conforma · dheerajodha · Jul 25, 2025 · Jul 14, 2025
diff --git a/cmd/track/track_bundle.go b/cmd/track/track_bundle.go
@@ -62,14 +62,14 @@ func trackBundleCmd(track trackBundleFn, pullImage pullImageFn, pushImage pushIm
 			or a digest is required.
 
 			The output is meant to assist enforcement of policies that ensure the
-			most recent Tekton Bundle is used. As such, each entry contains an
-			"effective_on" date which is set to 30 days from today. This indicates
-			the Tekton Bundle usage should be updated within that period.
-
-			If --prune is set, on by default, non-acceptable entries are removed.
-			Any entry with an effective_on date in the future, and the entry with
-			the most recent effective_on date *not* in the future are considered
-			acceptable.
+			most recent Tekton Bundle is used. Each entry contains an "expires_on"
+			date which indicates when that specific bundle version should no longer
+			be used. When a new entry is introduced, an expiration date is added to
+			the previous newest entry.
+
+			If --prune is set, on by default, expired entries are removed.
+			Any entry with an expires_on date in the future (or no expires_on date)
+			is considered current and will not be pruned.
 		`),
 
 		Example: hd.Doc(`
@@ -181,7 +181,7 @@ func trackBundleCmd(track trackBundleFn, pullImage pullImageFn, pushImage pushIm
 
 	cmd.Flags().BoolVar(&params.freshen, "freshen", params.freshen, "resolve image tags to catch updates and use the latest image for the tag")
 
-	cmd.Flags().IntVar(&params.inEffectDays, "in-effect-days", params.inEffectDays, "number of days representing when the added reference becomes effective")
+	cmd.Flags().IntVar(&params.inEffectDays, "in-effect-days", params.inEffectDays, "number of days after which older bundle entries expire when a new bundle entry is added (most recent entry stays valid until replaced)")
 
 	cmd.MarkFlagsOneRequired("bundle", "git", "input")
 

diff --git a/cmd/track/track_bundle_test.go b/cmd/track/track_bundle_test.go
@@ -25,6 +25,7 @@ import (
 	"testing"
 
 	"github.com/spf13/afero"
+	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/conforma/cli/cmd/root"
@@ -269,6 +270,33 @@ func Test_TrackBundleCommand(t *testing.T) {
 	}
 }
 
+// TestBundleCommandHelp tests that the command help reflects the new expires_on behavior
+func TestBundleCommandHelp(t *testing.T) {
+	trackBundleCmd := trackBundleCmd(nil, nil, nil)
+
+	// Verify the long description mentions expires_on
+	assert.Contains(t, trackBundleCmd.Long, "expires_on",
+		"Command help should mention expires_on")
+
+	// Verify it explains the new behavior
+	assert.Contains(t, trackBundleCmd.Long, "expiration date is added",
+		"Command help should explain that expiration dates are added")
+
+	// Verify pruning explanation is updated
+	assert.Contains(t, trackBundleCmd.Long, "expired entries are removed",
+		"Command help should explain pruning removes expired entries")
+
+	// Verify the in-effect-days flag is documented
+	foundFlag := false
+	trackBundleCmd.Flags().VisitAll(func(flag *pflag.Flag) {
+		if flag.Name == "in-effect-days" {
+			foundFlag = true
+			assert.Equal(t, "30", flag.DefValue, "Default value should be 30")
+		}
+	})
+	assert.True(t, foundFlag, "in-effect-days flag should exist")
+}
+
 func TestPreRunE(t *testing.T) {
 	cases := []struct {
 		name string

diff --git a/docs/modules/ROOT/pages/ec_track_bundle.adoc b/docs/modules/ROOT/pages/ec_track_bundle.adoc
@@ -12,14 +12,14 @@ command will query the registry to determine its value. Either a tag
 or a digest is required.
 
