Merge pull request #1462 from st3penta/revert-pr-1461

st3penta · web-flow · commit 13bf7a482d17 · 2025-08-08T11:31:57.000+02:00
Revert "Merge pull request #1461 from simonbaird/matrix-task-result-g…
diff --git a/policy/release/lib/attestations.rego b/policy/release/lib/attestations.rego
@@ -35,6 +35,8 @@ taskrun_att_build_types := {
 # with test_ is treated as though it was a test.)
 task_test_result_name := "TEST_OUTPUT"
 
+task_test_image_result_name := "IMAGES_PROCESSED"
+
 slsa_provenance_attestations := [att |
 	some att in input.attestations
 	att.statement.predicateType in {slsa_provenance_predicate_type_v1, slsa_provenance_predicate_type_v02}
@@ -120,6 +122,8 @@ unmarshal(raw) := value if {
 # First find results using the new task result name
 results_from_tests := results_named(task_test_result_name)
 
+images_processed_results_from_tests := results_named(task_test_image_result_name)
+
 # Check for a task by name. Return the task if found
 task_in_pipelinerun(name) := task if {
 	some task in tasks_from_pipelinerun
diff --git a/policy/release/test/test.rego b/policy/release/test/test.rego
@@ -257,8 +257,7 @@ deny contains result if {
 	img := image.parse(input.image.ref)
 	img_digest := img.digest
 
-	some task in _grouped_processed_results_from_tests
-
+	some task in lib.images_processed_results_from_tests
 	not img_digest in object.get(task.value, ["image", "digests"], [])
 	result := lib.result_helper_with_term(
 		rego.metadata.chain(),
@@ -267,36 +266,6 @@ deny contains result if {
 	)
 }
 
-# For a multi-arch matrix task we get records of multiple tasks with
-# the same name and bundle. Combine digest lists from each them into
-# one single list otherwise we get violations for matrix test tasks.
-#
-# We're making the assumption that there's no reason, other than matrix
-# tasks, we would see the same task with the same name more than once
-# in the pipelinerun.
-#
-_grouped_processed_results_from_tests contains result if {
-	images_processed_results := lib.results_named(_task_test_image_result_name)
-
-	some r1 in images_processed_results
-
-	combined_digest_list := [digest |
-		some r2 in images_processed_results
-		r2.name == r1.name
-		r2.bundle == r2.bundle
-		some digest in r2.value.image.digests
-	]
-
-	# There is also a "pullspec" attribute alongside the "digests"
-	# attribute in the original task result. I think it's identical
-	# for each of the matrix tasks, so we could put it back in, but
-	# we don't need it for the policy check so let's leave it out.
-
-	result := object.union(r1, {"value": {"image": {"digests": combined_digest_list}}})
-}
-
-_task_test_image_result_name := "IMAGES_PROCESSED"
-
 _did_result(test, results, _) if {
 	test.result in results
 }
diff --git a/policy/release/test/test_test.rego b/policy/release/test/test_test.rego
@@ -448,7 +448,7 @@ test_wrong_attestation_type if {
 test_all_image_processed if {
 	# regal ignore:line-length
 	digests_processed := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
-	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
 	attestations := [
 		pipeline_run,
 		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "errored_1", _bundle),
@@ -460,7 +460,7 @@ test_all_image_processed if {
 
 test_all_images_not_processed if {
 	digests_processed := {"image": {"digests": ["sha256:wrongDigest"]}}
-	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
 
 	attestations := [
 		pipeline_run,
@@ -476,25 +476,6 @@ test_all_images_not_processed if {
 		with input.image.ref as _bundle
 }
 
-test_all_images_matrix_tasks if {
-	# Matrix task scenario: same task name and bundle but different digests processed by each instance
-	digests_task1 := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
-	digests_task2 := {"image": {"digests": ["sha256:otherDigest"]}}
-
-	matrix_task1 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task1, "matrix-test", _bundle)
-	matrix_task2 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task2, "matrix-test", _bundle)
-
-	attestations := [
-		matrix_task1,
-		matrix_task2,
-		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "matrix-test", _bundle),
-	]
-
-	# Should pass because the grouped results combine digests from both matrix task instances
-	lib.assert_empty(test.deny) with input.attestations as attestations
-		with input.image.ref as _bundle
-}
-
 test_rule_data_provided if {
 	d := {
 		"supported_tests_results": [
