Add a check for the RPM build pipleline #1273
Conversation
Ensure that all tasks building the RPM come from an approved pipeline.
|
@jorris I'm trying to learn more about how this will be used. Will it be assumed that each task in a pipeline will have the |
| some p in allowed_pipelines | ||
| p != pipeline |
There was a problem hiding this comment.
If I understand correctly, I think you want something like this.
| some p in allowed_pipelines | |
| p != pipeline | |
| not (pipeline in allowed_pipelines) |
There was a problem hiding this comment.
Thanks, I was indeed trying to do that, but having problems with 'not' syntax.
| "buildConfig": {"tasks": [_valid_pipeline_task, _valid_pipeline_task_2]}, | ||
| }}}] | ||
|
|
||
| lib.assert_empty(rpm_pipeline.deny) with data.rule_data.allowed_rpm_build_pipelines as [["foobar", "baz"]] with input.attestations as attestations |
There was a problem hiding this comment.
I think you want a list of strings.
| lib.assert_empty(rpm_pipeline.deny) with data.rule_data.allowed_rpm_build_pipelines as [["foobar", "baz"]] with input.attestations as attestations | |
| lib.assert_empty(rpm_pipeline.deny) with data.rule_data.allowed_rpm_build_pipelines as ["foobar", "baz"] with input.attestations as attestations |
There was a problem hiding this comment.
Thanks. It's concerning that the tests passed despite my mistake.
| "name": "get-rpm-sources", | ||
| "status": "Succeeded", | ||
| "ref": {"name": "init", "kind": "Task", "bundle": "quay.io/konflux-ci/tekton-catalog/task-init"}, | ||
| "invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "biff"}}}, |
There was a problem hiding this comment.
According to the test, do you want this to be "baz"?
| "invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "biff"}}}, | |
| "invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "baz"}}}, |
There was a problem hiding this comment.
Thanks. It's concerning that the tests passed despite my mistake.
Yes. The rpmbuild pipeline as it stands will consistently have this value set. This is for an MVP to meet product security requirements that only an approved pipeline may be used. |
Thanks, that sounds good. We have a rule that enforces a build ran with certain required tasks. https://github.com/enterprise-contract/ec-policies/blob/main/policy/release/tasks/tasks.rego#L182 The task list is stored in https://github.com/release-engineering/rhtap-ec-policy/blob/main/data/required_tasks.yml and the keys Not sure if that's exactly what you're looking for, but just wanted to let you know. |
|
Also see #1272 where I had some conversation with Simon. Abandoned that MR since I accidentally pushed unsigned changes. |
Ensure that all tasks building the RPM come from an approved pipeline.