## Summary

Same root cause as #1198 (`unmanaged_files` not layered through `extends: org`). The `dependencies.require` field is also dropped when a repo `apm-policy.yml` declares `extends: org` and the org floor declares `dependencies.require`.

## Repro

Org floor (e.g. `org/.github/apm-policy.yml`):

```yaml
version: 1
dependencies:
  require:
    - secure-baseline
```

Repo override (e.g. `some-app/apm-policy.yml`):

```yaml
version: 1
extends: org
# (does NOT redeclare dependencies.require)
```

Run `apm audit --ci --policy ./apm-policy.yml` in the repo with `secure-baseline` removed from `apm.yml`. Expected: `required-packages` check fails with `secure-baseline missing from manifest`. Actual: check passes with `No required packages configured` — the org's required list never made it into the layered policy.

## Workaround (proven)

Redeclare in the repo override:

```yaml
version: 1
extends: org
dependencies:
  require:
    - secure-baseline # workaround: extends: org doesn't layer this
```

## Why this matters

Defeats the "required floor" governance pattern that the policy reference (https://microsoft.github.io/apm/enterprise/policy-reference/) is documented to support. Org wants to mandate `secure-baseline` everywhere; `extends: org` is the documented mechanism; today it silently downgrades the floor.

## Likely fix location

Same place as #1198 — the inheritance-merge code path that handles `extends:`. Looks like an additive/union merge is missing for `dependencies.require` (and possibly `dependencies.deny`, untested).

## Context

Discovered while wiring a 5-beat enterprise demo. Repro is reproducible end-to-end on a public org. Same workaround as #1198 unblocks; would prefer a fix so policy authors don't have to remember to redeclare two separate fields per override file.
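To make the repro and the suspected merge bug concrete, here is a constructed model of the `extends: org` layering step (added example, not apm's code): `layer_replace` reproduces the reported behaviour, `layer_union` is the additive merge the "Likely fix location" section suggests, and `required_packages_check` mirrors the `required-packages` outcome. The policy dicts stand in for the parsed YAML above, and `ADDITIVE_LIST_FIELDS` is a hypothetical list of the governance fields that should union across layers.

```python
from copy import deepcopy

# Constructed: the org floor (org/.github/apm-policy.yml) after YAML parsing.
ORG_FLOOR = {"version": 1, "dependencies": {"require": ["secure-baseline"]}}
# Constructed: repo override that extends org without redeclaring require.
REPO_OVERRIDE = {"version": 1, "extends": "org"}
# Constructed: a repo apm.yml with secure-baseline removed.
REPO_MANIFEST = {"dependencies": ["some-other-package"]}

# Hypothetical: list-valued policy fields that must be unioned, never replaced.
ADDITIVE_LIST_FIELDS = (("dependencies", "require"), ("dependencies", "deny"),
                        ("unmanaged_files",))

def _get_list(policy, path):
    """Read a nested list field, returning [] when any part of the path is absent."""
    node = policy
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return list(node) if isinstance(node, list) else []

def layer_replace(floor, override):
    """Behaviour described in the issue: the override wins wholesale, so any
    list field it omits (here dependencies.require) silently disappears."""
    merged = deepcopy(override)
    merged.pop("extends", None)
    return merged

def layer_union(floor, override):
    """Additive merge: start from the floor, apply override keys, then union the
    governance lists so the org floor cannot be downgraded by omission."""
    merged = deepcopy(floor)
    for key, value in override.items():
        if key != "extends":
            merged[key] = deepcopy(value)
    for path in ADDITIVE_LIST_FIELDS:
        combined = list(dict.fromkeys(_get_list(floor, path) + _get_list(override, path)))
        if combined:
            node = merged
            for key in path[:-1]:
                node = node.setdefault(key, {})
            node[path[-1]] = combined
    return merged

def required_packages_check(policy, manifest):
    """Return findings for the required-packages check; an empty list means it passes."""
    required = _get_list(policy, ("dependencies", "require"))
    if not required:
        return []  # what apm reports as "No required packages configured"
    present = set(manifest.get("dependencies", []))
    return [f"{pkg} missing from manifest" for pkg in required if pkg not in present]
```

With the replace-style merge the check passes on the stripped manifest; with the union merge it fails with `secure-baseline missing from manifest`, which is the expected outcome from the repro.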