feat(EC-1950): bring test_attestation to feature parity with test package #1765
robnester-rh wants to merge 6 commits into
…kage

Add configurable result values, ERROR/SKIPPED handling, informative test support, subject digest validation, and rule data schema validation to the test_attestation package, matching the capabilities of the test package for OCI-referrer-based test result attestations.

- AC-1: Replace hardcoded result checks with rule_data.get lookups using predicate spec vocabulary (PASSED/FAILED/WARNED/ERROR/SKIPPED)
- AC-2: Add no_erred_test_attestations deny rule
- AC-3: Add no_skipped_test_attestations deny rule
- AC-4: Add informative_test_attestations support (warn not deny)
- AC-5: Add subject_mismatch deny rule with ANY-match semantics
- AC-6: Add rule_data_provided schema validation for all 6 keys
- AC-7: 9 new tests covering all acceptance criteria

Moves subject_digest from private in trust.rego to public in intoto.rego to avoid reimplementing digest format conversion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The attest-test-result step action produces integer count fields (failures, warnings, successes) not string arrays (failedTests, warnedTests, passedTests). Update the policy rules to match:

- Replace _test_list (string array extraction) with _count_detail (integer count formatting) and _has_result (dual check: result string match OR count > 0, following test.rego's _did_result)
- Update all mock test data to use the step action's predicate structure
- Quote failure_msg values containing colons for YAML compatibility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
OPA strict mode requires unused arguments to use _ (wildcard).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🤖 Finished Review · ✅ Success · Started 2:32 PM UTC · Completed 2:51 PM UTC

Review
Findings
Medium
Low

Previous run
Review
Findings
Medium
Low

Labels: PR adds new policy rules and configurable features (enhancement) with corresponding Antora documentation updates (documentation).

- Add doc comment on intoto.subject_digest
- Add test for missing subject field triggering subject_mismatch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fullsend review findings — responses
Medium
Low — addressed in d414a97
Low — acknowledged, no change
🤖 Finished Review · ✅ Success · Started 4:35 PM UTC · Completed 4:46 PM UTC

Summary

Brings the test_attestation package to feature parity with the test package so teams adopting OCI-referrer test result attestations get the same policy rigor as those using embedded TEST_OUTPUT task results.

- no_erred_test_attestations deny rule for ERROR results
- no_skipped_test_attestations deny rule for SKIPPED results

Predicate alignment

Updated to match the actual attest-test-result step action output which uses integer count fields (failures, warnings, successes) rather than string arrays (failedTests, warnedTests). The _has_result helper checks both predicate.result (string match) and count fields (predicate[key] > 0), following test.rego's _did_result pattern.

Test plan

- make quiet-test)
- make conventions-check (needs CI)

🤖 Generated with Claude Code
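
The dual check described under "Predicate alignment", shown as an added Rego example that is not part of the PR or the policy repository: a predicate whose result string says PASSED while its failures count is above zero is still denied. The package name, rule names, the failed_results set and the input.predicates shape are assumptions; only the result and failures fields come from the description above.

```rego
# Added illustration, not the policy repository's code. The package name,
# rule names, failed_results and input.predicates are hypothetical; only the
# predicate fields (result, failures) come from the PR description.
package example.test_attestation

import rego.v1

# Constructed stand-in for the configurable list of failing result values.
failed_results := {"FAILED"}

# Branch 1: the result string is one of the configured values.
has_result(predicate, results, _) if predicate.result in results

# Branch 2: the integer count field is above zero. is_number guards against
# a string such as "0", which Rego would otherwise order above any number.
has_result(predicate, _, count_key) if {
	is_number(predicate[count_key])
	predicate[count_key] > 0
}

# One violation per predicate that reports a failure through either branch.
deny contains msg if {
	some i, predicate in input.predicates
	has_result(predicate, failed_results, "failures")
	msg := sprintf("predicate %d: result=%v failures=%v", [
		i,
		object.get(predicate, "result", "unset"),
		object.get(predicate, "failures", 0),
	])
}

# Constructed input: result claims PASSED while the count says otherwise.
test_count_contradicts_result if {
	count(deny) == 1 with input as {"predicates": [{"result": "PASSED", "failures": 2}]}
}

# Constructed input: a consistent pass produces no violation.
test_consistent_pass if {
	count(deny) == 0 with input as {"predicates": [{"result": "PASSED", "failures": 0, "successes": 5}]}
}

# Constructed input: FAILED with no count field is still caught by branch 1.
test_result_without_count if {
	count(deny) == 1 with input as {"predicates": [{"result": "FAILED"}]}
}
```

The embedded test_ rules run with `opa test` pointed at the file.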