Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 172 additions & 0 deletions pipelines/enterprise-contract/enterprise-contract.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,172 @@
# Copyright The Conforma Contributors

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] file-header-format

All other Tekton YAML files in the repository (tasks and release/cli.yaml) begin with the YAML document start marker '---'. The new file starts directly with the license comment, breaking this convention.

Suggested fix: Add '---' as the first line of the file.

#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0

# The purpose of this pipeline is to execute the verify-enterprise-contract-v2 task for container

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] style/conventions

Missing Apache 2.0 license header. All three task YAML files in tasks/ include the standard copyright header (Copyright The Conforma Contributors, Apache-2.0, SPDX-License-Identifier). This new pipeline file omits it.

Suggested fix: Add the standard license header block (lines 1-16 matching the pattern in tasks/collect-keyless-params/0.1/collect-keyless-params.yaml) to the top of the file.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] documentation-accuracy

Comment references 'verify-enterprise-contract-v2 task' but the actual taskRef resolves 'verify-enterprise-contract' (no -v2 suffix). No task named verify-enterprise-contract-v2 exists in the repository.

Suggested fix: Change the comment from 'verify-enterprise-contract-v2' to 'verify-enterprise-contract'.

# images that are built but not automatically released in order to provide early feedback to users.
# When auto release is enabled, the task is executed by the release pipeline immediately after the
# container images are built, thus it is not necessary to execute the task via this pipeline.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: enterprise-contract
labels:
build.appstudio.redhat.com/pipeline: "enterprise-contract"
spec:
params:
- name: SNAPSHOT
type: string
description: |
Spec section of an ApplicationSnapshot resource. Not all fields of the
resource are required. A minimal example:
{
"components": [
{
"containerImage": "quay.io/example/repo:latest"
}
]
}
Each "containerImage" in the "components" array is validated.
- name: POLICY_CONFIGURATION
type: string
description: |
Name of the policy configuration (EnterpriseContractConfiguration
object) to use. `namespace/name` or `name` syntax supported. If
namespace is omitted the namespace where the task runs is used.
default: enterprise-contract-service/default
- name: SSL_CERT_DIR
type: string
description: |
Path to a directory containing SSL certs to be used when communicating
with external services. This is useful when using the integrated registry
and a local instance of Rekor on a development cluster which may use
certificates issued by a not-commonly trusted root CA. In such cases,
"/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple
paths can be provided by using the ":" separator.
default: ""
- name: PUBLIC_KEY
type: string
default: "k8s://openshift-pipelines/public-key"
description: |
Public key used to verify signatures. Must be a valid k8s cosign
reference, e.g. k8s://my-space/my-secret where my-secret contains
the expected cosign.pub attribute.
- name: WORKERS
type: string
description: Number of parallel workers to use for policy evaluation.
default: "1"
- name: CA_TRUST_CONFIGMAP_NAME
type: string
description: The name of the ConfigMap to read CA bundle data from.
default: "trusted-ca"
- name: CA_TRUST_CONFIG_MAP_KEY
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: "ca-bundle.crt"
- name: EXTRA_RULE_DATA
type: string
description: Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2..."
default: ""
- name: SINGLE_COMPONENT
type: string
description: Reduce the Snapshot to only the component whose build caused the Snapshot to be created
default: "false"
- name: SINGLE_COMPONENT_CUSTOM_RESOURCE
type: string
description: PipelineRun ID
default: "pr/$(context.pipelineRun.name)"
- name: STRICT
type: string
description: |
A boolean flag that determines whether the result of the test will mark the TaskRun as passing or not.
Swap to false to make the IntegrationTestScenario informative.

Setting to false is useful on specific conditions but will always mark the integration test as successful and
humans will tend to ignore the test results if they failed. Use with caution.
default: "true"
- name: EFFECTIVE_TIME
type: string
description: Run policy checks with the provided time. Expects a
RFC3339 formatted value, e.g. "2026-06-24T00:00:00Z"
default: "now"
results:
- name: TEST_OUTPUT
value: "$(tasks.verify.results.TEST_OUTPUT)"
tasks:
- name: collect-keyless-params
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/conforma/tekton-task:konflux

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] supply-chain

Both taskRef bundle references use the mutable tag quay.io/conforma/tekton-task:konflux. Tag mutation (accidental or malicious) would silently substitute a different task definition running with the pipeline's service-account privileges. This is a pre-existing pattern in the repo (release/cli.yaml uses :latest) but remains a supply-chain integrity concern.

Suggested fix: Consider pinning to an immutable digest (quay.io/conforma/tekton-task@sha256:) or documenting the acceptance of floating tags for this use case.

