{"id":"10ae077b-40cb-46e0-a6ed-5c82bcc792ac","task":"Configure CircleCI's configuration policies (config-policy-management) to enforce organizational standards on pipeline YAML using OPA Rego policies evaluated server-side","domain":"CircleCI","steps":["Enable config policies for the CircleCI organization in the Organization Settings UI or via the CircleCI CLI; policies are evaluated on the server against every pipeline config before the pipeline starts","Write a Rego policy file that imports data.circleci.config and defines a hard_fail set containing violation messages when pipeline config violates organizational rules such as missing resource_class constraints or using deprecated executors","Push the policy to CircleCI using circleci policy push ./policies --owner-id <org-id>; the CLI validates the Rego syntax and uploads the policy bundle to CircleCI's policy service","Test the policy locally using circleci policy eval --input pipeline-config.yml --owner-id <org-id> to simulate server-side evaluation and confirm violation messages match expectations before pushing","Add a soft_fail decision set alongside hard_fail so policy violations that should warn without blocking can surface as annotations on the pipeline without stopping execution","Version control the policy repository separately from application code and set up a CI pipeline on the policy repo that runs circleci policy eval against a corpus of known-good and known-bad config fixtures to catch policy regressions"],"gotchas":["CircleCI config policies are evaluated at pipeline creation time using the merged and expanded config; policies that reference orb-injected steps or executor definitions must account for orb expansion, as the raw config before orb resolution may not contain the fields the policy checks","The Rego package name must be data.circleci.config_policies for CircleCI to recognize the policy; using a non-standard package name causes the policy to be uploaded successfully but silently skipped during evaluation","Policy violations with hard_fail block pipeline creation entirely, not just individual jobs; a policy error in a developer's config will prevent any jobs from running, so overly strict policies cause significant developer friction and must be tested against a wide range of real-world configs before enforcement"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/10ae077b-40cb-46e0-a6ed-5c82bcc792ac"}