Merge pull request #40 from lcarva/HACBS-2657

Add redhat-no-hermetic config

README.md

@@ -36,6 +36,17 @@ Includes the full set of rules and policies required internally by Red Hat when
   * Github URL: `https://github.com/redhat-appstudio/build-definitions`
   * Path in repository: [`pipelines/enterprise-contract-redhat.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-redhat.yaml)
 
+### Red Hat No Hermetic
+
+Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds.
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//redhat-no-hermetic`
+* Source: [redhat-no-hermetic/policy.yaml](https://github.com/enterprise-contract/config/blob/main/redhat-no-hermetic/policy.yaml)
+* Collections: [@redhat](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#redhat)
+* RHTAP Integration Test pipeline definition:
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract-redhat-no-hermetic.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-redhat-no-hermetic.yaml)
+
 ### SLSA3
 
 Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.

redhat-no-hermetic/policy.yaml

@@ -0,0 +1,44 @@
+#
+# To use this policy with the ec command line:
+#   ec validate image \
+#     --image $IMAGE \
+#     --public-key key.pub \
+#     --policy github.com/enterprise-contract/config//redhat-no-hermetic
+#
+# To use with an RHTAP Enterprise Contract Integration Test CR:
+#   ...
+#   spec:
+#     params:
+#     - name: POLICY_CONFIGURATION
+#       value: github.com/enterprise-contract/config//redhat-no-hermetic
+#     ...
+#
+description: >-
+  Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds.
+  Available collections are defined in
+  https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections.
+  If a different policy configuration is desired, this resource can serve as a starting point.
+  See the docs on how to include and exclude rules
+  https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.
+
+publicKey: "k8s://openshift-pipelines/public-key"
+
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/release
+    data:
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
+
+configuration:
+  include:
+    - '@redhat'
+
+  exclude:
+    # Exclude step_image_registries for now since it can cause false
+    # positives due to https://issues.redhat.com/browse/OCPBUGS-8428
+    - hermetic_build_task
+    - tasks.required_tasks_found:prefetch-dependencies
+    - step_image_registries

src/data.json

@@ -21,6 +21,13 @@
     "include": ["@redhat"],
     "exclude": []
   },
+  {
+    "name": "redhat-no-hermetic",
+    "description": "Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds.",
+    "environment": "rhtap",
+    "include": ["@redhat"],
+    "exclude": ["hermetic_build_task", "tasks.required_tasks_found:prefetch-dependencies"]
+  },
   {
     "name": "slsa1",
     "description": "Rules specifically related to levels 1 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.",