Merge pull request #1463 from st3penta/restore-pr-1461

st3penta · web-flow · commit 4c73adb9007b · 2025-08-08T17:11:35.000+02:00
Restore PR #1461
diff --git a/policy/release/lib/attestations.rego b/policy/release/lib/attestations.rego
@@ -35,8 +35,6 @@ taskrun_att_build_types := {
 # with test_ is treated as though it was a test.)
 task_test_result_name := "TEST_OUTPUT"
 
-task_test_image_result_name := "IMAGES_PROCESSED"
-
 slsa_provenance_attestations := [att |
 	some att in input.attestations
 	att.statement.predicateType in {slsa_provenance_predicate_type_v1, slsa_provenance_predicate_type_v02}
@@ -122,8 +120,6 @@ unmarshal(raw) := value if {
 # First find results using the new task result name
 results_from_tests := results_named(task_test_result_name)
 
-images_processed_results_from_tests := results_named(task_test_image_result_name)
-
 # Check for a task by name. Return the task if found
 task_in_pipelinerun(name) := task if {
 	some task in tasks_from_pipelinerun
diff --git a/policy/release/test/test.rego b/policy/release/test/test.rego
@@ -257,7 +257,8 @@ deny contains result if {
 	img := image.parse(input.image.ref)
 	img_digest := img.digest
 
-	some task in lib.images_processed_results_from_tests
+	some task in _grouped_processed_results_from_tests
+
 	not img_digest in object.get(task.value, ["image", "digests"], [])
 	result := lib.result_helper_with_term(
 		rego.metadata.chain(),
@@ -266,6 +267,36 @@ deny contains result if {
 	)
 }
 
+# For a multi-arch matrix task we get records of multiple tasks with
+# the same name and bundle. Combine digest lists from each them into
+# one single list otherwise we get violations for matrix test tasks.
+#
+# We're making the assumption that there's no reason, other than matrix
+# tasks, we would see the same task with the same name more than once
+# in the pipelinerun.
+#
+_grouped_processed_results_from_tests contains result if {
+	images_processed_results := lib.results_named(_task_test_image_result_name)
+
+	some r1 in images_processed_results
+
+	combined_digest_list := [digest |
+		some r2 in images_processed_results
+		r2.name == r1.name
+		r2.bundle == r2.bundle
+		some digest in r2.value.image.digests
+	]
+
+	# There is also a "pullspec" attribute alongside the "digests"
+	# attribute in the original task result. I think it's identical
+	# for each of the matrix tasks, so we could put it back in, but
+	# we don't need it for the policy check so let's leave it out.
+
+	result := object.union(r1, {"value": {"image": {"digests": combined_digest_list}}})
+}
+
+_task_test_image_result_name := "IMAGES_PROCESSED"
+
 _did_result(test, results, _) if {
 	test.result in results
 }
diff --git a/policy/release/test/test_test.rego b/policy/release/test/test_test.rego
@@ -448,7 +448,7 @@ test_wrong_attestation_type if {
 test_all_image_processed if {
 	# regal ignore:line-length
 	digests_processed := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
-	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
 	attestations := [
 		pipeline_run,
 		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "errored_1", _bundle),
@@ -460,7 +460,7 @@ test_all_image_processed if {
 
 test_all_images_not_processed if {
 	digests_processed := {"image": {"digests": ["sha256:wrongDigest"]}}
-	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
 
 	attestations := [
 		pipeline_run,
@@ -476,6 +476,25 @@ test_all_images_not_processed if {
 		with input.image.ref as _bundle
 }
 
+test_all_images_matrix_tasks if {
+	# Matrix task scenario: same task name and bundle but different digests processed by each instance
+	digests_task1 := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
+	digests_task2 := {"image": {"digests": ["sha256:otherDigest"]}}
+
+	matrix_task1 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task1, "matrix-test", _bundle)
+	matrix_task2 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task2, "matrix-test", _bundle)
+
+	attestations := [
+		matrix_task1,
+		matrix_task2,
+		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "matrix-test", _bundle),
+	]
+
+	# Should pass because the grouped results combine digests from both matrix task instances
+	lib.assert_empty(test.deny) with input.attestations as attestations
+		with input.image.ref as _bundle
+}
+
 test_rule_data_provided if {
 	d := {
 		"supported_tests_results": [
