Add EC checks for StepActions

lcarva · lcarva · commit 86e02fac4443 · 2024-12-02T17:43:58.000Z
Ref: https://issues.redhat.com/browse/EC-1010 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
@@ -11,19 +11,33 @@ metadata:
 spec:
   description: >-
     This task can be used to run enterprise contract checks
+  stepTemplate:
+    securityContext:
+      # runAsUser is needed because the different images used in this Task run as different users. Ideally,
+      # we'd let OpenShift do its thing and set a random UID with a common group ID for *all* containers
+      # in the namespace, but that is currently disabled so it's wild west.
+      runAsUser: 0
+    env:
+      - name: HOME
+        value: /tekton/home
   steps:
   - name: gather-tasks
     image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent
     workingDir: $(workspaces.source.path)/source
     script: |
+      #!/bin/bash
+      set -euo pipefail
+
       source hack/ec-checks.sh
-      $(build_tasks_dir build_tasks-ec)
-      $(all_tasks_dir all_tasks-ec)
+
+      build_tasks_dir build_tasks-ec
+      all_tasks_dir all_tasks-ec
+      stepactions_dir stepactions-ec
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
     script: |
       set -euo pipefail
 
@@ -37,7 +51,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
     script: |
       set -euo pipefail
 
@@ -49,5 +63,20 @@ spec:
       policy='./policies/build-tasks.yaml'
 
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
+  - name: validate-step-actions
+    workingDir: "$(workspaces.source.path)/source"
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    script: |
+      #!/bin/bash
+      set -euo pipefail
+
+      # Generate array of file parameters, e.g. --file=foo.yaml --file=bar.yaml
+      files=( stepactions-ec/*.yaml )
+      readarray -t args < <(printf -- '--file=%s\n' "${files[@]}")
+      echo "[DEBUG] Files parameter: ${args[*]}"
+
+      policy='./policies/step-actions.yaml'
+      ec validate input --show-successes --policy "${policy}" --output yaml --strict=true "${args[@]}"
+
   workspaces:
     - name: source
diff --git a/README.md b/README.md
@@ -135,11 +135,13 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ### Compliance
 
 Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies.
-Currently, there are two policy configurations.
-- The [all-tasks](./policies/all-tasks.yaml) policy
-configuration applies to all Task definitions
-- The [build-tasks](./policies/build-tasks.yaml)
-policy configuration applies only to build Task definitions.
-
-A build Task, i.e., one that produces a
-container image, must abide by both policy configurations.
+Currently, there are three policy configurations.
+
+- The [all-tasks](./policies/all-tasks.yaml) policy configuration applies to all Task definitions.
+- The [build-tasks](./policies/build-tasks.yaml) policy configuration applies only to build Task
+  definitions.
+- The [step-actions](./policies/step-actions.yaml) policy configuration applies to all StepAction
+  definitions.
+
+A build Task, e.g. one that produces a container image, must abide by both `all-tasks` and
+`build-tasks` policy configurations.
diff --git a/hack/ec-checks.sh b/hack/ec-checks.sh
@@ -58,3 +58,19 @@ function all_tasks_dir {
     copy_all_task_versions "${task/*\//}" $tasks_dir
  done
 }
+
+function stepactions_dir {
+  if [[ ! -d $1 ]]; then
+    mkdir "$1"
+  fi
+  local d=$1
+
+  shopt -s globstar
+  for f in stepactions/**/*.yaml; do
+      yq eval -e '.kind == "StepAction"' "${f}" || continue
+      dest="${f#*/*/}"
+      dest="${d}/${dest/\//-}"
+      echo "[DEBUG] Copying ${f} to ${dest}"
+      cp "${f}" "${dest}"
+  done
+}
diff --git a/policies/step-actions.yaml b/policies/step-actions.yaml
@@ -0,0 +1,16 @@
+---
+# These policies are meant to be applied to all of the Tasks in this repo.
+sources:
+  - policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/stepaction
+    data:
+      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        - stepaction.image
+        - stepaction.kind
+        # Support legacy matchers for now
+        - image
+        - kind
