implement me
+func (b BitbucketAPI) IsDivergedFromBranch(sourceBranch string, targetBranch string) (bool, error) {
+	return false, nil
+}
+
 func (b BitbucketAPI) GetBranchName(prNumber int) (string, string, string, string, error) {
 	url := fmt.Sprintf("%s/repositories/%s/%s/pullrequests/%d", bitbucketBaseURL, b.RepoWorkspace, b.RepoName, prNumber)
 

libs/ci/ci.go

@@ -23,6 +23,7 @@ type PullRequestService interface {
 	IsMerged(prNumber int) (bool, error)
 	// IsClosed closed without merging
 	IsClosed(prNumber int) (bool, error)
+	IsDivergedFromBranch(sourceBranch string, targetBranch string) (bool, error)
 	GetBranchName(prNumber int) (string, string, string, string, error)
 	SetOutput(prNumber int, key string, value string) error
 }

libs/ci/generic/events.go

@@ -6,6 +6,7 @@ import (
 	"github.com/diggerhq/digger/libs/digger_config"
 	"github.com/diggerhq/digger/libs/scheduler"
 	"github.com/dominikbraun/graph"
+	"github.com/samber/lo"
 	"strings"
 )
 
@@ -146,6 +147,9 @@ func CreateJobsForProjects(projects []digger_config.Project, command string, eve
 		var skipMerge bool
 		if workflow.Configuration != nil {
 			skipMerge = workflow.Configuration.SkipMergeCheck
+		} else if !lo.Contains(project.ApplyRequirements, digger_config.ApplyRequirementsMergeable) {
+			// if mergeable isn't present in apply requirements we also skip merge check for it
+			skipMerge = true
 		} else {
 			skipMerge = false
 		}

libs/ci/github/github.go

@@ -415,6 +415,25 @@ func (svc GithubService) IsMerged(prNumber int) (bool, error) {
 	return *pr.Merged, nil
 }
 
+// IsDivergedFromBranch checks whether sourceBranch has diverged from targetBranch.
+// Diverged = both ahead and behind.
+func (svc GithubService) IsDivergedFromBranch(sourceBranch string, targetBranch string) (bool, error) {
+	ctx := context.Background()
+
+	// Compare the commits between the two branches
+	comp, _, err := svc.Client.Repositories.CompareCommits(ctx, svc.Owner, svc.RepoName, targetBranch, sourceBranch, nil)
+	if err != nil {
+		return false, fmt.Errorf("failed to compare %s..%s: %w", targetBranch, sourceBranch, err)
+	}
+
+	// Diverged means both sides have unique commits
+	if comp.GetAheadBy() > 0 && comp.GetBehindBy() > 0 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func (svc GithubService) IsClosed(prNumber int) (bool, error) {
 	pr, _, err := svc.Client.PullRequests.Get(context.Background(), svc.Owner, svc.RepoName, prNumber)
 	if err != nil {