
Pin the policy bundle by modifying the ECP in tekton tasks #3268

Draft
simonbaird wants to merge 3 commits into conforma:main from simonbaird:policy-with-bundle-pin

Conversation

@simonbaird
Member

@coderabbitai

coderabbitai Bot commented Apr 30, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fe68d63d-8862-4ddd-a223-7f07a1f0a8ee

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Adds support for pinning OCI policy bundle digests to Tekton tasks that validate enterprise contracts and Konflux workflows. Introduces a new helper script to resolve policy configurations and replace floating policy bundle tags with digest-pinned references.

Changes

Policy Bundle Digest Pinning

| Layer / File(s) | Summary |
| --- | --- |
| Core Script: hack/pin-konflux-policy-bundle.sh | New bash script resolves policy configuration (JSON, file, or Kubernetes resource) and replaces oci::quay.io/conforma/release-policy:konflux with a digest-pinned reference; outputs modified policy to ${HOME}/policy-with-pinned-bundle.yaml. |
| Digest Management Utility: hack/update-policy-digest-in-tasks.sh | Updated to compute current image manifest digest, extract existing digest defaults from tasks, compare old vs. new values, and perform in-place substitution across task YAMLs, docs, and test fixtures with strict error handling. |
| Task Parameter & Steps: tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml, tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml | Both tasks add POLICY_BUNDLE_DIGEST parameter with default digest; insert pin-policy-bundle step before validation; update validate step to use pinned policy file when present. |
| Container Images: Dockerfile, Dockerfile.dist, acceptance/kubernetes/kind/acceptance.Dockerfile | Runtime stages copy hack/pin-konflux-policy-bundle.sh to /usr/local/bin/ alongside existing binaries and helper scripts. |
| Documentation: docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc, docs/modules/ROOT/pages/verify-enterprise-contract.adoc | Added POLICY_BUNDLE_DIGEST parameter documentation describing digest-pin behavior, format, and default value. |
| Tests / Features: features/task_validate_image.feature | Extended "Golden container image" scenario with snapshot assertions for new pin-policy-bundle step, report, task results, and show-config step; added snapshot checks to "Pin policy bundle digest" scenario. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding functionality to pin the policy bundle digest in Tekton tasks to ensure reproducible policy evaluation. |
| Description check | ✅ Passed | The description references a Jira ticket (EC-1790) that provides context for pinning the policy bundle in Tekton tasks, directly relating to the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@codecov

codecov Bot commented Apr 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

| Flag | Coverage Δ |
| --- | --- |
| acceptance | 55.59% <ø> (ø) |
| generative | 17.82% <ø> (ø) |
| integration | 26.56% <ø> (ø) |
| unit | 69.03% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


simonbaird added a commit to simonbaird/konflux-build-definitions that referenced this pull request May 1, 2026
It's a long story, but we want to reduce the number of moving parts
related to updating Conforma in Red Hat Konflux. Being able to pin
the policy bundle when building the Conforma tasks means we can
reduce breakages related to old incompatible versions of the cli
being used with the latest policy bundle.

See also the related PR at conforma/cli#3268

Ref: https://redhat.atlassian.net/browse/EC-1790
simonbaird added a commit to simonbaird/konflux-build-definitions that referenced this pull request May 6, 2026
It's a long story, but we want to reduce the number of moving parts
related to updating Conforma in Red Hat Konflux. Being able to pin
the policy bundle when building the Conforma tasks means we can
reduce breakages related to old incompatible versions of the cli
being used with the latest policy bundle.

See also the related PR at conforma/cli#3268

Ref: https://redhat.atlassian.net/browse/EC-1790
Co-authored-by: Claude Code <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the policy-with-bundle-pin branch from d1cbab1 to e75a8c6 Compare May 7, 2026 20:01
@github-actions github-actions Bot added size: XL and removed size: L labels May 7, 2026
@simonbaird
Member Author

/retest

@simonbaird simonbaird force-pushed the policy-with-bundle-pin branch from e75a8c6 to ecd2dde Compare May 8, 2026 15:10
@simonbaird simonbaird marked this pull request as ready for review May 8, 2026 15:24
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/pin-konflux-policy-bundle.sh`:
- Around line 27-34: The check for an empty digest fails under set -o nounset
because expanding ${POLICY_BUNDLE_DIGEST} errors if the variable is unset;
update the test that reads [[ -z "${POLICY_BUNDLE_DIGEST}" ]] to use parameter
expansion with a default (e.g. ${POLICY_BUNDLE_DIGEST:-}) so the -z check can
run safely even when POLICY_BUNDLE_DIGEST is unset, leaving the rest of the
no-op exit logic unchanged.
- Around line 53-65: The parsing treats any string with "/" as a k8s
namespace/name; change the detection around POLICY_CONFIGURATION (the if [[
"${POLICY_CONFIGURATION}" == *"/"* ]] branch that sets NAMESPACE and NAME and
calls kubectl get enterprisecontractpolicy) so it only treats true k8s ECP refs
as namespace/name—e.g. require exactly one slash and reject inputs that look
like URLs (contain "://" or "//" or domain dots) or otherwise match git-style
paths; if the check fails, skip the kubectl path and continue with the non-k8s
handling that avoids pinning into WORKING_POLICY. Ensure references to
POLICY_CONFIGURATION, NAMESPACE, NAME, and WORKING_POLICY remain but tighten the
conditional logic around the kubectl get calls.

In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`:
- Around line 345-352: The pin-policy-bundle step currently hard-fails if
pin-konflux-policy-bundle.sh exits non‑zero; update the pin-policy-bundle step
(the container using image quay.io/conforma/cli:latest with envs
POLICY_CONFIGURATION and POLICY_BUNDLE_DIGEST) so the command does not abort the
Task on failure (e.g. run the script under a shell that swallows non‑zero exit
like "sh -c 'pin-konflux-policy-bundle.sh || true'" or modify the script to exit
0 on handled errors) so the later validate/fallback logic can execute and select
the original policy configuration when pinning fails.

In `@tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml`:
- Around line 291-305: The pin step (name: pin-policy-bundle, command:
pin-konflux-policy-bundle.sh) must not stop the Task on failures so the fallback
validate step can run; update that step to be non-blocking by adding Tekton's
continueOnError: true to the step spec (or, if your runtime doesn't support
continueOnError, make the command tolerant to failure e.g. wrap/chain the script
with "|| true") so failures in pin-konflux-policy-bundle.sh do not abort the
Task and the subsequent validate logic still executes.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: ed675d0a-c8ea-41db-a0c3-57e0088a8f89

📥 Commits

Reviewing files that changed from the base of the PR and between f678eda and ecd2dde.

⛔ Files ignored due to path filters (1)
  • features/__snapshots__/task_validate_image.snap is excluded by !**/*.snap
📒 Files selected for processing (10)
  • Dockerfile
  • Dockerfile.dist
  • acceptance/kubernetes/kind/acceptance.Dockerfile
  • docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc
  • docs/modules/ROOT/pages/verify-enterprise-contract.adoc
  • features/task_validate_image.feature
  • hack/pin-konflux-policy-bundle.sh
  • hack/update-policy-digest-in-tasks.sh
  • tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
  • tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
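
The two script-level points in the review above (a `-z` check that survives `set -o nounset`, and a stricter test for namespace/name ECP references before anything is handed to kubectl), as an added POSIX sh example; this is not conforma's hack/pin-konflux-policy-bundle.sh, and the function names, the DNS-label regex, and the sample policy and digest are assumptions constructed for the example.

```shell
# Added example, not conforma's hack/pin-konflux-policy-bundle.sh. It shows the
# two script-level fixes the review asks for: an empty-digest check that is safe
# under "set -u" (nounset), and a stricter test for namespace/name ECP references
# so git-style or URL policy sources are never sent to kubectl.
set -eu

BUNDLE_TAG='oci::quay.io/conforma/release-policy:konflux'
BUNDLE_REPO='oci::quay.io/conforma/release-policy'

# True only for a bare Kubernetes namespace/name pair: exactly one "/", no
# scheme, no "//", no dots, DNS-label characters on both sides (assumed rule).
is_k8s_ecp_ref() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?/[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Classify a POLICY_CONFIGURATION value before deciding how to resolve it:
# inline JSON, a file path, a k8s EnterpriseContractPolicy ref, or "other"
# (git-style paths and URLs, which must skip the kubectl branch).
classify_policy_config() {
  case "$1" in
    '{'*) echo json ;;
    *) if [ -f "$1" ]; then echo file
       elif is_k8s_ecp_ref "$1"; then echo k8s
       else echo other
       fi ;;
  esac
}

# Replace the floating :konflux tag with an @sha256 digest reference.
# "${2:-}" makes the -z check valid under nounset when no digest is passed;
# an empty digest is a no-op, a malformed digest is rejected (return 1).
pin_bundle() {
  pin_policy=$1
  pin_digest=${2:-}
  if [ -z "$pin_digest" ]; then
    printf '%s\n' "$pin_policy"
    return 0
  fi
  printf '%s\n' "$pin_digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  printf '%s\n' "$pin_policy" | sed "s|$BUNDLE_TAG|$BUNDLE_REPO@$pin_digest|g"
}

# Constructed sample input: a minimal ECP spec and a made-up digest.
SAMPLE_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_POLICY='sources:
- policy:
  - oci::quay.io/conforma/release-policy:konflux'

pin_bundle "$SAMPLE_POLICY" "$SAMPLE_DIGEST"
```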

@simonbaird
Member Author

I'll do some coderabbit fixes.

@simonbaird simonbaird marked this pull request as draft May 8, 2026 16:12
simonbaird and others added 2 commits May 8, 2026 12:23
Add optional POLICY_BUNDLE_DIGEST parameter to both conforma Tekton
tasks. When provided, the policy configuration is resolved and the
oci::quay.io/conforma/release-policy:konflux tag reference is replaced
with a digest-pinned reference for reproducible policy evaluation.

The reason we want to do this is the same tekton task uses the same
policy always, to avoid unexpected cli/policy incompatibilities.

As mentioned elsewhere, this is quite Red Hat Konflux-specific, and
quite an unpleasant hack, but we're choosing an uncoupled,
easy-to-delete hack over alternative options.

Ref: https://redhat.atlassian.net/browse/EC-1790
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the policy-with-bundle-pin branch from ecd2dde to c6c7fb1 Compare May 8, 2026 16:23
I'm imagining running this manually to begin with, but we might want
to automate it and have it triggered on a policy bundle push.

Ref: https://redhat.atlassian.net/browse/EC-1790
Co-authored-by: Claude Code <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the policy-with-bundle-pin branch from c6c7fb1 to 48069b1 Compare May 8, 2026 16:44