Merge pull request #1216 from simonbaird/rhtap-build-type-refactor

Small refactor in preparation for RHTAP multi-ci
enterprise-contract · Nov 7, 2024 · a1a28ad · a1a28ad
2 parents 09e1dd5 + 416dc7c
commit a1a28ad
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 8 deletions.
diff --git a/policy/release/lib/attestations.rego b/policy/release/lib/attestations.rego
@@ -84,17 +84,20 @@ taskrun_attestations := [att |
 	att.statement.predicate.buildType in taskrun_att_build_types
 ]
 
-# For attestations created using an RHTAP Jenkins build pipeline. See also:
+# For attestations created using an RHTAP build pipeline. See also:
 # - https://github.com/redhat-appstudio/tssc-sample-jenkins
 # - https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci/source-repo/jenkins
 # - https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci/gitops-template/jenkins
+# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-jenkins.sh
+# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-github.sh
+# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-gitlab.sh
 #
-rhtap_jenkins_build_type := "https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1"
+rhtap_build_type(rhtap_ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [rhtap_ci_type])
 
-rhtap_jenkins_attestations := [att |
+rhtap_attestations(rhtap_ci_type) := [att |
 	some att in input.attestations
 	att.statement.predicateType == slsa_provenance_predicate_type_v1
-	att.statement.predicate.buildDefinition.buildType == rhtap_jenkins_build_type
+	att.statement.predicate.buildDefinition.buildType == rhtap_build_type(rhtap_ci_type)
 ]
 
 tasks_from_pipelinerun := [task |

diff --git a/policy/release/lib/attestations_test.rego b/policy/release/lib/attestations_test.rego
@@ -416,3 +416,10 @@ test_result_values if {
 
 	not lib.result_values(123)
 }
+
+test_rhtap_build_type if {
+	lib.assert_equal(
+		"https://redhat.com/rhtap/slsa-build-types/bacon-build/v1",
+		lib.rhtap_build_type("bacon"),
+	)
+}
diff --git a/policy/release/rhtap_jenkins/rhtap_jenkins.rego b/policy/release/rhtap_jenkins/rhtap_jenkins.rego
@@ -29,8 +29,8 @@ import data.lib
 #   - rhtap-jenkins
 #
 deny contains result if {
-	count(lib.rhtap_jenkins_attestations) < 1
-	result := lib.result_helper(rego.metadata.chain(), [lib.rhtap_jenkins_build_type])
+	count(_rhtap_attestations) < 1
+	result := lib.result_helper(rego.metadata.chain(), [_rhtap_build_type])
 }
 
 # METADATA
@@ -51,15 +51,21 @@ deny contains result if {
 #
 deny contains result if {
 	attestations_with_invocation_id := {att |
-		some att in lib.rhtap_jenkins_attestations
+		some att in _rhtap_attestations
 		invocation_id := att.statement.predicate.runDetails.metadata.invocationID
 		trim_space(invocation_id) != ""
 	}
 
 	# We're expecting just one attestation, but if there are multiple let's apply this check
 	# to all of them. Note that we don't produce a violation if lib.rhtap_jenkins_attestations
 	# has zero length. (The 'attestation_found' violation defined above would be produced.)
-	count(attestations_with_invocation_id) != count(lib.rhtap_jenkins_attestations)
+	count(attestations_with_invocation_id) != count(_rhtap_attestations)
 
 	result := lib.result_helper(rego.metadata.chain(), [])
 }
+
+_rhtap_attestations := lib.rhtap_attestations(_rhtap_ci_type)
+
+_rhtap_build_type := lib.rhtap_build_type(_rhtap_ci_type)
+
+_rhtap_ci_type := "jenkins"