Implement support for version-based trusted_task_rules

[st3penta]

Add semver version constraint checking for Tekton task rules, enabling allow/deny decisions based on task version ranges. Tasks can now be restricted to specific versions using constraints like

=2, <3, >3.1.0, <=v4.2.

The implementation includes a complete semver parser supporting major.minor.patch formats (with or without 'v' prefix) and comparison operators (>=, >, <=, <). Version constraints apply only to OCI bundle references with tagged versions.

Co-authored-by: Claude Code [email protected]

Ref: https://issues.redhat.com/browse/EC-1541

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines	Coverage Δ
policy/lib/tekton/trusted.rego	100.00% <100.00%> (ø)
policy/lib/tekton/trusted_test.rego	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[st3penta]

These are currently standalone functions, actual integration depends on: #1595

[simonbaird]

I'm trying to understand this comment. Should it say "must match every constraint", since we have an every on the next line?

Or do we mean there must be at least one rule.versions, in which case should we do count(rule.versions) > 0 to make that explicit? Or does every behave that way implicitly, and the comment is to make that more clear?

[st3penta]

Good catch, it should say "must match every constraint"

[simonbaird]

Assuming we don't have a good reason to re-implement semver compare. Would be interesting to see if the same tests pass.

[simonbaird]

Hold up, I think rego has a builtin for this! https://www.openpolicyagent.org/docs/policy-reference/builtins/semver#builtin-semver-semvercompare

[st3penta]

Oh...I looked for that and didn't find anything 🤦‍♂️

[st3penta]

this needs to be refactored. See: #1595 (review)

[joejstuart]

The schema has additionalProperties: true which is allowing the versions key, but maybe we should add it to the schema. It could help with validation.

[joejstuart]

Also, when I test it I get some errors. Cursor says it's from the oci:// prefix. Might need to strip that.

ERRO[0017] unable to resolve digest: Get "https://oci/v2/": dial tcp: lookup oci: no such host  action=resolveIfNeeded function=ec.oci.image_manifest input_ref="oci://quay.io/konflux-ci/tekton-catalog/task-buildah-remote:0.4"
ERRO[0017] unable to resolve digest: Get "https://oci/v2/": dial tcp: lookup oci: no such host  action=resolveIfNeeded function=ec.oci.image_manifest input_ref="oci://quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1"
ERRO[0017] unable to resolve digest: Get "https://oci/v2/": dial tcp: lookup oci: no such host  action=resolveIfNeeded function=ec.oci.image_manifest input_ref="oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.4"

[st3penta]

Also, when I test it I get some errors. Cursor says it's from the oci:// prefix. Might need to strip that.

I can't reproduce the error (i even added an acceptance test for that, see my last commit), can you clarify which tests are you running?

[joejstuart]

Also, when I test it I get some errors. Cursor says it's from the oci:// prefix. Might need to strip that.

I can't reproduce the error (i even added an acceptance test for that, see my last commit), can you clarify which tests are you running?

I'm just running the cli

ec validate image \
  --image quay.io/redhat-user-workloads/rhtap-contract-tenant/golden-container/golden-container@sha256:185f6c39e5544479863024565bb7e63c6f2f0547c3ab4ddf99ac9b5755075cc9 \
  --policy ./policy.yaml \
  -k pub.key \
  --ignore-rekor \
  --output text \
  --strict=false 

[joejstuart]

This works great. The only issue is the performance. A normal Conforma run takes around 20 seconds for one image. With this it takes 60. I think we can merge this, but I'll create a story to handle the performance issue.