Add EC checks for StepActions

Ref: https://issues.redhat.com/browse/EC-1010 Signed-off-by: Luiz Carvalho <[email protected]>
konflux-ci · Nov 22, 2024 · fab55c6 · fab55c6
1 parent aaf5f93
commit fab55c6
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 8 deletions.
diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
@@ -49,5 +49,26 @@ spec:
       policy='./policies/build-tasks.yaml'
 
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
+  - name: validate-step-actions
+    workingDir: "$(workspaces.source.path)/source"
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    script: |
+      #!/bin/bash
+      set -euo pipefail
+
+      # Generate list of file parameters, e.g. --file foo.yaml --file bar.yaml
+      files=()
+      while IFS= read -r -d '' f; do
+          found="$(yq eval '.kind == "StepAction"' "${f}")"
+          if [[ ${found} == "true" ]]; then
+              files+=( "${f}" )
+          fi
+      done < <(find stepactions -name '*.yaml' -print0)
+      args=${files[*]/#/--file }
+      echo "[DEBUG] Files parameter: ${args[@]}"
+
+      policy='./policies/build-tasks.yaml'
+      ec validate input --policy "${policy}" --output yaml --strict=true "${args[@]}"
+
   workspaces:
     - name: source
diff --git a/README.md b/README.md
@@ -135,11 +135,13 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ### Compliance
 
 Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies.
-Currently, there are two policy configurations.
-- The [all-tasks](./policies/all-tasks.yaml) policy
-configuration applies to all Task definitions
-- The [build-tasks](./policies/build-tasks.yaml)
-policy configuration applies only to build Task definitions.
-
-A build Task, i.e., one that produces a
-container image, must abide by both policy configurations.
+Currently, there are three policy configurations.
+
+- The [all-tasks](./policies/all-tasks.yaml) policy configuration applies to all Task definitions.
+- The [build-tasks](./policies/build-tasks.yaml) policy configuration applies only to build Task
+  definitions.
+- The [step-actions](./policies/step-actions.yaml) policy configuration applies to all StepAction
+  definitions.
+
+A build Task, e.g. one that produces a container image, must abide by both `all-tasks` and
+`build-tasks` policy configurations.
diff --git a/policies/step-actions.yaml b/policies/step-actions.yaml
@@ -0,0 +1,17 @@
+---
+# These policies are meant to be applied to all of the Tasks in this repo.
+sources:
+  - policy:
+      # - oci::quay.io/enterprise-contract/ec-task-policy:latest
+      - /home/lucarval/src/enterprise-contract/ec-policies/policy/lib
+      - /home/lucarval/src/enterprise-contract/ec-policies/policy/stepaction
+    data:
+      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        - stepaction.images
+        - stepaction.kind
+        # Support legacy matchers for now
+        - images
+        - kind