Merge pull request #1274 from simonbaird/conforma-rename

First Conforma rename

.github/workflows/docs.yaml

@@ -33,6 +33,8 @@ jobs:
         include:
           - APP_INSTALL_ID: 29980719
             REPOSITORY: enterprise-contract/enterprise-contract.github.io
+          - APP_INSTALL_ID: 59973090
+            REPOSITORY: conforma/conforma.github.io
     steps:
       - name: Trigger website update
         env:

antora/docs/modules/ROOT/nav.adoc

@@ -1,4 +1,4 @@
-* xref:index.adoc[About Enterprise Contract]
+* xref:index.adoc[About Conforma]
 include::partial$release_policy_nav.adoc[]
 include::partial$pipeline_policy_nav.adoc[]
 include::partial$build_task_policy_nav.adoc[]

antora/docs/modules/ROOT/pages/index.adoc

@@ -1,20 +1,20 @@
-= Enterprise Contract Policies
+= Conforma Policies
 
 :numbered:
 
-The Enterprise Contract is a tool for verifing the provenance of container
-images built in Konflux CI, and validating them against a
-clearly defined Enterprise Contract policy.
+Conforma (formerly known as Enterprise Contract) is a tool for verifing the
+provenance of container images built in a CI system such as Konflux, and
+validating them against a clearly defined policy.
 
-The Enterprise Contract policy is defined using the
+Conforma policies are defined using the
 https://www.openpolicyagent.org/docs/latest/policy-language/[rego policy
-language] and is described here in xref:release_policy.adoc[Release Policy] and
+language] and are described here in xref:release_policy.adoc[Release Policy] and
 xref:pipeline_policy.adoc[Pipeline Policy].
 
 == Additional Documentation
 
 * https://konflux-ci.dev/docs/[Konflux Documentation]
-* xref:ec-cli::index.adoc[EC CLI Documentation]
+* xref:ec-cli::index.adoc[Conforma CLI Documentation]
 
 == Code
 

antora/docs/modules/ROOT/pages/pipeline_policy.adoc

@@ -7,7 +7,7 @@ These rules are applied to Tekton pipeline definitions.
 [#task_bundle_package]
 == link:#task_bundle_package[Pipeline definition Task bundle policies]
 
-To be able to reproduce and audit builds accurately it's important to know exactly what happens during the build. To do this Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks in a Pipeline definition are defined in task bundles, and that the task bundles are from the list of known and trusted bundles.
+To be able to reproduce and audit builds accurately it's important to know exactly what happens during the build. To do this Conforma requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks in a Pipeline definition are defined in task bundles, and that the task bundles are from the list of known and trusted bundles.
 
 * Package name: `task_bundle`
 

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -250,9 +250,9 @@ Sanity checks related to the format of the image build's attestation.
 [#attestation_type__deprecated_policy_attestation_format]
 === link:#attestation_type__deprecated_policy_attestation_format[Deprecated policy attestation format]
 
-The Enterprise Contract CLI now places the attestation data in a different location. This check fails if the expected new format is not found.
+The Conforma CLI now places the attestation data in a different location. This check fails if the expected new format is not found.
 
-*Solution*: Use a newer version of the Enterprise Contract CLI.
+*Solution*: Use a newer version of the Conforma CLI.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Deprecated policy attestation format found`
@@ -1603,7 +1603,7 @@ Verify the source container image is signed.
 [#attestation_task_bundle_package]
 == link:#attestation_task_bundle_package[Task bundle checks]
 
-To be able to reproduce and audit builds accurately it's important to know exactly what happened during the build. To do this Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks that built the image were defined in task bundles, and that the task bundles used are from the list of known and trusted bundles.
+To be able to reproduce and audit builds accurately it's important to know exactly what happened during the build. To do this Conforma requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks that built the image were defined in task bundles, and that the task bundles used are from the list of known and trusted bundles.
 
 * Package name: `attestation_task_bundle`
 
@@ -1680,7 +1680,7 @@ Check for the existence of a task bundle. This rule will fail if the task is not
 [#tasks_package]
 == link:#tasks_package[Tasks]
 
-Enterprise Contract expects that a set of tasks were included in the pipeline build for each image to be released. This package includes a set of rules to verify that the expected tasks ran in the pipeline when the image was built. Required tasks for a pipeline are specified in a data source provided at runtime. This data source features two primary rule data keys: pipeline-required-tasks and required-tasks. The pipeline-required-tasks key lists all required tasks broken down by pipeline name, while required-tasks details a default or baseline set of tasks. If your pipeline corresponds to an entry under pipeline-required-tasks, those tasks will be prioritized; otherwise, the system will default to the tasks listed under required-tasks. Required tasks are listed by the names given to them within the task definition. Optionally invocation parameter of a Task can be also mandated by including the name and the value in square brackets following the name of the task. For example: name[PARAM=val]. Only single parameter is supported, to assert multiple parameters repeat the required task definition for each parameter seperately.
+Conforma expects that a set of tasks were included in the pipeline build for each image to be released. This package includes a set of rules to verify that the expected tasks ran in the pipeline when the image was built. Required tasks for a pipeline are specified in a data source provided at runtime. This data source features two primary rule data keys: pipeline-required-tasks and required-tasks. The pipeline-required-tasks key lists all required tasks broken down by pipeline name, while required-tasks details a default or baseline set of tasks. If your pipeline corresponds to an entry under pipeline-required-tasks, those tasks will be prioritized; otherwise, the system will default to the tasks listed under required-tasks. Required tasks are listed by the names given to them within the task definition. Optionally invocation parameter of a Task can be also mandated by including the name and the value in square brackets following the name of the task. For example: name[PARAM=val]. Only single parameter is supported, to assert multiple parameters repeat the required task definition for each parameter seperately.
 