 The output is meant to assist enforcement of policies that ensure the
-most recent Tekton Bundle is used. As such, each entry contains an
-"effective_on" date which is set to 30 days from today. This indicates
-the Tekton Bundle usage should be updated within that period.
+most recent Tekton Bundle is used. Each entry contains an "expires_on"
+date which indicates when that specific bundle version should no longer
+be used. When a new entry is introduced, an expiration date is added to
+the previous newest entry.
 
-If --prune is set, on by default, non-acceptable entries are removed.
-Any entry with an effective_on date in the future, and the entry with
-the most recent effective_on date *not* in the future are considered
-acceptable.
+If --prune is set, on by default, expired entries are removed.
+Any entry with an expires_on date in the future (or no expires_on date)
+is considered current and will not be pruned.
 
 [source,shell]
 ----
@@ -65,7 +65,7 @@ Update existing acceptable bundles:
 --freshen:: resolve image tags to catch updates and use the latest image for the tag (Default: false)
 -g, --git:: git references to track - may be used multiple times (Default: [])
 -h, --help:: help for bundle (Default: false)
---in-effect-days:: number of days representing when the added reference becomes effective (Default: 30)
+--in-effect-days:: number of days after which older bundle entries expire when a new bundle entry is added (most recent entry stays valid until replaced) (Default: 30)
 -i, --input:: existing tracking file
 -o, --output:: write modified tracking file to a file. Use empty string for stdout, default behavior
 -p, --prune:: remove entries that are no longer acceptable, i.e. a newer entry already effective exists (Default: true)

diff --git a/features/__snapshots__/track_bundle.snap b/features/__snapshots__/track_bundle.snap
@@ -3,8 +3,7 @@
 /-/-/-/
 trusted_tasks:
   oci://${REGISTRY}/acceptance/bundle:tag:
-    - effective_on: "${TIMESTAMP}"
-      ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+    - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
 
 ---
 
@@ -16,10 +15,8 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   oci://${REGISTRY}/acceptance/bundle:tag:
-    - effective_on: "${TIMESTAMP}"
-      ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
-    - effective_on: "2006-01-02T15:04:05Z"
-      expires_on: "${TIMESTAMP}"
+    - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+    - expires_on: "${TIMESTAMP}"
       ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
 
 ---
@@ -32,8 +29,7 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   oci://${REGISTRY}/acceptance/bundle:tag:
-    - effective_on: "${TIMESTAMP}"
-      ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+    - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
 
 ---
 
@@ -55,8 +51,7 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://github.com/konflux-ci/build-definitions.git//task/buildah/0.1/buildah.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: 3672a457e3e89c0591369f609eba727b8e84108f
+    - ref: 3672a457e3e89c0591369f609eba727b8e84108f
 
 ---
 
@@ -68,11 +63,9 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://github.com/konflux-ci/build-definitions.git//task/buildah/0.1/buildah.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: 3672a457e3e89c0591369f609eba727b8e84108f
+    - ref: 3672a457e3e89c0591369f609eba727b8e84108f
   oci://${REGISTRY}/acceptance/bundle:tag:
-    - effective_on: "${TIMESTAMP}"
-      ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+    - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
 
 ---
 
@@ -84,8 +77,7 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://forge.io/organization/repository.git//task/0.1/task.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: f0cacc1af00d
+    - ref: f0cacc1af00d
 
 ---
 
@@ -97,11 +89,9 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://github.com/konflux-ci/build-definitions.git//task/buildah/0.1/buildah.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: 3672a457e3e89c0591369f609eba727b8e84108f
+    - ref: 3672a457e3e89c0591369f609eba727b8e84108f
   oci://${REGISTRY}/acceptance/bundle:tag:
-    - effective_on: "${TIMESTAMP}"
-      ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+    - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
 
 ---
 
@@ -113,10 +103,8 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://forge.io/organization/repository.git//task/0.1/task.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: f0cacc1af00d
-    - effective_on: "2006-01-02T15:04:05Z"
-      expires_on: "${TIMESTAMP}"
+    - ref: f0cacc1af00d
+    - expires_on: "${TIMESTAMP}"
       ref: f0cacc1a
 
