feat(api): add resource_ids to role assignments, restructure executable deny list in policies

stainless-app[bot] · stainless-app[bot] · commit b30fc2332c0d · 2026-02-19T19:14:34.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
 configured_endpoints: 175
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-3017822d8c133c3d60f2bf1a65bc81fa8e11737d46d90d2316d5ef57285ed30f.yml
-openapi_spec_hash: 2a1219326c8d17de457653ca29023ebf
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-6a3ce4fa1cddca171e56bb663ad37610241027c3e149cdda77d579e1c5f4411a.yml
+openapi_spec_hash: fd261ea098c45e8ab600e18bbd9650c5
 config_hash: b478642d4e5f97aab620afc5c51bb2ea
diff --git a/src/gitpod/types/groups/role_assignment_list_params.py b/src/gitpod/types/groups/role_assignment_list_params.py
@@ -5,6 +5,7 @@
 from typing import List
 from typing_extensions import Annotated, TypedDict
 
+from ..._types import SequenceNotStr
 from ..._utils import PropertyInfo
 from ..shared.resource_role import ResourceRole
 from ..shared.resource_type import ResourceType
@@ -34,11 +35,20 @@ class Filter(TypedDict, total=False):
     """
 
     resource_id: Annotated[str, PropertyInfo(alias="resourceId")]
+    """Filters by a single resource.
+
+    Use this when listing all groups that have access to a specific resource (e.g.
+    share dialogs). Non-admin callers with :grant permission on the resource can see
+    role assignments from groups they don't belong to. Mutually exclusive with
+    resource_ids.
     """
-    resource_id filters the response to only role assignments for this specific
-    resource When provided, users with :grant permission on the resource can see its
-    role assignments even if they don't belong to the assigned groups Empty string
-    is allowed and means no filtering by resource
+
+    resource_ids: Annotated[SequenceNotStr[str], PropertyInfo(alias="resourceIds")]
+    """Filters by multiple resources in a single request.
+
+    Use this for batch permission lookups (e.g. checking the caller's own
+    permissions across several resources). Does not support the :grant permission
+    bypass. Mutually exclusive with resource_id.
     """
 
     resource_roles: Annotated[List[ResourceRole], PropertyInfo(alias="resourceRoles")]
diff --git a/tests/api_resources/groups/test_role_assignments.py b/tests/api_resources/groups/test_role_assignments.py
@@ -75,6 +75,7 @@ def test_method_list_with_all_params(self, client: Gitpod) -> None:
             filter={
                 "group_id": "groupId",
                 "resource_id": "resourceId",
+                "resource_ids": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
                 "resource_roles": ["RESOURCE_ROLE_UNSPECIFIED"],
                 "resource_types": ["RESOURCE_TYPE_RUNNER"],
                 "user_id": "userId",
@@ -204,6 +205,7 @@ async def test_method_list_with_all_params(self, async_client: AsyncGitpod) -> N
             filter={
                 "group_id": "groupId",
                 "resource_id": "resourceId",
+                "resource_ids": ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
                 "resource_roles": ["RESOURCE_ROLE_UNSPECIFIED"],
                 "resource_types": ["RESOURCE_TYPE_RUNNER"],
                 "user_id": "userId",