 * Package name: `tasks`
 
@@ -1805,7 +1805,7 @@ The Tekton Task used is or will be unsupported. The Task is annotated with `buil
 [#test_package]
 == link:#test_package[Test]
 
-Enterprise Contract requires that each build was subjected to a set of tests and that those tests all passed. This package includes a set of rules to verify that.
+Conforma requires that each build was subjected to a set of tests and that those tests all passed. This package includes a set of rules to verify that.
 
 * Package name: `test`
 
@@ -1910,7 +1910,7 @@ Confirm the expected rule data keys have been provided in the expected format. T
 [#test__test_data_found]
 === link:#test__test_data_found[Test data found in task results]
 
-Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Enterprise Contract expects to find test result data.
+Ensure that at least one of the tasks in the pipeline includes a TEST_OUTPUT task result, which is where Conforma expects to find test result data.
 
 *Solution*: Confirm at least one task in the build pipeline contains a result named TEST_OUTPUT.
 

antora/docs/modules/ROOT/pages/trusted_tasks.adoc

@@ -4,7 +4,7 @@
 
 == Task Provenance using trusted Task list
 
-The Enterprise Contract requires that all Konflux pipelines
+Conforma requires that all Konflux pipelines
 use only tasks with the recorded provenance in the trusted Task list. See also
 the "Trusted Task" xref:release_policy#trusted_task_package[release] and
 xref:pipeline_policy#untrusted_task_bundle[policy] rules where this list is

antora/docs/modules/ROOT/pages/trusting_tasks.adoc

@@ -157,7 +157,7 @@ https://github.com/simonbaird/securesign-ec-config/blob/main/policy.yaml#L24[thi
 
 [,bash]
 ----
-name: Secure Sign Custom Enterprise Contract Policy
+name: Secure Sign Custom Conforma Policy
 
 description: >-
   Based on the standard Red Hat (non hermetic) policy

policy/pipeline/task_bundle/task_bundle.rego

@@ -4,7 +4,7 @@
 # description: >-
 #   To be able to reproduce and audit builds accurately it's important
 #   to know exactly what happens during the build. To do this
-#   Enterprise Contract requires that all tasks are defined in a set of
+#   Conforma requires that all tasks are defined in a set of
 #   known and trusted task bundles. This package includes rules to
 #   confirm that the tasks in a Pipeline definition are defined in task
 #   bundles, and that the task bundles are from the list of known

policy/release/attestation_task_bundle/attestation_task_bundle.rego

@@ -4,7 +4,7 @@
 # description: >-
 #   To be able to reproduce and audit builds accurately it's important
 #   to know exactly what happened during the build. To do this
-#   Enterprise Contract requires that all tasks are defined in a set of
+#   Conforma requires that all tasks are defined in a set of
 #   known and trusted task bundles. This package includes rules to
 #   confirm that the tasks that built the image were defined in task
 #   bundles, and that the task bundles used are from the list of known

policy/release/attestation_type/attestation_type.rego

@@ -75,12 +75,12 @@ deny contains result if {
 # METADATA
 # title: Deprecated policy attestation format
 # description: >-
-#   The Enterprise Contract CLI now places the attestation data in a different location.
+#   The Conforma CLI now places the attestation data in a different location.
 #   This check fails if the expected new format is not found.
 # custom:
 #   short_name: deprecated_policy_attestation_format
 #   failure_msg: Deprecated policy attestation format found
-#   solution: Use a newer version of the Enterprise Contract CLI.
+#   solution: Use a newer version of the Conforma CLI.
 #   collections:
 #   - minimal
 #   - redhat

policy/release/tasks/tasks.rego

@@ -2,7 +2,7 @@
 # METADATA
 # title: Tasks
 # description: >-
-#   Enterprise Contract expects that a set of tasks were
+#   Conforma expects that a set of tasks were
 #   included in the pipeline build for each image to be
 #   released. This package includes a set of rules to verify
 #   that the expected tasks ran in the pipeline when the image

policy/release/test/test.rego

@@ -2,7 +2,7 @@
 # METADATA
 # title: Test
 # description: >-
-#   Enterprise Contract requires that each build was subjected
+#   Conforma requires that each build was subjected
 #   to a set of tests and that those tests all passed. This package
 #   includes a set of rules to verify that.
 #
@@ -65,7 +65,7 @@ warn contains result if {
 # title: Test data found in task results
 # description: >-
 #   Ensure that at least one of the tasks in the pipeline includes a
-#   TEST_OUTPUT task result, which is where Enterprise Contract expects
+#   TEST_OUTPUT task result, which is where Conforma expects
 #   to find test result data.
 # custom:
 #   short_name: test_data_found