Create POC for running existing task policies against a task bundle image#3223

Draft
dheerajodha wants to merge 3 commits into conforma:main from dheerajodha:EC-1683

Conversation

@dheerajodha
Contributor

resolves: EC-1683

dheerajodha and others added 3 commits April 9, 2026 01:02
- Create Rego-based task bundle detection using ec.oci.image_manifest()
- Add task extraction from bundle layers using ec.oci.blob_files()
- Implement basic task validation (kind, apiVersion, steps, etc.)
- Add ECP configuration for testing
- Pure Rego approach - no Go code changes needed

This POC demonstrates running task policies against task bundles at
component-level during 'ec validate image'. Detection, extraction, and
validation are all handled in Rego using existing OCI built-ins.

Related to: EC-1683

- Merge detector/extractor/validator into single task_bundle package
  to avoid "unsupported value" error from EC's rule inspector on
  exported boolean helper rules
- Fix blob extraction: Tekton bundles store tasks as tar entries
  named after the task with no file extension (not task.yaml)
- Use ec.oci.blob_files() with exact task name as path
- Remove package-level METADATA annotation that was incorrectly
  associated with helper rules
- Verified working end-to-end against quay.io/conforma/tekton-task:latest:
  - Detection: found 3 tasks
  - Extraction: all 3 tasks extracted
  - Validation: found real violation (StepAction without image)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Skip step_image check for steps using a StepAction ref instead of an
inline image. Rewrite README to reflect the final single-file architecture.

resolves: EC-1683

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
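The detect/extract/validate flow that the commit messages above describe, written out as one Rego package. This is an added example, not the PR's code and not Conforma's own policy. It assumes that `ec validate image` exposes the image under test as `input.image.ref`, that `ec.oci.image_manifest(ref)` returns the parsed manifest as an object, that `ec.oci.blob_files(ref, paths)` returns an object keyed by path holding the parsed content of the matching tar entries, and that Tekton bundle layers carry the `dev.tekton.image.kind` / `dev.tekton.image.name` annotations. The rule code in `deny` and the sample task at the bottom are constructed for the example.

```rego
# Added example (not the PR's code): detect, extract and validate Tekton Task
# resources from a bundle image using only the ec.oci built-ins.
package task_bundle

import rego.v1

# Assumed input shape and built-in return shapes; see the lead-in.
# Tekton bundle tooling annotates each layer with the resource it holds.
_kind_annotation := "dev.tekton.image.kind"

_name_annotation := "dev.tekton.image.name"

# Repository part of a reference with any tag or digest removed. The tag is
# split off the last path segment only, so a registry port such as
# localhost:5000/repo:tag is left intact.
_repo(ref) := repo if {
	without_digest := split(ref, "@")[0]
	parts := split(without_digest, "/")
	n := count(parts)
	last := split(parts[n - 1], ":")[0]
	repo := concat("/", array.concat(array.slice(parts, 0, n - 1), [last]))
}

# Detection: layers whose kind annotation says they hold a Task.
task_layers contains layer if {
	manifest := ec.oci.image_manifest(input.image.ref)
	some layer in manifest.layers
	lower(layer.annotations[_kind_annotation]) == "task"
}

# Extraction: each layer is a tar whose entry is named after the task with
# no file extension, so the name annotation is the exact path to request.
tasks contains task if {
	some layer in task_layers
	name := layer.annotations[_name_annotation]
	blob_ref := sprintf("%s@%s", [_repo(input.image.ref), layer.digest])
	files := ec.oci.blob_files(blob_ref, [name])
	task := files[name]
}

# Validation over a single Task object, kept free of registry access so it
# can be exercised offline (see example_violations below).
violations_for(task) := result if {
	kind := object.get(task, "kind", "")
	kind_msgs := {m |
		kind != "Task"
		m := sprintf("kind must be Task, got %q", [kind])
	}
	api_msgs := {m |
		not startswith(object.get(task, "apiVersion", ""), "tekton.dev/")
		m := "apiVersion must be in the tekton.dev group"
	}
	steps := object.get(task, ["spec", "steps"], [])
	steps_msgs := {m |
		count(steps) == 0
		m := "spec.steps must not be empty"
	}
	# A step that references a StepAction gets its image from that
	# StepAction, so the inline image check is skipped for it.
	image_msgs := {m |
		some i, step in steps
		not step.ref
		not step.image
		m := sprintf("step %d (%s) has neither image nor StepAction ref", [i, object.get(step, "name", "<unnamed>")])
	}
	result := union({kind_msgs, api_msgs, steps_msgs, image_msgs})
}

# Aggregated result; the rule code is an assumed placeholder.
deny contains result if {
	some task in tasks
	some msg in violations_for(task)
	result := {
		"code": "task_bundle.task_valid",
		"msg": sprintf("%s: %s", [object.get(task, ["metadata", "name"], "<unnamed>"), msg]),
	}
}

# Constructed sample (not from a real bundle): an inline step with an image,
# a StepAction ref without an image, and an inline step missing its image.
_example_task := {
	"apiVersion": "tekton.dev/v1",
	"kind": "Task",
	"metadata": {"name": "example"},
	"spec": {"steps": [
		{"name": "build", "image": "registry.example/builder:1"},
		{"name": "scan", "ref": {"name": "example-scan-stepaction"}},
		{"name": "broken"},
	]},
}

# Only the third step is reported; the StepAction step is skipped.
example_violations := violations_for(_example_task)
```

To check the offline part without a registry, evaluate `data.task_bundle.example_violations` with the `ec` CLI's bundled OPA (`ec opa eval -d task_bundle.rego 'data.task_bundle.example_violations'`, assuming that subcommand registers the `ec.oci.*` built-ins; plain `opa eval` rejects them as undefined functions). Keeping `violations_for` as a function rather than an exported boolean rule also sidesteps the rule-inspector problem the second commit mentions, though that is an assumption about the inspector's behaviour, not something the PR states.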
@coderabbitai

coderabbitai bot commented Apr 9, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 68883d5f-4573-4357-856f-e94c7530cbb8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 55.18% <ø> (+<0.01%) ⬆️
generative 17.90% <ø> (ø)
integration 26.65% <ø> (ø)
unit 69.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.