- name: name
value: collect-keyless-params
- name: kind
value: task
- name: verify
runAfter:
- collect-keyless-params
params:
- name: POLICY_CONFIGURATION
value: "$(params.POLICY_CONFIGURATION)"
- name: IMAGES
value: "$(params.SNAPSHOT)"
- name: SSL_CERT_DIR
value: "$(params.SSL_CERT_DIR)"
- name: STRICT
value: "$(params.STRICT)"

- name: PUBLIC_KEY
# PUBLIC_KEY will be ignored if any of the CERTIFICATE_* params are present
value: "$(params.PUBLIC_KEY)"
- name: IGNORE_REKOR
# Set this true because Chains in default Konflux does not create Rekor entries
# when signing things. It will be ignored if any of the CERTIFICATE_* params
# because keyless verification does require Rekor.
value: "true"

- name: CERTIFICATE_OIDC_ISSUER
value: "$(tasks.collect-keyless-params.results.defaultOIDCIssuer)"
- name: CERTIFICATE_IDENTITY
value: "$(tasks.collect-keyless-params.results.tektonChainsIdentity)"
- name: TUF_MIRROR
value: "$(tasks.collect-keyless-params.results.tufUrl)"
- name: REKOR_HOST
value: "$(tasks.collect-keyless-params.results.rekorUrl)"
Comment on lines +140 to +147

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟑 Minor | ⚑ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n 'CERTIFICATE_IDENTITY|FULCIO|REGEXP|keylessSigningEnabled' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

Repository: conforma/cli

Length of output: 1695


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== enterprise-contract pipeline =="
sed -n '1,220p' pipelines/enterprise-contract/enterprise-contract.yaml

echo
echo "== collect-keyless-params task =="
sed -n '1,220p' tasks/collect-keyless-params.yaml

echo
echo "== verify-enterprise-contract task =="
sed -n '1,240p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

echo
echo "== search for collect-keyless-params results usage =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl' pipelines tasks -g '!**/vendor/**'

Repository: conforma/cli

Length of output: 6570


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== files of interest =="
git ls-files | rg 'enterprise-contract|collect-keyless-params|verify-enterprise-contract'

echo
echo "== search for keyless param outputs and regexp params =="
rg -n 'defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' .

echo
echo "== pipeline consumers =="
rg -n 'tasks\.collect-keyless-params\.results\.(defaultOIDCIssuer|tektonChainsIdentity|tufUrl|rekorUrl|keylessSigningEnabled|buildIdentityRegexp|fulcioUrl)' pipelines tasks

Repository: conforma/cli

Length of output: 30586


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== collect-keyless-params task =="
sed -n '1,240p' tasks/collect-keyless-params/0.1/collect-keyless-params.yaml

echo
echo "== verify-enterprise-contract task params/results =="
sed -n '1,160p' tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

echo
echo "== docs for collect-keyless-params =="
sed -n '1,120p' docs/modules/ROOT/pages/collect-keyless-params.adoc

echo
echo "== docs for verify-enterprise-contract =="
sed -n '1,120p' docs/modules/ROOT/pages/verify-enterprise-contract.adoc

echo
echo "== other uses of buildIdentityRegexp / fulcioUrl =="
rg -n 'buildIdentityRegexp|fulcioUrl|CERTIFICATE_IDENTITY_REGEXP|CERTIFICATE_OIDC_ISSUER_REGEXP' docs tasks pipelines features internal

Repository: conforma/cli

Length of output: 31092


Pass buildIdentityRegexp through to verify-enterprise-contract. The task already accepts CERTIFICATE_IDENTITY_REGEXP, so this pipeline is dropping one of the collected keyless results today. fulcioUrl has no matching param here and can stay omitted.

πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pipelines/enterprise-contract/enterprise-contract.yaml` around lines 124 -
131, Update the environment-variable list for the verify-enterprise-contract
task to pass the collected buildIdentityRegexp result as
CERTIFICATE_IDENTITY_REGEXP, alongside CERTIFICATE_IDENTITY. Leave fulcioUrl
omitted and preserve the existing mappings.


- name: WORKERS
value: "$(params.WORKERS)"
- name: CA_TRUST_CONFIGMAP_NAME
value: "$(params.CA_TRUST_CONFIGMAP_NAME)"
- name: CA_TRUST_CONFIG_MAP_KEY
value: "$(params.CA_TRUST_CONFIG_MAP_KEY)"
- name: EXTRA_RULE_DATA
value: "$(params.EXTRA_RULE_DATA)"
- name: SINGLE_COMPONENT
value: "$(params.SINGLE_COMPONENT)"
- name: SINGLE_COMPONENT_CUSTOM_RESOURCE
value: "$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)"
- name: EFFECTIVE_TIME
value: "$(params.EFFECTIVE_TIME)"
taskRef:
resolver: bundles
params:
- name: bundle
value: quay.io/conforma/tekton-task:konflux
- name: name
value: verify-enterprise-contract
- name: kind
value: task
timeout: 4h
Loading