Add GitHub config

https://issues.redhat.com/browse/HACBS-2581

Signed-off-by: Luiz Carvalho <[email protected]>

Makefile

@@ -5,22 +5,30 @@ _default: all
 DATA_JSON=src/data.json
 
 POLICY_TEMPLATE=src/policy.yaml.tmpl
+POLICY_RHTAP_TEMPLATE='src/policy-rhtap.yaml.tmpl'
+POLICY_GITHUB_TEMPLATE='src/policy-github.yaml.tmpl'
 
 ifndef GOMPLATE
 	GOMPLATE=gomplate
 endif
 
 %/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) Makefile
 	@mkdir -p $(*)
-	@env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< > $@
+	@env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< \
+		-t rhtap=$(POLICY_RHTAP_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \
+		> $@
 
 POLICY_FILES=$(shell jq -r '"\(.[].name)/policy.yaml"' src/data.json)
 
 README_TEMPLATE=src/README.md.tmpl
+README_RHTAP_TEMPLATE=src/README-rhtap.md.tmpl
+README_GITHUB_TEMPLATE=src/README-github.md.tmpl
 README_FILE=README.md
 
 $(README_FILE): $(README_TEMPLATE) $(DATA_JSON) Makefile
-	@$(GOMPLATE) -d data=$(DATA_JSON) --file $< > $@
+	@$(GOMPLATE) -d data=$(DATA_JSON) --file $< \
+		-t rhtap=$(README_RHTAP_TEMPLATE) -t github=$(README_GITHUB_TEMPLATE) \
+		> $@
 
 all: $(POLICY_FILES) $(README_FILE)
 

README.md

@@ -1,11 +1,15 @@
 # Enterprise Contract Configuration Files
 
-This repo contains a set of `policy.yaml` files which can be used with
-Enterprise Contract and the Red Hat Trusted Application Pipeline.
+This repo contains a set of `policy.yaml` files which can be used by the [Enterprise Contract
+Command Line Interface](https://github.com/enterprise-contract/ec-cli) with a variety of
+environments.
 
-There is a predefined RHTAP Integration Test pipeline definition for each of
-these configs which can be used when creating an Integration Test in RHTAP as
-per the [documentation
+## Red Hat Trusted Application Pipeline
+
+When using the [Red Hat Trusted Application
+Pipeline](https://developers.redhat.com/products/trusted-software-supply-chain/overview)
+environment, there is a predefined Integration Test pipeline definition for each of the configs in
+this section. They can be used when creating an Integration Test in RHTAP as per the [documentation
 here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/proc_managing-compliance-with-the-enterprise-contract/).
 
 The policy configuration files are:
@@ -18,8 +22,8 @@ Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used
 * Source: [default/policy.yaml](https://github.com/enterprise-contract/config/blob/main/default/policy.yaml)
 * Collections: [@slsa1](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa1), [@slsa2](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa2), [@slsa3](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa3)
 * RHTAP Integration Test pipeline definition:
-    * Github URL: `https://github.com/redhat-appstudio/build-definitions`
-    * Path in repository: [`pipelines/enterprise-contract.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract.yaml)
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract.yaml)
 
 ### Red Hat
 
@@ -29,8 +33,8 @@ Includes the full set of rules and policies required internally by Red Hat when
 * Source: [redhat/policy.yaml](https://github.com/enterprise-contract/config/blob/main/redhat/policy.yaml)
 * Collections: [@redhat](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#redhat)
 * RHTAP Integration Test pipeline definition:
-    * Github URL: `https://github.com/redhat-appstudio/build-definitions`
-    * Path in repository: [`pipelines/enterprise-contract-redhat.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-redhat.yaml)
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract-redhat.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-redhat.yaml)
 
 ### SLSA3
 
@@ -40,8 +44,8 @@ Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic
 * Source: [slsa3/policy.yaml](https://github.com/enterprise-contract/config/blob/main/slsa3/policy.yaml)
 * Collections: [@minimal](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#minimal), [@slsa1](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa1), [@slsa2](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa2), [@slsa3](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#slsa3)
 * RHTAP Integration Test pipeline definition:
-    * Github URL: `https://github.com/redhat-appstudio/build-definitions`
-    * Path in repository: [`pipelines/enterprise-contract-slsa3.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-slsa3.yaml)
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract-slsa3.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-slsa3.yaml)
 
