Add trusted task rule data to allow konflux-ci tekton-catalog#195

Draft
Acepresso wants to merge 1 commit into
release-engineering:mainfrom
Acepresso:trusted-task-rules-EC-1539

Conversation

@Acepresso Acepresso commented Dec 10, 2025

Contributor

Add a new trusted_task_rules section to rule_data.yml with an allow rule that trusts all tasks from oci://quay.io/konflux-ci/tekton-catalog/

Do not merge!

Due to the global scope of the change in this PR, we have decided to defer the merge until after the end-of-year break (mid-January). This ensures we have full team capacity to provide support and avoids catching the users by surprise.

Ref: https://issues.redhat.com/browse/EC-1539
Assisted-by: Cursor (using claude-4.5-sonnet)

@Acepresso Acepresso marked this pull request as ready for review December 10, 2025 14:05
@Acepresso Acepresso force-pushed the trusted-task-rules-EC-1539 branch from a823a81 to becf4cf Compare December 10, 2025 14:12
@Acepresso Acepresso marked this pull request as draft December 17, 2025 14:24
@Acepresso

Contributor Author

Due to the global scope of the change in this PR, we have decided to defer the merge until after the end-of-year break (mid-January). This ensures we have full team capacity to provide support and avoids catching the users by surprise.

@joejstuart

Contributor

Hi @Acepresso. I think we want this data in its own file, e.g. data/trusted_task_rules.yaml, with the top-level key being trusted_task_rules. Something like this:

trusted_task_rules:
  allow:
    - name: Implicitly trust all tasks from konflux-ci/tekton-catalog
      pattern: oci://quay.io/konflux-ci/tekton-catalog/*

@Acepresso

Contributor Author

trusted_task_rules

Done.

Add a new rule data file `data/trusted_task_rules.yaml` with an allow
rule that trusts all tasks from oci://quay.io/konflux-ci/tekton-catalog/

Ref: https://issues.redhat.com/browse/EC-1539
Assisted-by: Cursor (using claude-4.5-sonnet)
@Acepresso Acepresso force-pushed the trusted-task-rules-EC-1539 branch from cc56edb to c460cca Compare February 2, 2026 11:34
Comment on lines +1 to +4
trusted_task_rules:
allow:
- name: Implicitly trust all tasks from konflux-ci/tekton-catalog
pattern: oci://quay.io/konflux-ci/tekton-catalog/*

Contributor

If we do it like this then we are more consistent with the other rule data handling, wdyt?

Suggested change
trusted_task_rules:
allow:
- name: Implicitly trust all tasks from konflux-ci/tekton-catalog
pattern: oci://quay.io/konflux-ci/tekton-catalog/*
rule_data:
trusted_task_rules:
allow:
- name: Implicitly trust all tasks from konflux-ci/tekton-catalog
pattern: oci://quay.io/konflux-ci/tekton-catalog/*
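Review bot: the suggested change moves the rules under a new `rule_data:` top-level key, while the earlier review comment asked for `trusted_task_rules` to be the top-level key of `data/trusted_task_rules.yaml`, and the author notes below that the policy lib expects `trusted_task_rules`. Confirm which key path the policy actually reads before applying this, because an allow rule placed at a path the policy never reads has no effect and the tasks it was meant to cover would not be treated as trusted.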

Contributor Author

Yeah, I agree.

Contributor Author

Though the policy lib expects it to be trusted_task_rules; should I change it there?
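As an added illustration (not code from this PR or from the policy library), the following models how the allow rule discussed in this thread might be applied: a task reference counts as trusted only if the rule sits at the key path the policy reads and its pattern matches the reference. Glob-style matching via fnmatch and the key path names are assumptions made here for illustration.

```python
"""Added example (not code from this PR or the EC policy library)."""
from fnmatch import fnmatchcase

# Constructed: the Python form of the YAML proposed in the review thread,
# with trusted_task_rules as the top-level key ...
TOP_LEVEL = {
    "trusted_task_rules": {
        "allow": [
            {
                "name": "Implicitly trust all tasks from konflux-ci/tekton-catalog",
                "pattern": "oci://quay.io/konflux-ci/tekton-catalog/*",
            },
        ]
    }
}

# ... and the "Suggested change" variant, nested under rule_data.
NESTED = {"rule_data": TOP_LEVEL}


def allow_rules(data, key_path=("trusted_task_rules",)):
    """Walk key_path into the rule data and return the allow list.

    An absent path yields [] (assumption: a missing section means no task is
    implicitly trusted), which is exactly the failure mode of a key-path
    mismatch between the data file and what the policy reads.
    """
    node = data
    for key in key_path:
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return list(node.get("allow", []))


def matching_rule(task_ref, rules):
    """Return the name of the first allow rule whose pattern matches, else None.

    fnmatchcase is case-sensitive and '*' spans '/', so the pattern above
    covers every path under the tekton-catalog repository, but not a
    lookalike repository such as '.../tekton-catalog-fork/'.
    """
    for rule in rules:
        if fnmatchcase(task_ref, rule["pattern"]):
            return rule["name"]
    return None


def is_trusted(task_ref, data, key_path=("trusted_task_rules",)):
    """True when task_ref is matched by an allow rule found at key_path."""
    return matching_rule(task_ref, allow_rules(data, key_path)) is not None
```

Running it against both data layouts shows the same allow rule trusting a catalog task when read at the top-level path and having no effect when the data is nested under rule_data but the policy still reads trusted_task_rules.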

st3penta added a commit to st3penta/rhtap-ec-policy that referenced this pull request Mar 26, 2026
Add a new trusted_task_rules section to rule_data.yml with an allow
rule that trusts all tasks from
oci://quay.io/konflux-ci/tekton-catalog/.

Ref: https://issues.redhat.com/browse/EC-1539 (original story)
Ref: release-engineering#195
(original PR)
Ref: https://issues.redhat.com/browse/EC-1540
st3penta added a commit to st3penta/rhtap-ec-policy that referenced this pull request Mar 26, 2026
st3penta added a commit to st3penta/rhtap-ec-policy that referenced this pull request Mar 30, 2026
@simonbaird

Contributor

Replaced by #218.
