Enforce git email policy in rush change and cover with regression tests

[Copilot]

@microsoft/rush-lib enforced gitPolicy.allowedEmailRegExps during rush install, but not during rush change. That allowed changefile/changelog flow to proceed with disallowed personal emails despite repository policy.

• Root cause

  • ChangeAction.runAsync() did not invoke PolicyValidator.validatePolicyAsync(), so git email policy checks were skipped in all rush change modes.

• Behavior change

  • rush change now runs policy validation up front, aligning enforcement with rush install.
  • Validation is wired with allowShrinkwrapUpdates: true so rush change checks git/environment policy without introducing shrinkwrap-policy coupling.

• Regression coverage

  • Added focused unit tests for ChangeAction to assert:
    • policy validation is invoked before --verify processing
    • command flow aborts early when policy validation fails
  • Added a minimal test fixture repo with gitPolicy.allowedEmailRegExps configured to represent the constrained-email scenario.

// libraries/rush-lib/src/cli/actions/ChangeAction.ts
await PolicyValidator.validatePolicyAsync(
  this.rushConfiguration,
  this.rushConfiguration.defaultSubspace,
  undefined,
  {
    allowShrinkwrapUpdates: true
  }
);

Original prompt

Investigate and fix an issue in microsoft/rushstack affecting the @microsoft/rush-lib project: changelogs in pull requests against this repository are showing personal email addresses that do not match the repository's git email policy.

Expected behavior:

• Git email policy validation should run during rush install.
• Git email policy validation should also run during rush change.
• The validation should prevent or catch generation/acceptance of changelog entries that include disallowed personal email addresses when the repo policy requires a different email pattern.

Tasks:

1. Inspect the current implementation of git email policy validation in @microsoft/rush-lib and determine why it is not being enforced for the affected PR/changelog flow.
2. Identify where rush install and rush change should invoke this validation, and whether one or both code paths are currently skipping it.
3. Implement a fix so the policy is enforced in both commands.
4. Add or update automated tests covering the regression, especially cases where a personal email appears in changelog-related output or metadata and should be rejected according to repo policy.
5. Ensure the fix is scoped appropriately to @microsoft/rush-lib and does not break valid repository configurations.
6. Open a pull request with the changes.

Please include a concise explanation in the PR description of the root cause and how the fix addresses it.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: It looks like there might be an issue with the git email policy validation. I'm seeing changelogs with personal emails, not matching the email policy in this repo, in PRs against this repo. It should run during rush install and rush change at least. Can you investigate and fix the issue?

Assistant: Please confirm the repository: do you want me to open a pull request against microsoft/rushstack to investigate and fix the git email policy validation so it runs during rush install and rush change?Please confirm the repository: do you want me to open a pull request against microsoft/rushstack to investigate and fix the git email policy validation so it runs during rush install and rush change?

User: Yes. The problem is in the @microsoft/rush-lib project.

Assistant: I’m waiting for your approval of the pull request task so I can continue investigating and fixing it in microsoft/rushstack.

This pull request was created from Copilot chat.