Ensure all resources are returned for relation check when caveats are specified #2027
Conversation
github-actions
bot
added
area/tooling
| // found, as we need to ensure that all caveats are used for building the final expression. | ||
| resultsSetting := crc.resultsSetting | ||
| if hasCaveats { | ||
| resultsSetting = v1.DispatchCheckRequest_REQUIRE_ALL_RESULTS |
There was a problem hiding this comment.
Understanding check:
The issue is that we were short-circuiting when we found a single relation which matched the check but whose caveat was false and calling it false.
This fix says that when we have a caveat, we must find all relations that match the check so that we can evaluate the caveats on all of them and then OR them together so that we can decide whether the overall check was true.
The more efficient fix would be to continue evaluating relationships that match the check until we find one that also matches the caveat or we exhaust the set.
There was a problem hiding this comment.
Ah I'm reading slack and realizing that my "more efficient fix" isn't how it would work for the caching reasons described.
There was a problem hiding this comment.
Correct. We cannot just eval here because we build the full caveat expression and then evaluate outside of the dispatcher.
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
josephschorr
force-pushed
the
caveat-check-fix
branch
from
0e4c99e to
20855de
Compare
Fixes #2026