Seed new trusted task data#218

Draft
simonbaird wants to merge 1 commit into
release-engineering:mainfrom
simonbaird:seed-new-trusted-task-data

Conversation

@simonbaird

@simonbaird simonbaird commented May 8, 2026

Contributor

Note that merging this will immediately cause the new trusted task mechanism to go live for everyone. There will be an announcement email sent to let people know about the change. At this stage the plan is to merge it on June 30 July 7, but we'll coordinate with @joejstuart for the final go ahead.

Update: Actually once conforma/policy#1758 reaches RH Konflux production, this can be merged more safely, but it will take some time for that change to be merged and promoted all the way to production via konflux-ci/release-service-catalog#2313, hence this remains in draft for a while longer.

To test this right now, do something like this in your ECP:

 sources:
   - data:
-     - github.com/conforma/rhtap-ec-policy//data
+     - github.com/simonbaird/rhtap-ec-policy//data?ref=seed-new-trusted-task-data
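Review bot: the `+` line repoints the ECP's trusted task data at a personal fork on a mutable branch ref (`github.com/simonbaird/rhtap-ec-policy//data?ref=seed-new-trusted-task-data`), so the data an ECP evaluates against can change between runs and is no longer the `release-engineering`-owned source; that is fine for the test described here, but the snippet should say explicitly that the `-` line (`github.com/conforma/rhtap-ec-policy//data`) must be restored before the ECP is used for anything beyond trying out this branch.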

Ref: https://redhat.atlassian.net/browse/EC-1542

@simonbaird

Contributor Author

Based on, and likely superseding #195 and #209 .

@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from f134666 to a48b908 on June 4, 2026 19:34
@simonbaird simonbaird changed the title from "WIP DNM: Seed new trusted task data" to "Seed new trusted task data" on Jun 4, 2026
@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from a48b908 to e8a2cd0 on June 4, 2026 20:00
@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from e8a2cd0 to 5376ed4 on June 4, 2026 20:32
Comment thread data/trusted_task_rules.yaml Outdated
Comment on lines +14 to +16
# Konflux task catalogs for tasks not maintained in build-definitions
- pattern: oci://quay.io/konflux-ci/integration-service-catalog/task-*
- pattern: oci://quay.io/konflux-ci/konflux-vanguard/*


I don't think we should allow these, the intent is for all Konflux tasks to be in konflux-ci/tekton-catalog

I believe the integration and vanguard teams have corrected their release configuration.

@chmeliik chmeliik Jun 5, 2026


I believe the integration and vanguard teams have corrected their release configuration.

@dirgim @yftacherzog could you confirm?

Contributor Author


Okay cool, if everything is in one place, I think it's a good thing.

Contributor Author


Leaving this in draft until we can confirm all the tasks are now in the one tekton catalog.



Vanguard external task is under quay.io/konflux-ci/tekton-catalog.

Contributor Author


Seems like the integration-service-catalog tasks are also consolidated into tekton-catalog. I'll go ahead and simplify so we have just one tekton-catalog.

(This might impact users who are still using the other catalogs, so we should give some extra time for people to prepare.)

Comment thread data/trusted_task_rules.yaml Outdated
# Found in quay.io/konflux-ci/ose-osc-tenant/data-acceptable-bundles
# (Probably should be moved out of here and placed in the appropriate
# ECP since I assume it's for one specific team.)
- oci://quay.io/konflux-ci/ose-osc-tenant/build-dm-verity-image-task



(Probably should be moved out of here and placed in the appropriate ECP since I assume it's for one specific team.)

+1

Contributor Author


Cool, I'll take this out in next revision.

Comment thread data/trusted_task_rules.yaml
@joejstuart

joejstuart commented Jun 10, 2026

Contributor

Found a bug in the policy code for matching git resolvers - conforma/policy#1743

@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from 5376ed4 to 899299c on June 11, 2026 16:11
simonbaird added a commit to conforma/rhtap-ec-policy that referenced this pull request Jun 11, 2026
We're still in the conforma/trusted-task-bundle branch for testing
purposes only. This commit should not be in main branch ever. Should
be thrown away eventually.
@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch 5 times, most recently from 017ac44 to 8c8a028 on June 18, 2026 19:49
@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from 8c8a028 to b0c33a5 on June 18, 2026 19:56
@simonbaird

simonbaird commented Jun 18, 2026

Contributor Author

If #232 is merged, then this can be rebased. Currently it includes all the changes from #232 .

Update: Done.

@simonbaird

Contributor Author

See also this announcement.

@simonbaird

Contributor Author

After some discussion today: We'd prefer it if this could be merged without it immediately cutting over to the new trusted task mechanism. Also this would make it easier to prepare the custom trusted task data needed for the teams who already have their own custom trusted tasks. conforma/policy#1758 is designed to enable that.

Once that policy change is merged and deployed to production, it is safe to merge this PR ahead of the announced changeover schedule.

Add two new rule data files `data/trusted_task_rules.yaml` with an allow
rule that trusts all tasks from the known Konflux task catalogs.

Also add a `data/trusted_task_rules_deprecated.yaml` for some
additional deprecated tasks that we want to allow for a little while
longer.

The bash script was used to generate the deny rule data. It's not
useful from here on, but I'm checking it in so we can see how this data
was generated. Also it might be adapted later into a script that can
handle the ongoing maintenance of this file.

Ref: https://issues.redhat.com/browse/EC-1539
Assisted-by: Claude Code <noreply@anthropic.com>
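A small checker that exercises the catalog patterns quoted in the review thread above and the allow-rule data described in this commit message. This is an added example, not code from conforma/rhtap-ec-policy or the conforma policy engine; it assumes that a rule's `pattern:` is a shell-style glob over the task's repository path and that the deprecated file is a plain list of exact repository paths (neither is stated on this page), and it also reports which refs lose trust once the extra catalogs are dropped, the user impact noted in the thread.

```python
"""Check Tekton task bundle refs against trusted-task allow rules.
Added example, not code from conforma/rhtap-ec-policy or the policy engine.
Assumed (the PR does not say): `pattern:` is a shell-style glob over the
task's repository path (tag/digest stripped); the deprecated file is a
plain list of exact repository paths."""
from fnmatch import fnmatchcase

# Constructed rule sets: BEFORE mirrors the catalog patterns quoted in the
# review thread, AFTER is the consolidated single tekton-catalog rule.
RULES_BEFORE = [
    "oci://quay.io/konflux-ci/tekton-catalog/task-*",
    "oci://quay.io/konflux-ci/integration-service-catalog/task-*",
    "oci://quay.io/konflux-ci/konflux-vanguard/*",
]
RULES_AFTER = ["oci://quay.io/konflux-ci/tekton-catalog/task-*"]
# Constructed stand-in for trusted_task_rules_deprecated.yaml.
DEPRECATED = ["oci://quay.io/konflux-ci/ose-osc-tenant/build-dm-verity-image-task"]

def repository_of(ref):
    """Strip '@sha256:...' and the ':tag' of the final path component."""
    without_digest = ref.split("@", 1)[0]
    head, sep, last = without_digest.rpartition("/")
    return head + sep + last.split(":", 1)[0]

def is_trusted(ref, patterns, deprecated=DEPRECATED):
    """Return (trusted, reason): the matching pattern, 'deprecated', or None."""
    repo = repository_of(ref)
    if repo in deprecated:
        return True, "deprecated"
    for pattern in patterns:
        if fnmatchcase(repo, pattern):
            return True, pattern
    return False, None

def newly_untrusted(task_refs, before=RULES_BEFORE, after=RULES_AFTER):
    """Refs trusted by the old rules but not the new: users still pulling
    from a removed catalog, who need time to prepare."""
    return [r for r in task_refs
            if is_trusted(r, before)[0] and not is_trusted(r, after)[0]]

# Constructed sample refs (task name and digest are made up).
SAMPLE_REFS = [
    "oci://quay.io/konflux-ci/tekton-catalog/task-example:0.1@sha256:" + "ab" * 32,
    "oci://quay.io/konflux-ci/integration-service-catalog/task-example:0.1",
    "oci://quay.io/konflux-ci/ose-osc-tenant/build-dm-verity-image-task:0.1",
    "oci://quay.io/someone-else/tekton-catalog/task-example:0.1",
]

if __name__ == "__main__":
    print("newly untrusted after consolidation:", newly_untrusted(SAMPLE_REFS))
```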
@simonbaird simonbaird force-pushed the seed-new-trusted-task-data branch from b0c33a5 to d41a33a on June 23, 2026 19:28
@joejstuart

Contributor

We can merge this after 7/6