 ---
@@ -129,8 +117,7 @@ trusted_tasks:
 /-/-/-/
 trusted_tasks:
   git+https://forge.io/organization/repository.git//task/0.1/task.yaml:
-    - effective_on: "2006-01-02T15:04:05Z"
-      ref: f0cacc1a
+    - ref: f0cacc1a
 
 ---
 
@@ -150,8 +137,7 @@ Error: expected "git+https://${GITHOST}/git/tasks.git//task.yaml" to contain the
 /-/-/-/
 trusted_tasks:
   git+https://${GITHOST}/git/tasks.git//task.yaml:
-    - effective_on: "${TIMESTAMP}"
-      ref: ${LATEST_COMMIT}
+    - ref: ${LATEST_COMMIT}
 
 ---
 

diff --git a/features/track_bundle.feature b/features/track_bundle.feature
@@ -22,8 +22,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       oci://${REGISTRY}/acceptance/bundle:tag:
-        - effective_on: "${TODAY_PLUS_30_DAYS}"
-          ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
+        - ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
 
     """
 
@@ -40,11 +39,9 @@ Feature: track bundles
     ---
     trusted_tasks:
       oci://${REGISTRY}/acceptance/bundle:1.0:
-        - effective_on: "${TODAY_PLUS_30_DAYS}"
-          ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
+        - ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
       oci://${REGISTRY}/acceptance/bundle:1.1:
-        - effective_on: "${TODAY_PLUS_30_DAYS}"
-          ref: sha256:7af058b8a7adb24b74875411d625afbf90af6b4ed41b740606032edf1c4a0d1d
+        - ref: sha256:7af058b8a7adb24b74875411d625afbf90af6b4ed41b740606032edf1c4a0d1d
 
     """
 
@@ -57,8 +54,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       oci://${REGISTRY}/acceptance/bundle:tag:
-        - effective_on: "${TODAY_PLUS_30_DAYS}"
-          ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
+        - ref: sha256:0af8c4f92f4b252b3ef0cbd712e7352196bc33a96c58b6e1d891b26e171deae8
 
     """
 
@@ -70,8 +66,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       oci://${REGISTRY}/acceptance/bundle:tag:
-        - effective_on: 2006-01-02T15:04:05Z
-          ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
+        - ref: sha256:${REGISTRY_acceptance/bundle:tag_DIGEST}
     """
       And a tekton bundle image named "acceptance/bundle:tag" containing
       | Task     | task1-updated     |
@@ -112,8 +107,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       git+https://forge.io/organization/repository.git//task/0.1/task.yaml:
-        - effective_on: 2006-01-02T15:04:05Z
-          ref: f0cacc1a
+        - ref: f0cacc1a
     """
     When ec command is run with "track tekton-task --input ${TMPDIR}/bundles.yaml --git git+https://forge.io/organization/repository.git//task/0.1/task.yaml@f0cacc1af00d"
     Then the exit status should be 0
@@ -125,8 +119,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       git+https://forge.io/organization/repository.git//task/0.1/task.yaml:
-        - effective_on: 2006-01-02T15:04:05Z
-          ref: f0cacc1a
+        - ref: f0cacc1a
     """
     When ec command is run with "track tekton-task --prune --input ${TMPDIR}/bundles.yaml --git git+https://forge.io/organization/repository.git//task/0.1/task.yaml@f0cacc1a"
     Then the exit status should be 0
@@ -145,8 +138,7 @@ Feature: track bundles
     ---
     trusted_tasks:
       git+https://${GITHOST}/git/tasks.git//task.yaml:
-        - effective_on: 2006-01-02T15:04:05Z
-          ref: f0cacc1a
+        - ref: f0cacc1a
     """
     Given a git repository named "tasks" with
       | task.yaml | examples/task.yaml |