feat(EC-1797): support version constraints for git resolver task references #1741
Code Review by Qodo
No actionable comments were generated in the recent review.
Walkthrough: This PR extends trusted task version evaluation to extract task versions from git repository paths when manifest annotations are unavailable. New helpers parse Tekton catalog-style paths and integrate fallback version selection into existing semver constraint evaluation, with comprehensive test coverage for allow/deny/fail-closed scenarios.
Changes: Git path version extraction and constraint integration
Codecov Report: All modified and coverable lines are covered by tests.
Actionable comments posted: 1
Inline comments:
In `@policy/lib/tekton/trusted.rego`:
- Around line 591-598: The helper `_get_git_path_version` currently only checks the third segment for a version; update it to validate the full catalog path shape (type/name/version/filename) before returning a version: ensure `ref.pathInRepo` is non-empty, `split(path, "/")` yields at least 4 parts, `parts[0]` (type) and `parts[1]` (name) are non-empty, and `parts[2]` matches the version regex; only then set and return `version` from `parts[2]` in `_get_git_path_version`.
Files selected for processing (2):
- policy/lib/tekton/trusted.rego
- policy/lib/tekton/trusted_test.rego
…rences Extract version from git resolver pathInRepo using the Tekton catalog convention (type/name/version/filename). This enables trusted_task_rules version constraints to work with git resolver tasks, not just OCI bundles. A unified _get_task_version function chains OCI manifest annotation lookup with git path extraction, preserving fail-closed behavior when no version can be determined.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Require >= 4 path segments (type/name/version/filename) instead of 3
- Tighten version regex to max 3 numeric components (rejects 1.2.3.4)
- Add bundle_manifests comment to _get_task_version for consistency
- Add tests for missing filename and 4-component version edge cases

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
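As an added illustration, not the PR's own Rego from policy/lib/tekton/trusted.rego, here is a standalone helper implementing the path-shape check the commit messages describe, plus a fallback chain that stays undefined (fail closed) when no version can be found. The package name, rule names, the exact version regex and the hypothetical `bundle_version` input field are assumptions, and the helper goes one step beyond the page by also requiring a non-empty filename segment.

```rego
package example.tekton.trusted

import rego.v1

# Constructed example: the version segment must be 1 to 3 numeric
# components (accepts "0.9" and "1.2.3", rejects "1.2.3.4"); the exact
# regex is an assumption, not the project's.
version_pattern := `^[0-9]+(\.[0-9]+){0,2}$`

# Extract the version from a git resolver pathInRepo laid out in the Tekton
# catalog convention type/name/version/filename. The rule is undefined unless
# the whole shape holds, so every caller fails closed on odd paths.
git_path_version(path) := version if {
	path != ""
	parts := split(path, "/")
	count(parts) >= 4
	parts[0] != "" # type, e.g. "task"
	parts[1] != "" # name, e.g. "git-clone"
	regex.match(version_pattern, parts[2])
	parts[3] != "" # filename; stricter than the page, rejects "task/x/0.9/"
	version := parts[2]
}

# Fallback chain: a bundle annotation wins when present, otherwise the git
# path; undefined when neither yields a version. `bundle_version` is a
# hypothetical input field used only in this example.
task_version(ref) := ref.bundle_version if {
	ref.bundle_version != ""
} else := git_path_version(ref.pathInRepo)

# Runnable with `opa test`: each rule asserts on a helper's result.
test_catalog_path_accepted if {
	git_path_version("task/git-clone/0.9/git-clone.yaml") == "0.9"
}

test_missing_filename_rejected if {
	not git_path_version("task/git-clone/0.9")
}

test_four_component_version_rejected if {
	not git_path_version("task/git-clone/1.2.3.4/git-clone.yaml")
}

test_fallback_to_git_path if {
	task_version({"pathInRepo": "task/buildah/0.1/buildah.yaml"}) == "0.1"
}

test_fail_closed_without_version if {
	not task_version({"pathInRepo": "task/buildah/latest/buildah.yaml"})
}
```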
Retro: PR #1741 —
Summary
- Extract version from git resolver `pathInRepo` using the Tekton catalog convention (type/name/version/filename)
- Enables `trusted_task_rules` version constraints to work with git resolver tasks, not just OCI bundles
- Adds a unified `_get_task_version` function that chains OCI manifest annotation lookup with git path extraction

Test plan
🤖 Generated with Claude Code