Skip to content

Fix conventions-check and add collection dependency validation#1677

Merged
st3penta merged 3 commits intoconforma:mainfrom
st3penta:EC-1671
Mar 18, 2026
Merged

Fix conventions-check and add collection dependency validation#1677
st3penta merged 3 commits intoconforma:mainfrom
st3penta:EC-1671

Conversation

@st3penta
Copy link
Copy Markdown
Contributor

@st3penta st3penta commented Feb 25, 2026

⚠️ This pr contains potentially breaking changes

In order to fix collection dependency violations, missing collections were added to four rules:

  • attestation_type.known_attestation_type
    • slsa3
  • attestation_type.pipelinerun_attestation_found
    • slsa3
  • cve.cve_results_found
    • redhat_rpms
  • test.test_data_found
    • redhat_rpms

Fix conventions-check validation

Fixes the conventions-check target in the Makefile, which has been silently failing since #1198, when package names were flattened.

Add collection dependency validation

Introduces a new validation check to ensure that when a policy rule depends on another rule, the dependency is present in all the same collections as the dependent rule. This prevents runtime cases where a rule executes but its dependencies are not evaluated, misleading the user.

Example: if rule A is in [minimal, redhat, slsa3] and depends on rule B, then rule B must be in all three collections

Fix existing collection dependency violations

Adds missing collection annotations discovered by the new validation

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

Ref: https://issues.redhat.com/browse/EC-1671

@st3penta
Add collection dependency validation for policy
05e1330 
Introduces a new validation check to ensure that when a policy rule
depends on another rule, the dependency is present in all the same
collections as the dependent rule. This prevents runtime cases where
a rule executes but its dependencies are not evaluated. misleading the
user

The check validates that dependency collections are a superset of
dependent rule collections. For example, if rule A is in collections
[minimal, redhat, slsa3] and depends on rule B, then rule B must also
be in all three collections.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Ref: https://issues.redhat.com/browse/EC-1671
@codecov
Copy link
Copy Markdown

codecov bot commented Feb 25, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines Coverage Δ
checks/annotations.rego 100.00% <100.00%> (ø)
checks/annotations_test.rego 100.00% <100.00%> (ø)
...icy/release/attestation_type/attestation_type.rego 100.00% <ø> (ø)
policy/release/cve/cve.rego 100.00% <ø> (ø)
policy/release/test/test.rego 100.00% <ø> (ø)

... and 4 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

simonbaird
simonbaird reviewed Mar 5, 2026
View reviewed changes
simonbaird
simonbaird reviewed Mar 5, 2026
View reviewed changes
simonbaird
simonbaird previously approved these changes Mar 5, 2026
View reviewed changes
st3penta added 2 commits March 6, 2026 11:55
@st3penta
Fix conventions-check package names
bdf238b 
The conventions-check validation has been broken since PR 1198
when package names were flattened from policy.release.* to their
current flat structure. The validation was filtering for namespaces
starting with "data.policy" which no longer exist.

This updates the policy_rule_files function to filter by file path
instead of namespace prefix, and removes hardcoded "data.policy.release"
assumptions throughout the validation rules.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Ref: conforma#1198
Ref: https://issues.redhat.com/browse/EC-1671
@st3penta
Fix collection dependency violations
1fe056d 
Adds missing collection annotations to policy rules to satisfy the
dependency collection validation introduced in the previous commit.

These changes ensure that when dependent rules run in these collections,
their dependencies are also evaluated.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Ref: https://issues.redhat.com/browse/EC-1671
@st3penta st3penta enabled auto-merge March 6, 2026 11:05
@st3penta st3penta disabled auto-merge March 6, 2026 11:06
@st3penta st3penta requested a review from simonbaird March 6, 2026 11:06
simonbaird
simonbaird approved these changes Mar 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@simonbaird simonbaird left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm.

@simonbaird
Copy link
Copy Markdown
Member

simonbaird commented Mar 18, 2026

Sorry for the wait.

@st3penta st3penta merged commit b1f08f1 into conforma:main Mar 18, 2026
7 checks passed
@st3penta st3penta deleted the EC-1671 branch March 18, 2026 09:33
simonbaird added a commit to simonbaird/conforma-policy that referenced this pull request Mar 19, 2026
@simonbaird
Remove cve & test checks from redhat_rpms
c4e8ea6 
IIUC there are no test tasks in build pipeline for Konflux rpm
builds, and similarly no CVE scan tasks.

These rules have been harmlessly doing nothing, but when the
`test.test_data_found` and `cve.cve_results_found` checks were added
in PR conforma#1677 violations started being produced.

This change removes those two, but also removes the other related
checks.

Ref: https://redhat.atlassian.net/browse/EC-1708
@simonbaird simonbaird mentioned this pull request Mar 19, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonbaird simonbaird simonbaird approved these changes

Assignees

No one assigned

Labels

size: XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@st3penta @simonbaird