From 6c70fafe73bfdfe1ccfd95455a933e756b74b7a7 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Mon, 29 Jan 2024 15:12:52 -0500
Subject: [PATCH] Re-enable EC Task checks
Ref: https://issues.redhat.com/browse/EC-359
Signed-off-by: Luiz Carvalho
---
.tekton/pull-request.yaml | 17 +++++++------
.tekton/push.yaml | 8 +++++++
.tekton/tasks/ec-checks.yaml | 46 ++++++++++++++++--------------------
policies/build-tasks.yaml | 9 +++++++
4 files changed, 45 insertions(+), 35 deletions(-)
create mode 100644 policies/build-tasks.yaml
diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml
index 9a02608ce5..05b9c2648d 100644
--- a/.tekton/pull-request.yaml
+++ b/.tekton/pull-request.yaml
@@ -201,15 +201,14 @@ spec:
 workspaces:
 - name: source
 workspace: workspace
- # This will be re-enabled as part of https://issues.redhat.com/browse/EC-332
- # - name: ec-task-checks
- # runAfter:
- # - fetch-repository
- # taskRef:
- # name: ec-checks
- # workspaces:
- # - name: source
- # workspace: workspace
+ - name: ec-task-checks
+ runAfter:
+ - fetch-repository
+ taskRef:
+ name: ec-checks
+ workspaces:
+ - name: source
+ workspace: workspace
 - name: check-task-migration-md
 runAfter:
 - fetch-repository
diff --git a/.tekton/push.yaml b/.tekton/push.yaml
index 3142d5e264..6f7c5fcc13 100644
--- a/.tekton/push.yaml
+++ b/.tekton/push.yaml
@@ -36,6 +36,14 @@ spec:
 workspaces:
 - name: output
 workspace: workspace
+ - name: ec-task-checks
+ runAfter:
+ - clone-repository
+ taskRef:
+ name: ec-checks
+ workspaces:
+ - name: source
+ workspace: workspace
 - name: build-container
 params:
 - name: IMAGE
diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
index 0d76854ea3..f1c958d3be 100644
--- a/.tekton/tasks/ec-checks.yaml
+++ b/.tekton/tasks/ec-checks.yaml
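Review bot: The re-enabled `ec-task-checks` task runs against the `workspace` filled by `fetch-repository`, i.e. the pull request's own checkout, and the `ec-checks` task changed in this same patch reads its build-task policy from `./policies/build-tasks.yaml` inside that checkout. A PR can therefore change both the Task definitions and the policy they are validated against in one go, so this check only gates what reviewers also read. I would document that next to the task entry, e.g. `# NOTE: ec-checks reads policies/build-tasks.yaml from this checkout; review policy changes as carefully as Task changes`, and consider a CODEOWNERS entry for `policies/` if the repo uses one. The pipeline task list this entry belongs to starts above the hunk.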
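Review bot: In push.yaml the new `ec-task-checks` entry declares only `runAfter: clone-repository`, and the `build-container` task that follows does not, within this hunk, list `ec-task-checks` in its own `runAfter`, so the two appear to run concurrently and the image build is not ordered behind the policy check; in Tekton a failed task fails the PipelineRun but does not stop tasks that have already started. If the intent is for the push pipeline to gate the build on the Task definitions passing policy, add `ec-task-checks` to `build-container`'s `runAfter`; if the check is only meant to report, a comment such as `# ec-task-checks is informational here; build-container does not wait on it` would remove the ambiguity. `build-container`'s `runAfter` is outside the hunk, so this may already be handled.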
@@ -25,34 +25,28 @@ spec:
 - name: validate-all-tasks
 workingDir: "$(workspaces.source.path)/source"
 image: quay.io/enterprise-contract/ec-cli:snapshot
- command: [ec]
- args:
- - validate
- - definition
- - "--file"
- - "./all_tasks-ec"
- - "--policy"
- - "git::https://github.com/enterprise-contract/ec-policies//policy/task"
- - "--policy"
- - "git::https://github.com/enterprise-contract/ec-policies//policy/lib"
- - "--data"
- - "git::https://github.com/release-engineering/rhtap-ec-policy//data"
- - "--strict"
+ script: |
+ set -euo pipefail
+
+ # Generate list of file parameters, e.g. --file=foo.yaml --file=bar.yaml
+ files=$(ls all_tasks-ec -name/*.yaml | awk '{printf "--file=" $0}')
+ echo "[DEBUG] Files parameter: ${files}"
+
+ policy='enterprise-contract-service/redhat-trusted-tasks'
+
+ ec validate input --policy "${policy}" --output yaml --strict=true ${files}
 - name: validate-build-tasks
 workingDir: "$(workspaces.source.path)/source"
 image: quay.io/enterprise-contract/ec-cli:snapshot
- command: [ec]
- args:
- - validate
- - definition
- - "--file"
- - "./build_tasks-ec"
- - "--policy"
- - "git::https://github.com/enterprise-contract/ec-policies//policy/build_task"
- - "--policy"
- - "git::https://github.com/enterprise-contract/ec-policies//policy/lib"
- - "--data"
- - "git::https://github.com/release-engineering/rhtap-ec-policy//data"
- - "--strict"
+ script: |
+ set -euo pipefail
+
+ # Generate list of file parameters, e.g. --file=foo.yaml --file=bar.yaml
+ files=$(ls build_tasks-ec -name/*.yaml | awk '{printf "--file=" $0}')
+ echo "[DEBUG] Files parameter: ${files}"
+
+ policy='./policies/build-tasks.yaml'
+
+ ec validate input --policy "${policy}" --output yaml --strict=true ${files}
 workspaces:
 - name: source
diff --git a/policies/build-tasks.yaml b/policies/build-tasks.yaml
new file mode 100644
index 0000000000..62db8d5489
--- /dev/null
+++ b/policies/build-tasks.yaml
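Review bot: In both `validate-all-tasks` and `validate-build-tasks`, the `files=$(ls … | awk '{printf "--file=" $0}')` line emits no separator between entries, so with more than one YAML file the result is a single token like `--file=a.yaml--file=b.yaml` rather than the `--file=foo.yaml --file=bar.yaml` list the comment promises; the `-name/*.yaml` argument also reads like a `find -name` expression, and if that is the real text it would reach `ls` as an option string rather than be expanded as a glob. Building the argument list from a shell glob avoids parsing `ls` output, keeps paths with spaces intact, and fails closed, since a non-matching glob is passed through literally and `ec` rejects the missing file. The rewrite below is POSIX `sh`, which matters because the script has no shebang and Tekton runs shebang-less scripts under `/bin/sh` by default, while `set -o pipefail` is itself not POSIX (bash and busybox `ash` accept it, `dash` does not) — a `#!/usr/bin/env bash` shebang would pin the interpreter the script already assumes. The same change applies to `validate-build-tasks`, which differs only in the directory and the policy path.
```yaml
      script: |
        set -euo pipefail

        # One --file=<path> argument per YAML file, built from a shell glob
        # instead of parsed ls output; a non-matching glob fails closed in ec.
        set --
        for f in all_tasks-ec/*.yaml; do
          set -- "$@" "--file=${f}"
        done
        echo "[DEBUG] Files parameter: $*"

        policy='enterprise-contract-service/redhat-trusted-tasks'

        ec validate input --policy "${policy}" --output yaml --strict=true "$@"
    # … unchanged: validate-build-tasks step, same rewrite with build_tasks-ec and ./policies/build-tasks.yaml …
```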
@@ -0,0 +1,9 @@
+---
+# These policies are meant to be applied to the build Tasks in this repo. These are policy rules
+# that are very specific to the use cases in this repo. Thus, they are defined here instead of in a
+# more generic location, e.g. infra-deployments repository.
+sources:
+ - policy:
+ - quay.io/enterprise-contract/ec-build_task-policy:latest
+ data:
+ - git::https://github.com/release-engineering/rhtap-ec-policy//data
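Review bot: The policy bundle `quay.io/enterprise-contract/ec-build_task-policy:latest` is referenced by a floating tag and the data source `git::https://github.com/release-engineering/rhtap-ec-policy//data` carries no `?ref=`, so what `validate-build-tasks` enforces can change without any commit to this repo and a given commit cannot be re-validated reproducibly later. Pinning the bundle by digest (`@sha256:<digest-placeholder>`) or a versioned tag and the data source with `?ref=<commit-placeholder>`, with a bot or periodic job to roll them, turns every policy update into a reviewable change; if tracking upstream is intentional, say so in the header comment, e.g. `# Sources are deliberately unpinned so this repo follows the current upstream policy.`. Because this file lives in the repository it validates, it also deserves the same review rigor as the Task definitions themselves.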