enterprise-contract · joejstuart · Jan 28, 2025 · Jan 22, 2025 · Jan 22, 2025 · Jan 23, 2025
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -206,6 +206,13 @@ Rules included:
 * xref:release_policy.adoc#rpm_ostree_task__builder_image_param[rpm-ostree Task: Builder image parameter]
 * xref:release_policy.adoc#rpm_ostree_task__rule_data[rpm-ostree Task: Rule data]
 
+| [#redhat_rpms]`redhat_rpms`
+a| Include the set of policy rules required for building Red Hat RPMs.
+
+Rules included:
+
+* xref:release_policy.adoc#rpm_pipeline__invalid_pipeline[RPM Pipeline: Task version invalid_pipeline]
+
 | [#rhtap-multi-ci]`rhtap-multi-ci`
 a| A set of policy rules to validate artifacts built using RHTAP Multi-CI pipelines.
 
@@ -990,6 +997,23 @@ Verify an attestation created by the RHTAP Multi-CI build pipeline is present.
 * Code: `rhtap_multi_ci.attestation_found`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_multi_ci/rhtap_multi_ci.rego#L16[Source, window="_blank"]
 
+[#rpm_pipeline_package]
+== link:#rpm_pipeline_package[RPM Pipeline]
+
+This package provides rules for verifying the RPMs are built in an approved pipeline
+
+* Package name: `rpm_pipeline`
+
+[#rpm_pipeline__invalid_pipeline]
+=== link:#rpm_pipeline__invalid_pipeline[Task version invalid_pipeline]
+
+The Tekton Task used specifies an invalid pipeline. The Task is annotated with `build.appstudio.redhat.com/pipeline` annotation, which must be in the set of `allowed_rpm_build_pipelines` in the rule data.
+
+* Rule type: [rule-type-indicator failure]#FAILURE#
+* FAILURE message: `Task %q uses invalid pipleline %s, which is not in the list of valid pipelines: %s`
+* Code: `rpm_pipeline.invalid_pipeline`
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rpm_pipeline/rpm_pipeline.rego#L18[Source, window="_blank"]
+
 [#rpm_repos_package]
 == link:#rpm_repos_package[RPM Repos]
 

diff --git a/antora/docs/modules/ROOT/partials/release_policy_nav.adoc b/antora/docs/modules/ROOT/partials/release_policy_nav.adoc
@@ -4,6 +4,7 @@
 *** xref:release_policy.adoc#minimal[minimal]
 *** xref:release_policy.adoc#policy_data[policy_data]
 *** xref:release_policy.adoc#redhat[redhat]
+*** xref:release_policy.adoc#redhat_rpms[redhat_rpms]
 *** xref:release_policy.adoc#rhtap-multi-ci[rhtap-multi-ci]
 *** xref:release_policy.adoc#slsa3[slsa3]
 ** Release Rules
@@ -74,6 +75,8 @@
 *** xref:release_policy.adoc#rhtap_multi_ci_package[RHTAP Multi-CI]
 **** xref:release_policy.adoc#rhtap_multi_ci__attestation_format[SLSA Provenance Attestation Format]
 **** xref:release_policy.adoc#rhtap_multi_ci__attestation_found[SLSA Provenance Attestation Found]
+*** xref:release_policy.adoc#rpm_pipeline_package[RPM Pipeline]
+**** xref:release_policy.adoc#rpm_pipeline__invalid_pipeline[Task version invalid_pipeline]
 *** xref:release_policy.adoc#rpm_repos_package[RPM Repos]
 **** xref:release_policy.adoc#rpm_repos__ids_known[All rpms have known repo ids]
 **** xref:release_policy.adoc#rpm_repos__rule_data_provided[Known repo id list provided]

