Handle matrix tasks result digest lists correctly

simonbaird · simonbaird · commit edf7fdf965e6 · 2025-08-07T10:07:08.000-04:00
There's a check that requires that all test tasks verify that they did test the image being validated. To do this the tasks produce a task result that must contain the digest of the image. Some tests tasks are now moving to run as a Tekton matrix task, so they split up and run as separate tasks for each arch being tested. This means we end up with more than one task visible in the attestation, and hence one particular task result might not include the digest of specific image being tested, because it was actually tested in one of the other similar matrix tasks. Work around the problem by doing some massaging of the task result list to combine the digest lists in the task results from similar matrix tasks into one combined digest list, and then referencing that in the policy check instead of the raw list. Claude created the test coverage. Ref: https://issues.redhat.com/browse/KONFLUX-9576 Co-authored-by: Claude 4 Sonnet
diff --git a/policy/release/lib/attestations.rego b/policy/release/lib/attestations.rego
@@ -35,8 +35,6 @@ taskrun_att_build_types := {
 # with test_ is treated as though it was a test.)
 task_test_result_name := "TEST_OUTPUT"
 
-task_test_image_result_name := "IMAGES_PROCESSED"
-
 slsa_provenance_attestations := [att |
 	some att in input.attestations
 	att.statement.predicateType in {slsa_provenance_predicate_type_v1, slsa_provenance_predicate_type_v02}
@@ -122,8 +120,6 @@ unmarshal(raw) := value if {
 # First find results using the new task result name
 results_from_tests := results_named(task_test_result_name)
 
-images_processed_results_from_tests := results_named(task_test_image_result_name)
-
 # Check for a task by name. Return the task if found
 task_in_pipelinerun(name) := task if {
 	some task in tasks_from_pipelinerun
diff --git a/policy/release/test/test.rego b/policy/release/test/test.rego
@@ -257,7 +257,8 @@ deny contains result if {
 	img := image.parse(input.image.ref)
 	img_digest := img.digest
 
-	some task in lib.images_processed_results_from_tests
+	some task in _grouped_processed_results_from_tests
+
 	not img_digest in object.get(task.value, ["image", "digests"], [])
 	result := lib.result_helper_with_term(
 		rego.metadata.chain(),
@@ -266,6 +267,36 @@ deny contains result if {
 	)
 }
 
+# For a multi-arch matrix task we get records of multiple tasks with
+# the same name and bundle. Combine digest lists from each them into
+# one single list otherwise we get violations for matrix test tasks.
+#
+# We're making the assumption that there's no reason, other than matrix
+# tasks, we would see the same task with the same name more than once
+# in the pipelinerun.
+#
+_grouped_processed_results_from_tests contains result if {
+	images_processed_results := lib.results_named(_task_test_image_result_name)
+
+	some r1 in images_processed_results
+
+	combined_digest_list := [digest |
+		some r2 in images_processed_results
+		r2.name == r1.name
+		r2.bundle == r2.bundle
+		some digest in r2.value.image.digests
+	]
+
+	# There is also a "pullspec" attribute alongside the "digests"
+	# attribute in the original task result. I think it's identical
+	# for each of the matrix tasks, so we could put it back in, but
+	# we don't need it for the policy check so let's leave it out.
+
+	result := object.union(r1, {"value": {"image": {"digests": combined_digest_list}}})
+}
+
+_task_test_image_result_name := "IMAGES_PROCESSED"
+
 _did_result(test, results, _) if {
 	test.result in results
 }
diff --git a/policy/release/test/test_test.rego b/policy/release/test/test_test.rego
@@ -448,7 +448,7 @@ test_wrong_attestation_type if {
 test_all_image_processed if {
 	# regal ignore:line-length
 	digests_processed := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
-	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
 	attestations := [
 		pipeline_run,
 		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "errored_1", _bundle),
@@ -460,7 +460,7 @@ test_all_image_processed if {
 
 test_all_images_not_processed if {
 	digests_processed := {"image": {"digests": ["sha256:wrongDigest"]}}
-	pipeline_run := lib_test.att_mock_helper_ref(lib.task_test_image_result_name, digests_processed, "success_23", _bundle)
+	pipeline_run := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_processed, "success_23", _bundle)
 
 	attestations := [
 		pipeline_run,
@@ -476,6 +476,25 @@ test_all_images_not_processed if {
 		with input.image.ref as _bundle
 }
 
+test_all_images_matrix_tasks if {
+	# Matrix task scenario: same task name and bundle but different digests processed by each instance
+	digests_task1 := {"image": {"digests": ["sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"]}}
+	digests_task2 := {"image": {"digests": ["sha256:otherDigest"]}}
+
+	matrix_task1 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task1, "matrix-test", _bundle)
+	matrix_task2 := lib_test.att_mock_helper_ref("IMAGES_PROCESSED", digests_task2, "matrix-test", _bundle)
+
+	attestations := [
+		matrix_task1,
+		matrix_task2,
+		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "SUCCESS"}, "matrix-test", _bundle),
+	]
+
+	# Should pass because the grouped results combine digests from both matrix task instances
+	lib.assert_empty(test.deny) with input.attestations as attestations
+		with input.image.ref as _bundle
+}
+
 test_rule_data_provided if {
 	d := {
 		"supported_tests_results": [
