Skip to content

Fix step_images.step_images_accessible check #1237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lcarva merged 1 commit into from
Dec 2, 2024
Merged

Fix step_images.step_images_accessible check #1237

lcarva merged 1 commit into from
Dec 2, 2024

Conversation

@lcarva
Copy link
Contributor

@lcarva lcarva commented Nov 27, 2024

Although the implementation of ec.oci.image_manifest does return nil if the Image Manifest is not found, rego converts that to no value at all. Thus, asserting that the returned value is nil will never be true causing this policy rule to always pass.

This commit changes the rule evaluation to check for the lack of a value instead.

@lcarva
Copy link
Contributor Author

lcarva commented Nov 27, 2024

This fix is correct, but if we merge it, we will break the CI of the build-definitions repo. We need to figure out how to proceed there.

@lcarva lcarva mentioned this pull request Nov 27, 2024
Merged
@zregvart
Copy link
Contributor

zregvart commented Nov 28, 2024

Can we add effective on to the rule? Say give a leeway of 30 days?

@lcarva
Fix step_images.step_images_accessible check
ff82142 
Although the implementation of ec.oci.image_manifest does return nil if
the Image Manifest is not found, rego converts that to no value at all.
Thus, asserting that the returned value is nil will never be true
causing this policy rule to always pass.

This commit changes the rule evaluation to check for the lack of a value
instead.

Signed-off-by: Luiz Carvalho <[email protected]>
@lcarva lcarva force-pushed the fix-step-image-check branch from e8075c2 to ff82142 Compare December 2, 2024 18:28
@lcarva lcarva marked this pull request as ready for review December 2, 2024 18:28
@lcarva
Copy link
Contributor Author

lcarva commented Dec 2, 2024

The issue on build-definitions was resolved by making sure the registry auth was provided to EC. Moving it out of draft.

Added an effective_on to the policy rule for 2025-01-10. 30 days plus enough time past holidays. I'll keep an eye in the logs for build-definitions CI since a warning won't show up in the PRs.

@lcarva lcarva enabled auto-merge December 2, 2024 18:30
@lcarva lcarva merged commit 567c9f5 into conforma:main Dec 2, 2024
3 checks passed
@lcarva lcarva deleted the fix-step-image-check branch December 2, 2024 18:33
@lcarva
Copy link
Contributor Author

lcarva commented Dec 3, 2024

Good call on setting the effective_on annotation. Found two issues: EC-1038 and EC-1039.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@zregvart zregvart zregvart approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lcarva @zregvart