 ### Everything
 
@@ -51,8 +55,21 @@ Include every rule in the default policy source. For experiments only. This is n
 * Source: [everything/policy.yaml](https://github.com/enterprise-contract/config/blob/main/everything/policy.yaml)
 * Collections:
 * RHTAP Integration Test pipeline definition:
-    * Github URL: `https://github.com/redhat-appstudio/build-definitions`
-    * Path in repository: [`pipelines/enterprise-contract-everything.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-everything.yaml)
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract-everything.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-everything.yaml)
+
+## GitHub
+
+Container images built via [GitHub Actions](https://docs.github.com/actions) can be verified with
+the following policy configurations.
+
+### GitHub Default
+
+Rules for container images built via GitHub Workflows.
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//github-default`
+* Source: [github-default/policy.yaml](https://github.com/enterprise-contract/config/blob/main/github-default/policy.yaml)
+* Collections: [@github](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#github)
 
 ## See also
 

github-default/policy.yaml

@@ -0,0 +1,24 @@
+#
+# To use this policy with the ec command line:
+#   ec validate image \
+#     --image $IMAGE \
+#     --public-key key.pub \
+#     --policy github.com/enterprise-contract/config//github-default
+#
+description: >-
+  Rules for container images built via GitHub Workflows.
+
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/release
+    data:
+      - github.com/enterprise-contract/ec-policies//data
+
+configuration:
+  include:
+    - '@github'
+
+  exclude:
+    []

src/README-github.md.tmpl

@@ -0,0 +1,12 @@
+### {{ .name | strings.Title | regexp.Replace "Github" "GitHub" | regexp.Replace "-" " "}}
+
+{{ .description }}
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ .name }}`
+* Source: [{{ .name }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ .name }}/policy.yaml)
+* Collections:{{ $comma := false }}{{ range .include -}}
+  {{- if strings.HasPrefix "@" . -}}
+    {{- if not $comma }}{{ $comma = true }} {{ else }}, {{ end -}}
+    [{{ . }}](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#{{ strings.TrimPrefix "@" . }})
+  {{- end -}}
+{{- end }}

src/README-rhtap.md.tmpl

@@ -0,0 +1,15 @@
+### {{ .name | strings.Title | regexp.Replace "Slsa" "SLSA" | regexp.Replace "Redhat" "Red Hat" | regexp.Replace "Github" "GitHub" | regexp.Replace "-" " "}}
+
+{{ .description }}
+
+* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ .name }}`
+* Source: [{{ .name }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ .name }}/policy.yaml)
+* Collections:{{ $comma := false }}{{ range .include -}}
+  {{- if strings.HasPrefix "@" . -}}
+    {{- if not $comma }}{{ $comma = true }} {{ else }}, {{ end -}}
+    [{{ . }}](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#{{ strings.TrimPrefix "@" . }})
+  {{- end -}}
+{{- end }}
+* RHTAP Integration Test pipeline definition:
+  * Github URL: `https://github.com/redhat-appstudio/build-definitions`
+  * Path in repository: [`pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml)

src/README.md.tmpl

@@ -1,35 +1,36 @@
 # Enterprise Contract Configuration Files
 
-This repo contains a set of `policy.yaml` files which can be used with
-Enterprise Contract and the Red Hat Trusted Application Pipeline.
+This repo contains a set of `policy.yaml` files which can be used by the [Enterprise Contract
+Command Line Interface](https://github.com/enterprise-contract/ec-cli) with a variety of
+environments.
 
-There is a predefined RHTAP Integration Test pipeline definition for each of
-these configs which can be used when creating an Integration Test in RHTAP as
-per the [documentation
+## Red Hat Trusted Application Pipeline
+
+When using the [Red Hat Trusted Application
+Pipeline](https://developers.redhat.com/products/trusted-software-supply-chain/overview)
+environment, there is a predefined Integration Test pipeline definition for each of the configs in
+this section. They can be used when creating an Integration Test in RHTAP as per the [documentation
 here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/proc_managing-compliance-with-the-enterprise-contract/).
 
 The policy configuration files are:
-{{- range ds "data" }}
+{{ range ds "data" }}
 {{- if not (index . "deprecated") }}
+{{- if eq .environment "rhtap" }}
+{{ template "rhtap" . }}
+{{- end -}}
+{{- end -}}
+{{- end }}
+## GitHub
 
