the force-reconcile-helmreleases Kyverno policy misses some criteria
I analyzed a broken CI run (Orange CI job 299256255), where the update of a HelmRelease failed but the force-reconcile-helmreleases Kyverno policy did not act at all.
The status of the HelmRelease was:
    status:
      conditions:
      - lastTransitionTime: "2026-02-06T00:22:55Z"
        message: Failed to upgrade after 1 attempt(s)
        observedGeneration: 2
        reason: RetriesExceeded
        status: "True"
        type: Stalled
      - lastTransitionTime: "2026-02-06T00:22:54Z"
        message: Unlocked Helm release kyverno/kyverno.v2 with chart kyverno@3.4.6 in
          pending-upgrade state
        observedGeneration: 2
        reason: PendingRelease
        status: "False"
        type: Ready
      - lastTransitionTime: "2026-02-06T00:22:54Z"
        message: Unlocked Helm release kyverno/kyverno.v2 with chart kyverno@3.4.6 in
          pending-upgrade state
        observedGeneration: 2
        reason: PendingRelease
        status: "False"
        type: Released
but the preconditions for the policy are:
    # Install or upgrade has failed
    - key: "{{ request.object.status.conditions || `[]` | [?type == 'Ready'].reason | [0] || 'NotFound' }}"
      operator: AnyIn
      value:
      - InstallFailed
      - UpgradeFailed
    # Request reconciliation once flux is not reconciling any more
    - key: "{{ request.object.status.conditions || `[]` | [?type == 'Reconciling'] | length(@) }}"
      operator: Equals
      value: 0
... so they won't match this state.
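
The mismatch described above, reproduced as an added example (not code from the policy or the project): the two preconditions are re-implemented in plain Python and evaluated over the conditions quoted in the issue. It assumes both preconditions must hold for the rule to fire; `stalled_reason` and `rule_matches` are hypothetical helpers, the former only showing where the failure is recorded in this state.

```python
# Conditions copied from the HelmRelease status quoted in the issue
# (timestamps and messages omitted; the preconditions do not read them).
HELMRELEASE = {"status": {"conditions": [
    {"type": "Stalled", "status": "True", "reason": "RetriesExceeded"},
    {"type": "Ready", "status": "False", "reason": "PendingRelease"},
    {"type": "Released", "status": "False", "reason": "PendingRelease"},
]}}

def _conditions(obj):
    # Mirrors: request.object.status.conditions || `[]`
    return (obj.get("status") or {}).get("conditions") or []

def ready_reason(obj):
    # Mirrors: [?type == 'Ready'].reason | [0] || 'NotFound'
    reasons = [c["reason"] for c in _conditions(obj)
               if c.get("type") == "Ready" and c.get("reason") is not None]
    return reasons[0] if reasons else "NotFound"

def reconciling_count(obj):
    # Mirrors: [?type == 'Reconciling'] | length(@)
    return sum(1 for c in _conditions(obj) if c.get("type") == "Reconciling")

def policy_preconditions(obj):
    # One boolean per precondition, in the order they appear in the policy.
    return {
        "install_or_upgrade_failed":
            ready_reason(obj) in ("InstallFailed", "UpgradeFailed"),  # AnyIn
        "not_reconciling": reconciling_count(obj) == 0,               # Equals 0
    }

def rule_matches(obj):
    # Assumption: the rule fires only when every precondition is true.
    return all(policy_preconditions(obj).values())

def stalled_reason(obj):
    # Hypothetical helper: reason of a Stalled=True condition, if any.
    for c in _conditions(obj):
        if c.get("type") == "Stalled" and c.get("status") == "True":
            return c.get("reason")
    return None

if __name__ == "__main__":
    print("Ready reason:    ", ready_reason(HELMRELEASE))
    print("preconditions:   ", policy_preconditions(HELMRELEASE))
    print("rule matches:    ", rule_matches(HELMRELEASE))
    print("Stalled reason:  ", stalled_reason(HELMRELEASE))
```

Only the first precondition fails here: the `Ready` reason is `PendingRelease`, while the failure itself is carried by the `Stalled` condition with reason `RetriesExceeded`.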