Allow certain workspaces in TA tasks

The `trusted_artifacts` package now has a new polcy rule, `workspace`[1]` that aims to restrict the workspaces used by Tasks that implement the Trusted Artifacts pattern. By default, it does not allow any. This commit adds a list of allow workspaces which are meant for providing authentication details. Ref: EC-258 [1] https://enterprisecontract.dev/docs/ec-policies/task_policy.html#trusted_artifacts__workspace Signed-off-by: Luiz Carvalho <[email protected]>
konflux-ci · Jun 6, 2024 · 8ab28e4 · 8ab28e4
1 parent 3778abd
commit 8ab28e4
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/policies/all-tasks.yaml b/policies/all-tasks.yaml
@@ -6,6 +6,11 @@ sources:
     data:
       - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
       - github.com/release-engineering/rhtap-ec-policy//data
+    ruleData:
+      allowed_trusted_artifacts_workspaces:
+        - git-basic-auth
+        - basic-auth
+        - ssh-directory
     config:
       include:
         - kind