diff --git a/policy/release/collection/redhat_rpms/redhat_rpms.rego b/policy/release/collection/redhat_rpms/redhat_rpms.rego
@@ -0,0 +1,8 @@
+#
+# METADATA
+# title: redhat_rpms
+# description: >-
+#   Include the set of policy rules required for building Red Hat RPMs.
+package collection.redhat_rpms
+
+import rego.v1
diff --git a/policy/release/rpm_pipeline/rpm_pipeline.rego b/policy/release/rpm_pipeline/rpm_pipeline.rego
@@ -0,0 +1,47 @@
+#
+# METADATA
+# title: RPM Pipeline
+# description: >-
+#   This package provides rules for verifying the RPMs are built in an approved pipeline
+#
+package rpm_pipeline
+
+import rego.v1
+
+import data.lib
+import data.lib.tekton
+
+_pipeline_key := "build.appstudio.redhat.com/pipeline"
+
+_rule_data_key := "allowed_rpm_build_pipelines"
+
+# METADATA
+# title: Task version invalid_pipeline
+# description: >-
+#   The Tekton Task used specifies an invalid pipeline. The Task is annotated with
+#   `build.appstudio.redhat.com/pipeline` annotation, which must be in the set of
+#   `allowed_rpm_build_pipelines` in the rule data.
+# custom:
+#   short_name: invalid_pipeline
+#   failure_msg: >-
+#     Task %q uses invalid pipleline %s, which is not in the list of valid pipelines: %s
+#   collections:
+#   - redhat_rpms
+#   depends_on:
+#   - tasks.pipeline_has_tasks
+#
+deny contains result if {
+	some att in lib.pipelinerun_attestations
+	some task in tekton.tasks(att)
+
+	annotations := tekton.task_annotations(task)
+	pipeline := annotations[_pipeline_key]
+	allowed_pipelines := lib.rule_data(_rule_data_key)
+
+	not pipeline in allowed_pipelines
+
+	result := lib.result_helper(
+		rego.metadata.chain(),
+		[tekton.pipeline_task_name(task), pipeline, concat(",", allowed_pipelines)],
+	)
+}
diff --git a/policy/release/rpm_pipeline/rpm_pipeline_test.rego b/policy/release/rpm_pipeline/rpm_pipeline_test.rego
@@ -0,0 +1,51 @@
+package rpm_pipeline_test
+
+import rego.v1
+
+import data.lib
+import data.rpm_pipeline
+
+test_invalid_pipeline if {
+	attestations := [{"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [_valid_pipeline_task, _invalid_pipeline_task]},
+	}}}]
+
+	expected := {{
+		"code": "rpm_pipeline.invalid_pipeline",
+		"msg": "Task \"build\" uses invalid pipleline not_allowed, which is not in the list of valid pipelines: foobar",
+	}}
+	lib.assert_equal_results(expected, rpm_pipeline.deny) with data.rule_data.allowed_rpm_build_pipelines as ["foobar"]
+		with input.attestations as attestations
+}
+
+test_valid_pipelines_met if {
+	attestations := [{"statement": {"predicate": {
+		"buildType": lib.tekton_pipeline_run,
+		"buildConfig": {"tasks": [_valid_pipeline_task, _valid_pipeline_task_2]},
+	}}}]
+
+	lib.assert_empty(rpm_pipeline.deny) with data.rule_data.allowed_rpm_build_pipelines as ["foobar", "baz"]
+		with input.attestations as attestations
+}
+
+_invalid_pipeline_task := {
+	"name": "build",
+	"status": "Succeeded",
+	"ref": {"name": "init", "kind": "Task", "bundle": "quay.io/konflux-ci/tekton-catalog/task-init"},
+	"invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "not_allowed"}}},
+}
+
+_valid_pipeline_task := {
+	"name": "init",
+	"status": "Succeeded",
+	"ref": {"name": "init", "kind": "Task", "bundle": "quay.io/konflux-ci/tekton-catalog/task-init"},
+	"invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "foobar"}}},
+}
+
+_valid_pipeline_task_2 := {
+	"name": "get-rpm-sources",
+	"status": "Succeeded",
+	"ref": {"name": "init", "kind": "Task", "bundle": "quay.io/konflux-ci/tekton-catalog/task-init"},
+	"invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/pipeline": "baz"}}},
+}