Description
Please describe the enhancement
Currently, all PR rules use custom evaluators (vulncheck, trusty, homoglyphs), and the rule evaluation has side effects of adding comments to the PR, even if alert and remediate are false.
PR comments (and status checks) should be available as standard remediation or alerting flows within PRs, so that PR evaluations can also be written in Rego.
Solution Proposal
PR comments should be available as a remediate type, and Check success / failure should be available as an alert type. Since we allow both remediation and alerts (but only one of each), this best fits in our current model, and would support cases like mindersec/minder-rules-and-profiles#354.
Describe alternatives you've considered
We could support multiple remediations (as a list) such that comments and status checks could both be remediations. We would need to define semantics for "apply all" or "apply until succeeded" for chained remediations, which we don't consider today.
We could also have a single "PR feedback" type which permits both a list of comments and a list of status check outcomes in a single execution. This would have the benefit of not conflating enabling security alerts with enabling PR feedback. Avoiding this conflation could also be addressed by putting the rules with security alerts and the rules covering PR feedback in separate profiles.
Additional context
No response
Acceptance Criteria
No response
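As an added illustration, not code from the Minder project, the following Go program models the flows this proposal contrasts: a pure evaluation with no side effects (the property that lets a PR rule be written in Rego), the proposed one-alert-plus-one-remediation model with the status check as the alert and the PR comment as the remediation, each gated by its own flag, and the list-of-remediations alternative with "apply all" versus "apply until succeeded" semantics. The names pr_comment, status_check, ApplyFeedback, RunChain and the dependency-allowlist rule are assumptions made here, not Minder types or rule names.

```go
package main

import (
	"fmt"
	"strings"
)

// EvalResult is the pure outcome of evaluating a rule against a PR; evaluation has no side effects.
type EvalResult struct {
	Passed  bool
	Message string // only posted to the PR when the rule fails
}

// Recorder stands in for the PR API and records which side effects were taken.
type Recorder struct {
	Comments []string // PR comments posted
	Checks   []string // status check conclusions reported ("success"/"failure")
}

// Remediation is one side-effecting action a rule may take on a PR.
type Remediation struct {
	Name  string
	Apply func(res EvalResult, rec *Recorder) error
}

// PRComment models the proposed "pr_comment" type (hypothetical name); unavailable=true simulates a failed API call.
func PRComment(unavailable bool) Remediation {
	return Remediation{Name: "pr_comment", Apply: func(res EvalResult, rec *Recorder) error {
		if unavailable {
			return fmt.Errorf("pr_comment: comments API unavailable")
		}
		rec.Comments = append(rec.Comments, res.Message)
		return nil
	}}
}

// StatusCheck models the proposed check success/failure type (hypothetical name).
var StatusCheck = Remediation{Name: "status_check", Apply: func(res EvalResult, rec *Recorder) error {
	state := "failure"
	if res.Passed {
		state = "success"
	}
	rec.Checks = append(rec.Checks, state)
	return nil
}}

// EvaluateDependencyAllowlist is a toy rule (an assumption, not a Minder rule): fail if the PR adds a dependency outside the allowlist.
func EvaluateDependencyAllowlist(added []string, allow map[string]bool) EvalResult {
	var bad []string
	for _, d := range added {
		if !allow[d] {
			bad = append(bad, d)
		}
	}
	return EvalResult{Passed: len(bad) == 0, Message: "dependencies not on allowlist: " + strings.Join(bad, ", ")}
}

// ApplyFeedback is the proposed model: the status check is the alert and the PR comment the remediation.
func ApplyFeedback(alert, remediate bool, res EvalResult, rec *Recorder) error {
	if alert {
		if err := StatusCheck.Apply(res, rec); err != nil {
			return err
		}
	}
	if remediate && !res.Passed {
		return PRComment(false).Apply(res, rec)
	}
	return nil
}

// ChainMode selects the semantics for the "list of remediations" alternative.
type ChainMode int

const (
	ApplyAll            ChainMode = iota // run every remediation, collect failures
	ApplyUntilSucceeded                  // stop at the first remediation that succeeds
)

// RunChain applies remediations under the chosen semantics and returns the names that succeeded plus any errors.
func RunChain(mode ChainMode, rems []Remediation, res EvalResult, rec *Recorder) (applied []string, errs []error) {
	for _, r := range rems {
		if err := r.Apply(res, rec); err != nil {
			errs = append(errs, err)
			continue
		}
		applied = append(applied, r.Name)
		if mode == ApplyUntilSucceeded {
			break
		}
	}
	return applied, errs
}

func main() {
	// Constructed sample PR: one allowlisted dependency and one that is not.
	allow := map[string]bool{"github.com/open-policy-agent/opa": true}
	res := EvaluateDependencyAllowlist([]string{"github.com/open-policy-agent/opa", "example.com/unvetted"}, allow)
	rec := &Recorder{}
	_ = ApplyFeedback(true, true, res, rec)
	fmt.Printf("checks=%v comments=%v\n", rec.Checks, rec.Comments)
}
```

With both flags off, ApplyFeedback leaves the Recorder empty, which is the behaviour the issue asks for in place of the current evaluator side effects. In the chained alternative, ApplyAll with an unavailable comments API still reports the status check and surfaces the comment error, while ApplyUntilSucceeded stops after the first remediation that lands; which of the two a profile author gets is exactly the semantic choice the alternative above would have to pin down.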