Add EC checks for StepActions

lcarva · lcarva · commit e94943683bc1 · 2024-11-26T11:19:09.000-05:00
Ref: https://issues.redhat.com/browse/EC-1010 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
@@ -49,5 +49,19 @@ spec:
       policy='./policies/build-tasks.yaml'
 
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
+  - name: validate-step-actions
+    workingDir: "$(workspaces.source.path)/source"
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+    script: |
+      #!/bin/bash
+      set -euo pipefail
+
+      shopt -s globstar
+      readarray -t args < <(yq -r 'select(.kind == "StepAction") | "--file=" + filename' stepactions/**/*.yaml)
+      echo "[DEBUG] Files parameter: ${args[*]}"
+
+      policy='./policies/step-actions.yaml'
+      ec validate input --show-successes --policy "${policy}" --output yaml --strict=true "${args[@]}"
+
   workspaces:
     - name: source
diff --git a/README.md b/README.md
@@ -135,11 +135,13 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ### Compliance
 
 Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies.
-Currently, there are two policy configurations.
-- The [all-tasks](./policies/all-tasks.yaml) policy
-configuration applies to all Task definitions
-- The [build-tasks](./policies/build-tasks.yaml)
-policy configuration applies only to build Task definitions.
-
-A build Task, i.e., one that produces a
-container image, must abide by both policy configurations.
+Currently, there are three policy configurations.
+
+- The [all-tasks](./policies/all-tasks.yaml) policy configuration applies to all Task definitions.
+- The [build-tasks](./policies/build-tasks.yaml) policy configuration applies only to build Task
+  definitions.
+- The [step-actions](./policies/step-actions.yaml) policy configuration applies to all StepAction
+  definitions.
+
+A build Task, e.g. one that produces a container image, must abide by both `all-tasks` and
+`build-tasks` policy configurations.
diff --git a/policies/step-actions.yaml b/policies/step-actions.yaml
@@ -0,0 +1,16 @@
+---
+# These policies are meant to be applied to all of the Tasks in this repo.
+sources:
+  - policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/stepaction
+    data:
+      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
+    config:
+      include:
+        - stepaction.image
+        - stepaction.kind
+        # Support legacy matchers for now
+        - image
+        - kind