-### {{ .name | strings.Title | regexp.Replace "Slsa" "SLSA" | regexp.Replace "Redhat" "Red Hat" }}
-
-{{ .description }}
-
-* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ .name }}`
-* Source: [{{ .name }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ .name }}/policy.yaml)
-* Collections:{{ $comma := false }}{{ range .include -}}
-  {{- if strings.HasPrefix "@" . -}}
-    {{- if not $comma }}{{ $comma = true }} {{ else }}, {{ end -}}
-    [{{ . }}](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#{{ strings.TrimPrefix "@" . }})
-  {{- end -}}
+Container images built via [GitHub Actions](https://docs.github.com/actions) can be verified with
+the following policy configurations.
+{{ range ds "data" }}
+{{- if not (index . "deprecated") }}
+{{- if eq .environment "github" }}
+{{ template "github" . }}
 {{- end }}
-* RHTAP Integration Test pipeline definition:
-    * Github URL: `https://github.com/redhat-appstudio/build-definitions`
-    * Path in repository: [`pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml)
 {{- end -}}
 {{- end }}
-
 ## See also
 
 * [Policy Rule Documentation](https://enterprisecontract.dev/docs/ec-policies/release_policy.html)

src/data.json

@@ -2,46 +2,60 @@
   {
     "name": "default",
     "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new RHTAP applications.",
+    "environment": "rhtap",
     "include": ["@slsa1", "@slsa2", "@slsa3"],
     "exclude": []
   },
   {
     "name": "minimal",
     "description": "Includes a set of basic checks that are expected to pass for all RHTAP builds.",
+    "environment": "rhtap",
     "include": ["@minimal"],
     "exclude": [],
     "deprecated": true
   },
   {
     "name": "redhat",
     "description": "Includes the full set of rules and policies required internally by Red Hat when building Red Hat products.",
+    "environment": "rhtap",
     "include": ["@redhat"],
     "exclude": []
   },
   {
     "name": "slsa1",
     "description": "Rules specifically related to levels 1 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.",
+    "environment": "rhtap",
     "include": ["@minimal", "@slsa1"],
     "exclude": [],
     "deprecated": true
   },
   {
     "name": "slsa2",
     "description": "Rules specifically related to levels 1 & 2 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.",
+    "environment": "rhtap",
     "include": ["@minimal", "@slsa1", "@slsa2"],
     "exclude": [],
     "deprecated": true
   },
   {
     "name": "slsa3",
     "description": "Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.",
+    "environment": "rhtap",
     "include": ["@minimal", "@slsa1", "@slsa2", "@slsa3"],
     "exclude": []
   },
   {
     "name": "everything",
     "description": "Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules.",
+    "environment": "rhtap",
     "include": ["*"],
     "exclude": []
+  },
+  {
+    "name": "github-default",
+    "description": "Rules for container images built via GitHub Workflows.",
+    "environment": "github",
+    "include": ["@github"],
+    "exclude": []
   }
 ]

src/policy-github.yaml.tmpl

@@ -0,0 +1,28 @@
+#
+{{ if index . "deprecated" -}}
+# ** DEPRECATED **
+#
+{{ end -}}
+# To use this policy with the ec command line:
+#   ec validate image \
+#     --image $IMAGE \
+#     --public-key key.pub \
+#     --policy github.com/enterprise-contract/config//{{ .name }}
+#
+description: >-
+  {{ .description }}
+
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/release
+    data:
+      - github.com/enterprise-contract/ec-policies//data
+
+configuration:
+  include:
+    {{ .include | toYAML | strings.Indent 4 | strings.TrimSpace }}
+
+  exclude:
+    {{ .exclude | toYAML | strings.Indent 4 | strings.TrimSpace }}

src/policy-rhtap.yaml.tmpl

@@ -0,0 +1,40 @@
+#
+{{ if index . "deprecated" -}}
+# ** DEPRECATED **
+#
+{{ end -}}
+# To use this policy with the ec command line:
+#   ec validate image \
+#     --image $IMAGE \
+#     --public-key key.pub \
+#     --policy github.com/enterprise-contract/config//{{ .name }}
+#
+# To use with an RHTAP Enterprise Contract Integration Test CR:
+#   ...
+#   spec:
+#     params:
+#     - name: POLICY_CONFIGURATION
+#       value: github.com/enterprise-contract/config//{{ .name }}
+#     ...
+#
+description: >-
+  {{ .description }}
+
+publicKey: "k8s://openshift-pipelines/public-key"
+
+sources:
+  - name: Default
+    policy:
+      - github.com/enterprise-contract/ec-policies//policy/lib
+      - github.com/enterprise-contract/ec-policies//policy/release
+    data:
+      - github.com/enterprise-contract/ec-policies//data
+
+configuration:
+  include:
+    {{ .include | toYAML | strings.Indent 4 | strings.TrimSpace }}
+
+  exclude:
+    # Exclude step_image_registries for now since it can cause false
+    # positives due to https://issues.redhat.com/browse/OCPBUGS-8428
+    {{ .exclude | coll.Append "step_image_registries" | toYAML | strings.Indent 4 | strings.TrimSpace }}