Merge pull request #761 from lcarva/EC-359

Re-enable EC Task checks

.tekton/pull-request.yaml

@@ -201,15 +201,14 @@ spec:
         workspaces:
           - name: source
             workspace: workspace
-      # This will be re-enabled as part of https://issues.redhat.com/browse/EC-332
-      # - name: ec-task-checks
-      #   runAfter:
-      #     - fetch-repository
-      #   taskRef:
-      #     name: ec-checks
-      #   workspaces:
-      #     - name: source
-      #       workspace: workspace
+      - name: ec-task-checks
+        runAfter:
+          - fetch-repository
+        taskRef:
+          name: ec-checks
+        workspaces:
+          - name: source
+            workspace: workspace
       - name: check-task-migration-md
         runAfter:
           - fetch-repository

.tekton/push.yaml

@@ -36,6 +36,14 @@ spec:
         workspaces:
           - name: output
             workspace: workspace
+      - name: ec-task-checks
+        runAfter:
+          - clone-repository
+        taskRef:
+          name: ec-checks
+        workspaces:
+          - name: source
+            workspace: workspace
       - name: build-container
         params:
           - name: IMAGE

.tekton/tasks/ec-checks.yaml

@@ -25,34 +25,30 @@ spec:
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
     image: quay.io/enterprise-contract/ec-cli:snapshot
-    command: [ec]
-    args:
-      - validate
-      - definition
-      - "--file"
-      - "./all_tasks-ec"
-      - "--policy"
-      - "git::https://github.com/enterprise-contract/ec-policies//policy/task"
-      - "--policy"
-      - "git::https://github.com/enterprise-contract/ec-policies//policy/lib"
-      - "--data"
-      - "git::https://github.com/release-engineering/rhtap-ec-policy//data"
-      - "--strict"
+    script: |
+      set -euo pipefail
+
+      # Generate list of file parameters, e.g. --file foo.yaml --file bar.yaml
+      files=(all_tasks-ec/*.yaml)
+      args=${files[*]/#/--file }
+      echo "[DEBUG] Files parameter: ${args[*]}"
+
+      policy='enterprise-contract-service/redhat-trusted-tasks'
+
+      ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
     image: quay.io/enterprise-contract/ec-cli:snapshot
-    command: [ec]
-    args:
-      - validate
-      - definition
-      - "--file"
-      - "./build_tasks-ec"
-      - "--policy"
-      - "git::https://github.com/enterprise-contract/ec-policies//policy/build_task"
-      - "--policy"
-      - "git::https://github.com/enterprise-contract/ec-policies//policy/lib"
-      - "--data"
-      - "git::https://github.com/release-engineering/rhtap-ec-policy//data"
-      - "--strict"
+    script: |
+      set -euo pipefail
+
+      # Generate list of file parameters, e.g. --file foo.yaml --file bar.yaml
+      files=(build_tasks-ec/*.yaml)
+      args=${files[*]/#/--file }
+      echo "[DEBUG] Files parameter: ${args[*]}"
+
+      policy='./policies/build-tasks.yaml'
+
+      ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   workspaces:
     - name: source

policies/build-tasks.yaml

@@ -0,0 +1,9 @@
+---
+# These policies are meant to be applied to the build Tasks in this repo. These are policy rules
+# that are very specific to the use cases in this repo. Thus, they are defined here instead of in a
+# more generic location, e.g. infra-deployments repository.
+sources:
+  - policy:
+      - quay.io/enterprise-contract/ec-build_task-policy:latest
+    data:
+      - git::https://github.com/release-engineering/rhtap-ec-policy//data