Pin the policy bundle by modifying the ECP in tekton tasks#3268
Pin the policy bundle by modifying the ECP in tekton tasks#3268simonbaird wants to merge 2 commits intoconforma:mainfrom
Conversation
Add optional POLICY_BUNDLE_DIGEST parameter to both conforma Tekton tasks. When provided, the policy configuration is resolved and the oci::quay.io/conforma/release-policy:konflux tag reference is replaced with a digest-pinned reference for reproducible policy evaluation. The reason we want to do this is the same tekton task uses the same policy always, to avoid unexpected cli/policy incompatibilities. As mentioned elsewhere, this is quite Red Hat Konflux-specific, and quite an unpleasant hack, but we're choosing an uncoupled, easy-to-delete hack over alternative options. Ref: https://redhat.atlassian.net/browse/EC-1790 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
| fi | ||
| fi | ||
|
|
||
| ORIGINAL="oci::quay.io/conforma/release-policy:konflux" |
There was a problem hiding this comment.
Does matching the tag provide any value? Also, we're still pushing to quay.io/enterprise-contract/ec-release-policy. Should that be added as well?
There was a problem hiding this comment.
I wanted to match the tag since I think we should support people for whatever reason that deliberately want to use something other than the konflux tag. E.g. if you explicitly use :latest then let's respect that.
I don't think there's any good reason for anyone to still be using quay.io/enterprise-contract, so I'd rather not carry forward support for old deprecated repos.
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
It's a long story, but we want to reduce the number of moving parts related to updating Conforma in Red Hat Konflux. Being able to pin the policy bundle when building the Conforma tasks means we can reduce breakages related to old incompatible versions of the cli being used with the latest policy bundle. See also the related PR at conforma/cli#3268 Ref: https://redhat.atlassian.net/browse/EC-1790
| # Instead of needing to bump this in hundreds of separate ECPs, we'll do | ||
| # it here instead. If you don't want this behavior then provide an empty | ||
| # string value for this param. | ||
| default: "sha256:1b296a925b4021f4b4959ea289596925a8735540e554f3ba7754a651731a216f" |
There was a problem hiding this comment.
If konflux-ci/build-definitions#3490 is merged, then we have the possibility of a slightly nicer way to set this at build time, instead of hard coding it. But I don't think that's a blocker, since the end result is the same.
2 participants
Ref: https://redhat.atlassian.net/browse/EC-1790