Pin the policy bundle by modifying the ECP in tekton tasks#3268
Open
simonbaird wants to merge 3 commits into
Open
Pin the policy bundle by modifying the ECP in tekton tasks#3268simonbaird wants to merge 3 commits into
simonbaird wants to merge 3 commits into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (10)
✅ Files skipped from review due to trivial changes (3)
🚧 Files skipped from review as they are similar to previous changes (7)
📝 WalkthroughWalkthroughAdds optional POLICY_BUNDLE_DIGEST support to tasks that validate Enterprise Contract/Konflux policies, a helper script to pin OCI release-policy tags to digests, updates task steps to run the pinning script and prefer the generated pinned policy file, updates CI/runtime images to include the helper, and documents the new parameter. ChangesPolicy Bundle Digest Pinning
sequenceDiagram
autonumber
participant Tekton as Tekton Task
participant Image as Container (runtime)
participant PinScript as pin-konflux-policy-bundle.sh
participant K8s as Kubernetes (kubectl)
participant Validator as validate step
Tekton->>Image: start task (includes pin-policy-bundle step)
Image->>PinScript: execute with POLICY_CONFIGURATION & POLICY_BUNDLE_DIGEST
PinScript->>K8s: (optional) kubectl get enterprisecontractpolicy -> .spec
PinScript->>PinScript: sed replace :konflux -> `@sha256`:<...>
PinScript->>Image: write ${HOME}/policy-with-pinned-bundle.yaml
Image->>Validator: run validate step
Validator->>Image: prefer pinned file if exists, else original POLICY_CONFIGURATION
Validator->>Tekton: emit results & logs
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
joejstuart
reviewed
May 1, 2026
simonbaird
added a commit
to simonbaird/konflux-build-definitions
that referenced
this pull request
May 1, 2026
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
simonbaird
added a commit
to simonbaird/konflux-build-definitions
that referenced
this pull request
May 1, 2026
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
simonbaird
added a commit
to simonbaird/konflux-build-definitions
that referenced
this pull request
May 1, 2026
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
simonbaird
added a commit
to simonbaird/konflux-build-definitions
that referenced
this pull request
May 1, 2026
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
simonbaird
commented
May 1, 2026
simonbaird
added a commit
to simonbaird/konflux-build-definitions
that referenced
this pull request
May 6, 2026
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790 Co-authored-by: Claude Code <noreply@anthropic.com>
simonbaird
force-pushed
the
policy-with-bundle-pin
branch
from
d1cbab1 to
e75a8c6
Compare
Member
Author
|
/retest |
simonbaird
force-pushed
the
policy-with-bundle-pin
branch
from
e75a8c6 to
ecd2dde
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@hack/pin-konflux-policy-bundle.sh`:
- Around line 27-34: The check for an empty digest fails under set -o nounset
because expanding ${POLICY_BUNDLE_DIGEST} errors if the variable is unset;
update the test that reads [[ -z "${POLICY_BUNDLE_DIGEST}" ]] to use parameter
expansion with a default (e.g. ${POLICY_BUNDLE_DIGEST:-}) so the -z check can
run safely even when POLICY_BUNDLE_DIGEST is unset, leaving the rest of the
no-op exit logic unchanged.
- Around line 53-65: The parsing treats any string with "/" as a k8s
namespace/name; change the detection around POLICY_CONFIGURATION (the if [[
"${POLICY_CONFIGURATION}" == *"/"* ]] branch that sets NAMESPACE and NAME and
calls kubectl get enterprisecontractpolicy) so it only treats true k8s ECP refs
as namespace/name—e.g. require exactly one slash and reject inputs that look
like URLs (contain "://" or "//" or domain dots) or otherwise match git-style
paths; if the check fails, skip the kubectl path and continue with the non-k8s
handling that avoids pinning into WORKING_POLICY. Ensure references to
POLICY_CONFIGURATION, NAMESPACE, NAME, and WORKING_POLICY remain but tighten the
conditional logic around the kubectl get calls.
In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`:
- Around line 345-352: The pin-policy-bundle step currently hard-fails if
pin-konflux-policy-bundle.sh exits non‑zero; update the pin-policy-bundle step
(the container using image quay.io/conforma/cli:latest with envs
POLICY_CONFIGURATION and POLICY_BUNDLE_DIGEST) so the command does not abort the
Task on failure (e.g. run the script under a shell that swallows non‑zero exit
like "sh -c 'pin-konflux-policy-bundle.sh || true'" or modify the script to exit
0 on handled errors) so the later validate/fallback logic can execute and select
the original policy configuration when pinning fails.
In `@tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml`:
- Around line 291-305: The pin step (name: pin-policy-bundle, command:
pin-konflux-policy-bundle.sh) must not stop the Task on failures so the fallback
validate step can run; update that step to be non-blocking by adding Tekton's
continueOnError: true to the step spec (or, if your runtime doesn't support
continueOnError, make the command tolerant to failure e.g. wrap/chain the script
with "|| true") so failures in pin-konflux-policy-bundle.sh do not abort the
Task and the subsequent validate logic still executes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: ed675d0a-c8ea-41db-a0c3-57e0088a8f89
⛔ Files ignored due to path filters (1)
features/__snapshots__/task_validate_image.snapis excluded by!**/*.snap
📒 Files selected for processing (10)
DockerfileDockerfile.distacceptance/kubernetes/kind/acceptance.Dockerfiledocs/modules/ROOT/pages/verify-conforma-konflux-ta.adocdocs/modules/ROOT/pages/verify-enterprise-contract.adocfeatures/task_validate_image.featurehack/pin-konflux-policy-bundle.shhack/update-policy-digest-in-tasks.shtasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yamltasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
Member
Author
|
I'll do some coderabbit fixes. |
Add optional POLICY_BUNDLE_DIGEST parameter to both conforma Tekton tasks. When provided, the policy configuration is resolved and the oci::quay.io/conforma/release-policy:konflux tag reference is replaced with a digest-pinned reference for reproducible policy evaluation. The reason we want to do this is the same tekton task uses the same policy always, to avoid unexpected cli/policy incompatibilities. As mentioned elsewhere, this is quite Red Hat Konflux-specific, and quite an unpleasant hack, but we're choosing an uncoupled, easy-to-delete hack over alternative options. Ref: https://redhat.atlassian.net/browse/EC-1790 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
simonbaird
force-pushed
the
policy-with-bundle-pin
branch
from
ecd2dde to
c6c7fb1
Compare
I'm imagining running this manually to begin with, but we might want to automate it have it triggered on a policy bundle push. Ref: https://redhat.atlassian.net/browse/EC-1790 Co-authored-by: Claude Code <noreply@anthropic.com>
simonbaird
force-pushed
the
policy-with-bundle-pin
branch
from
c6c7fb1 to
48069b1
Compare
joejstuart
approved these changes
May 11, 2026
Contributor
|
LGTM. Depending on how we deploy, I could possibly see the |
st3penta
approved these changes
May 12, 2026
Contributor
st3penta
left a comment
st3penta
left a comment
There was a problem hiding this comment.
LGTM, imho this is a promising approach
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ref: https://redhat.atlassian.net/browse/EC-1790