helm diff --three-way-merge upgrade not detecting kubernetes manual change #455

Open
ceastman-r7 opened this issue Apr 26, 2023 · 1 comment

@ceastman-r7

This is a redacted version of the values.yaml:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: allowedrepos-aws
spec:
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - kube-system
    name: aws-repos
    validate:
      deny:
        conditions:
          all:
          - key: '{{ images.[containers, initContainers, ephemeralContainers][].*.registry[]
              }}'
            operator: AnyNotIn
            value:
            - xyz.*.amazonaws.com
      message: All images in this Pod must come from an authorized repository.
  validationFailureAction: enforce
```

This is the manual change I made that the --three-way-merge does not detect:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: allowedrepos-aws
spec:
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - kube-system
    name: aws-repos
    validate:
      deny:
        conditions:
          all:
          - key: '{{ images.[containers, initContainers, ephemeralContainers][].*.registry[]
              }}'
            operator: AnyNotIn
            value:
            - xyz.*.amazonaws.com
      message: All images in this Pod must come from an authorized repository.
  validationFailureAction: audit
```

Notice the change in the value for validationFailureAction.

The detailed exit code is 0.

@drcrees

drcrees commented Apr 26, 2024

I am seeing this as well on version 3.9.5 with three-way-merge and normalize manifests enabled.

I had manually updated a Deployment resource to include a nodeSelector and helm-diff did not detect it.

EDIT:
#176 (comment)

This is likely just how it works with Helm 3
