diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 9a02608ce5..05b9c2648d 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -201,15 +201,14 @@ spec: workspaces: - name: source workspace: workspace - # This will be re-enabled as part of https://issues.redhat.com/browse/EC-332 - # - name: ec-task-checks - # runAfter: - # - fetch-repository - # taskRef: - # name: ec-checks - # workspaces: - # - name: source - # workspace: workspace + - name: ec-task-checks + runAfter: + - fetch-repository + taskRef: + name: ec-checks + workspaces: + - name: source + workspace: workspace - name: check-task-migration-md runAfter: - fetch-repository diff --git a/.tekton/push.yaml b/.tekton/push.yaml index 3142d5e264..6f7c5fcc13 100644 --- a/.tekton/push.yaml +++ b/.tekton/push.yaml @@ -36,6 +36,14 @@ spec: workspaces: - name: output workspace: workspace + - name: ec-task-checks + runAfter: + - clone-repository + taskRef: + name: ec-checks + workspaces: + - name: source + workspace: workspace - name: build-container params: - name: IMAGE diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 0d76854ea3..53f4d1ef67 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml 
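Review bot: The new `ec-task-checks` task in push.yaml is ordered only after `clone-repository`, so nothing visible makes `build-container` wait for it; in a push pipeline that means the image can be built and pushed before the policy check fails the run. If the check is meant to gate the build, `build-container` needs `runAfter:` `- ec-task-checks` in addition to whatever it already lists — its `runAfter`, if any, is outside the hunk, so this may already be the case. The `--- a/.tekton/tasks/ec-checks.yaml` hunk that follows continues past the end of this line.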
@@ -25,34 +25,30 @@ spec: - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" image: quay.io/enterprise-contract/ec-cli:snapshot - command: [ec] - args: - - validate - - definition - - "--file" - - "./all_tasks-ec" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/task" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" - - "--data" - - "git::https://github.com/release-engineering/rhtap-ec-policy//data" - - "--strict" + script: | + set -euo pipefail + + # Generate list of file parameters, e.g. --file foo.yaml --file bar.yaml + files=(all_tasks-ec/*.yaml) + args=${files[*]/#/--file } + echo "[DEBUG] Files parameter: ${args[*]}" + + policy='enterprise-contract-service/redhat-trusted-tasks' + + ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" image: quay.io/enterprise-contract/ec-cli:snapshot - command: [ec] - args: - - validate - - definition - - "--file" - - "./build_tasks-ec" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/build_task" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" - - "--data" - - "git::https://github.com/release-engineering/rhtap-ec-policy//data" - - "--strict" + script: | + set -euo pipefail + + # Generate list of file parameters, e.g. --file foo.yaml --file bar.yaml + files=(build_tasks-ec/*.yaml) + args=${files[*]/#/--file } + echo "[DEBUG] Files parameter: ${args[*]}" + + policy='./policies/build-tasks.yaml' + + ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} workspaces: - name: source diff --git a/policies/build-tasks.yaml b/policies/build-tasks.yaml new file mode 100644 index 0000000000..62db8d5489 --- /dev/null +++ b/policies/build-tasks.yaml 
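Review bot: In both new `script:` blocks the `--file` list is built as a single string (`args=${files[*]/#/--file }`) and then passed unquoted as `${args[*]}`, so it only works through word splitting; a path with a space breaks it, and when the glob matches nothing the literal pattern `all_tasks-ec/*.yaml` is passed as a file name instead of the step failing. Building an array and passing `"${args[@]}"` fixes the splitting, and an explicit empty check (with `nullglob`) makes "no task definitions found" a failure rather than a silent no-op, which matters for a step whose only job is to gate on policy. The same change applies to the `validate-build-tasks` step with `build_tasks-ec/*.yaml`.
```yaml
      script: |
        set -euo pipefail
        shopt -s nullglob

        # Build one --file argument per task definition. An array keeps each
        # path intact, and an empty match must fail rather than validate nothing.
        args=()
        for f in all_tasks-ec/*.yaml; do
          args+=(--file "$f")
        done
        if ((${#args[@]} == 0)); then
          echo "[ERROR] No task definitions found under all_tasks-ec/" >&2
          exit 1
        fi
        echo "[DEBUG] Files parameter: ${args[*]}"

        policy='enterprise-contract-service/redhat-trusted-tasks'

        ec validate input --policy "${policy}" --output yaml --strict=true "${args[@]}"
# … unchanged: validate-build-tasks step, same rewrite with build_tasks-ec/*.yaml and ./policies/build-tasks.yaml …
```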
@@ -0,0 +1,9 @@ +--- +# These policies are meant to be applied to the build Tasks in this repo. These are policy rules +# that are very specific to the use cases in this repo. Thus, they are defined here instead of in a +# more generic location, e.g. infra-deployments repository. +sources: + - policy: + - quay.io/enterprise-contract/ec-build_task-policy:latest + data: + - git::https://github.com/release-engineering/rhtap-ec-policy//data
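Review bot: The policy bundle is referenced by the floating tag `quay.io/enterprise-contract/ec-build_task-policy:latest`, so the rules applied to a given commit can change without any change in this repo, and a failing or passing check is not reproducible later. Pin it by digest, e.g. `- quay.io/enterprise-contract/ec-build_task-policy@sha256:<digest-placeholder>`, or by a versioned tag, and bump it deliberately. The `data` source `git::https://github.com/release-engineering/rhtap-ec-policy//data` has the same property (it tracks the default branch); if the source resolver accepts a ref, adding one (`?ref=<commit-placeholder>`) gives the same pinning, and a comment above `sources:` should say why the pins are there.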