Add EC checks for StepActions

Ref: https://issues.redhat.com/browse/EC-1010

Signed-off-by: Luiz Carvalho <[email protected]>

Author: lcarva

.tekton/tasks/ec-checks.yaml

@@ -18,9 +18,14 @@ spec:
     # the cluster will set imagePullPolicy to IfNotPresent
     workingDir: $(workspaces.source.path)/source
     script: |
+      #!/bin/bash
+      set -euo pipefail
+
       source hack/ec-checks.sh
-      $(build_tasks_dir build_tasks-ec)
-      $(all_tasks_dir all_tasks-ec)
+
+      build_tasks_dir build_tasks-ec
+      all_tasks_dir all_tasks-ec
+      stepactions_dir stepactions-ec
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
     image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
@@ -49,5 +54,19 @@ spec:
       policy='./policies/build-tasks.yaml'
 
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
+  - name: validate-step-actions
+    workingDir: "$(workspaces.source.path)/source"
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    script: |
+      #!/bin/bash
+      set -euo pipefail
+
+      # Generate array of file parameters, e.g. --file=foo.yaml --file=bar.yaml
+      readarray -d '' args < <(find stepactions -name '*.yaml' -printf '--file=%p\0')
+      echo "[DEBUG] Files parameter: ${args[*]}"
+
+      policy='./policies/step-actions.yaml'
+      ec validate input --show-successes --policy "${policy}" --output yaml --strict=true "${args[@]}"
+
   workspaces:
     - name: source

README.md

@@ -135,11 +135,13 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ### Compliance
 
 Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies.
-Currently, there are two policy configurations.
-- The [all-tasks](./policies/all-tasks.yaml) policy
-configuration applies to all Task definitions
-- The [build-tasks](./policies/build-tasks.yaml)
-policy configuration applies only to build Task definitions.
-
-A build Task, i.e., one that produces a
-container image, must abide by both policy configurations.
+Currently, there are three policy configurations.
+
+- The [all-tasks](./policies/all-tasks.yaml) policy configuration applies to all Task definitions.
+- The [build-tasks](./policies/build-tasks.yaml) policy configuration applies only to build Task
+  definitions.
+- The [step-actions](./policies/step-actions.yaml) policy configuration applies to all StepAction
+  definitions.
+
+A build Task, e.g. one that produces a container image, must abide by both `all-tasks` and
+`build-tasks` policy configurations.

hack/ec-checks.sh

@@ -58,3 +58,20 @@ function all_tasks_dir {
     copy_all_task_versions "${task/*\//}" $tasks_dir
  done
 }
+
+function stepactions_dir {
+  if [[ ! -d $1 ]]; then
+    mkdir $1
+  fi
+  local d=$1
+
+  while IFS= read -r -d '' f; do
+      found="$(yq eval '.kind == "StepAction"' "${f}")"
+      [[ ${found} != "true" ]] && continue
+      # Include version in the filename:
+      # stepactions/spam/0.1/spam.yaml -> 0.1-spam.yaml
+      dest="${d}/$(printf "${f}" | cut -d/ -f3- | sed 's_/_-_g')"
+      echo "[DEBUG] Copying ${f} to ${dest}"
+      cp "${f}" "${dest}"
+  done < <(find stepactions -name '*.yaml' -print0)
+}

policies/step-actions.yaml

@@ -0,0 +1,16 @@
+---
+# These policies are meant to be applied to all of the Tasks in this repo.
+sources:
+  - policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/stepaction
+    data:
+      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        - stepaction.image
+        - stepaction.kind
+        # Support legacy matchers for now
+        - image
+        - kind