From 814a763686d21ff2f861b9062c5f94266bb5e965 Mon Sep 17 00:00:00 2001 From: Jorge Carrasco Date: Wed, 4 Mar 2026 17:32:45 +0100 Subject: [PATCH 1/6] feat(INFRA-3357): add policy-bot governance policy (#81) Cherry-pick auto-approval for release branches + standard human review fallback. --- policy.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 policy.yml diff --git a/policy.yml b/policy.yml new file mode 100644 index 0000000..568e7b2 --- /dev/null +++ b/policy.yml @@ -0,0 +1,32 @@ +# Shared policy-bot configuration for MetaMask org. +# Applied to all repos where the GitHub App is installed +# and no local .policy.yml exists. +# +# Docs: https://github.com/palantir/policy-bot#approval-rules + +policy: + approval: + - or: + - "cherry-pick auto-approval" + - "standard human review" + +approval_rules: + - name: "cherry-pick auto-approval" + description: "Auto-approve cherry-pick PRs to release branches that meet all criteria" + if: + title: + matches: + - "(?i)cherry.?pick" + targets_branch: + pattern: "^release/.*$" + modified_lines: + total: "< 200" + requires: + count: 0 + + - name: "standard human review" + description: "Default team-based review for all other PRs" + requires: + count: 1 + teams: + - "MetaMask/release-team" From 9d24585c9d77719ea0a10d94e26bc3c2ae383365 Mon Sep 17 00:00:00 2001 From: Jorge Carrasco Date: Thu, 5 Mar 2026 10:29:30 +0100 Subject: [PATCH 2/6] fix: remove standard human review rule from policy-bot config (#82) The "standard human review" rule had no `if` conditions, causing policy-bot to post a `pending` status on every PR across all installed repos. Removing it so only cherry-pick PRs targeting release/* branches are evaluated; all other PRs will get a "skipped" status. Co-authored-by: Claude Opus 4.6 --- policy.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/policy.yml b/policy.yml index 568e7b2..fdd09e1 100644 --- a/policy.yml +++ b/policy.yml 
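Review bot: The `cherry-pick auto-approval` rule is satisfiable by anyone who can open a pull request, because every predicate it checks — the title regex, the target branch and the `< 200` line count — is set by the PR author, and `count: 0` makes the rule short-circuit the `or` so no human ever sees the change (the author check that #85 adds later in this series narrows who, not what). The title match is also unanchored, so any title containing "cherry pick" qualifies; anchor it, e.g. `- "(?i)^cherry.?pick"`, and gate on something the author cannot set, such as `has_successful_status` for the release CI check or `from_branch` for the branch naming the release tooling uses (both are policy-bot predicates; confirm the installed version supports them). A 200-line cap bounds review effort, not risk — a one-line change to a release branch can still be harmful — so the description should say that this rule trades review for speed and is only safe if branch protection on `release/*` still requires the normal CI checks.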
@@ -8,7 +8,6 @@ policy: approval: - or: - "cherry-pick auto-approval" - - "standard human review" approval_rules: - name: "cherry-pick auto-approval" @@ -23,10 +22,3 @@ approval_rules: total: "< 200" requires: count: 0 - - - name: "standard human review" - description: "Default team-based review for all other PRs" - requires: - count: 1 - teams: - - "MetaMask/release-team" From 91c2bf67fe9824ceac143c3614c957313ba88387 Mon Sep 17 00:00:00 2001 From: Jorge Carrasco Date: Thu, 5 Mar 2026 10:52:42 +0100 Subject: [PATCH 3/6] fix: add fallback rule so non-matching PRs get approved status (#83) When all rules have `if` conditions and none match, policy-bot posts an error status ("All rules were skipped"). Adding a fallback rule with no `if` and count:0 ensures non-matching PRs get a clean "approved" status while cherry-pick PRs on release/* branches continue to be evaluated by the targeted rule. Co-authored-by: Claude Opus 4.6 --- policy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy.yml b/policy.yml index fdd09e1..176c239 100644 --- a/policy.yml +++ b/policy.yml @@ -8,6 +8,7 @@ policy: approval: - or: - "cherry-pick auto-approval" + - "no approval necessary" approval_rules: - name: "cherry-pick auto-approval" @@ -22,3 +23,8 @@ approval_rules: total: "< 200" requires: count: 0 + + - name: "no approval necessary" + description: "Fallback rule — matches all PRs so policy-bot reports a clean status instead of an error" + requires: + count: 0 From bbe49d0a7e33430469e137ce9f28dcee804904b2 Mon Sep 17 00:00:00 2001 
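Review bot: Removing `standard human review` leaves `release/*` PRs that do not meet the cherry-pick criteria with no rule at all, so whether they are still gated depends entirely on branch protection treating a non-success policy-bot status as blocking, and that assumption is written nowhere in the file. The commit message says such PRs get a `skipped` status while the next commit (#83) reports an error status instead, so the real behaviour should be confirmed against the deployed policy-bot before anything relies on it. I would add above `approval_rules:` a comment such as `# PRs that match no rule are NOT approved; release/* relies on the policy-bot status being a required check in branch protection`.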
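Review bot: The new `no approval necessary` rule has no `if` block and `count: 0`, so inside the `or` it approves every PR in every repo this shared config applies to — including a PR to `release/*` that fails the cherry-pick criteria because it is too large or mistitled, which is exactly the case the first rule was meant to exclude. This fails open: the cherry-pick rule's conditions no longer have any effect on the outcome. The fallback needs an `if` that cannot match a branch the targeted rule covers (the following commit, #84, scopes it with a `targets_branch` negation), and its description should name which PRs it may approve rather than "matches all PRs".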
From: Jorge Carrasco Date: Thu, 5 Mar 2026 11:32:32 +0100 Subject: [PATCH 4/6] fix: gate release branch PRs with team review, scope fallback to non-release (#84) Replace the blanket "no approval necessary" fallback with two scoped rules: - "release branch review": requires release-team approval for all PRs targeting release/* branches that don't match cherry-pick criteria - "non-release fallback": auto-approves PRs targeting non-release branches using RE2-compatible negation regex This ensures PRs with wrong titles or large diffs on release branches get PENDING status instead of being silently approved. Co-authored-by: Claude Opus 4.6 --- policy.yml | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/policy.yml b/policy.yml index 176c239..9ee43ee 100644 --- a/policy.yml +++ b/policy.yml @@ -8,7 +8,8 @@ policy: approval: - or: - "cherry-pick auto-approval" - - "no approval necessary" + - "release branch review" + - "non-release fallback" approval_rules: - name: "cherry-pick auto-approval" @@ -24,7 +25,22 @@ approval_rules: requires: count: 0 - - name: "no approval necessary" - description: "Fallback rule — matches all PRs so policy-bot reports a clean status instead of an error" + - name: "release branch review" + description: "Require release-team review for all PRs targeting release branches" + if: + targets_branch: + pattern: "^release/.*$" + requires: + count: 1 + teams: + - "MetaMask/release-team" + + # RE2-compatible negation of "^release/.*$" (Go regexp does not support lookaheads). + # Matches any branch name that does NOT start with "release/". + - name: "non-release fallback" + description: "Auto-approve PRs targeting non-release branches so policy-bot posts a clean status" + if: + targets_branch: + pattern: "^([^r]|r[^e]|re[^l]|rel[^e]|rele[^a]|relea[^s]|releas[^e]|release[^/]).*$|^.{0,7}$" requires: count: 0 From 689a3cccda78d9e66f96b681713df5f5e7ff1f17 Mon Sep 17 00:00:00 2001 
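Review bot: The hand-built negation in `non-release fallback` and the `^release/.*$` pattern in `release branch review` are only complementary while both are edited together; any future branch naming (`release-v2/`, `stable/`, `hotfix/`) or a case variant such as `Release/1.0`, which the case-sensitive release pattern does not claim, lands in the count-0 fallback and is approved with zero reviews. Because this file is the org-wide default for repos without a local `.policy.yml`, the fallback also makes policy-bot an always-green check on every non-release branch, so it must never be the only required status check on `main`. I would state both facts in the comment above the rule, e.g. `# Keep in sync with the pattern in "release branch review": any branch this regex matches is approved with zero reviews` and `# Not a review gate on non-release branches — branch protection must require reviews separately`, and record a fixture of branch names in the PR description. Tracing the regex by hand: `release` (7 chars) and `releases` fall to the fallback, `release/` and `release/x` do not, which matches the stated intent.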
From: Jorge Carrasco Date: Thu, 5 Mar 2026 16:25:45 +0100 Subject: [PATCH 5/6] fix(INFRA-3359): restrict cherry-pick auto-approval to MetaMask org members (#85) Without an author check, any external user could open a fork PR targeting a release/* branch with "cherry-pick" in the title and fewer than 200 LOC, causing policy-bot to post a passing status check. Add `has_author_in: organizations: ["MetaMask"]` to the cherry-pick auto-approval rule so the auto-approval path is only reachable by members of the MetaMask GitHub organization. Co-authored-by: Claude Sonnet 4.6 --- policy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy.yml b/policy.yml index 9ee43ee..1233337 100644 --- a/policy.yml +++ b/policy.yml @@ -15,6 +15,9 @@ approval_rules: - name: "cherry-pick auto-approval" description: "Auto-approve cherry-pick PRs to release branches that meet all criteria" if: + has_author_in: + organizations: + - "MetaMask" title: matches: - "(?i)cherry.?pick" From 71afecafb37fabdef76516695aed749f6b6506bc Mon Sep 17 00:00:00 2001 From: Jorge Carrasco Date: Fri, 6 Mar 2026 16:11:18 +0100 Subject: [PATCH 6/6] fix(INFRA-3390): remove policy-bot governance policy (#86) Co-authored-by: Claude Opus 4.6 --- policy.yml | 49 ------------------------------------------------- 1 file changed, 49 deletions(-) delete mode 100644 policy.yml diff --git a/policy.yml b/policy.yml deleted file mode 100644 index 1233337..0000000 --- a/policy.yml +++ /dev/null 
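Review bot: `has_author_in` only checks who opened the PR, so a `release/*` cherry-pick opened by an org member can still carry commits pushed by anyone with write access to the head branch, and the policy now treats plain org membership as equivalent to a release-team review. Policy-bot has predicates of the same shape that tighten this: `has_contributor_in: organizations: ["MetaMask"]` (or `author_is_only_contributor: true`) beside the author check, and narrowing `organizations` to `teams: ["MetaMask/release-team"]` so auto-approval is limited to the people who would otherwise review. Membership is resolved through the GitHub App, which as far as I know needs organization members read permission to see private memberships — if that is missing the predicate cannot match and the rule is skipped or errors, so confirm the App's permissions in the deployment. The fork-PR scenario in the message is only a bypass if branch protection requires nothing but the policy-bot status; if native reviews are also required, it produced a green check, not a merge, and the description should say which.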
@@ -1,49 +0,0 @@ -# Shared policy-bot configuration for MetaMask org. -# Applied to all repos where the GitHub App is installed -# and no local .policy.yml exists. -# -# Docs: https://github.com/palantir/policy-bot#approval-rules - -policy: - approval: - - or: - - "cherry-pick auto-approval" - - "release branch review" - - "non-release fallback" - -approval_rules: - - name: "cherry-pick auto-approval" - description: "Auto-approve cherry-pick PRs to release branches that meet all criteria" - if: - has_author_in: - organizations: - - "MetaMask" - title: - matches: - - "(?i)cherry.?pick" - targets_branch: - pattern: "^release/.*$" - modified_lines: - total: "< 200" - requires: - count: 0 - - - name: "release branch review" - description: "Require release-team review for all PRs targeting release branches" - if: - targets_branch: - pattern: "^release/.*$" - requires: - count: 1 - teams: - - "MetaMask/release-team" - - # RE2-compatible negation of "^release/.*$" (Go regexp does not support lookaheads). - # Matches any branch name that does NOT start with "release/". - - name: "non-release fallback" - description: "Auto-approve PRs targeting non-release branches so policy-bot posts a clean status" - if: - targets_branch: - pattern: "^([^r]|r[^e]|re[^l]|rel[^e]|rele[^a]|relea[^s]|releas[^e]|release[^/]).*$|^.{0,7}$" - requires: - count: 0