Merge pull request #1545 from jorris/ROK-923

Change git branch check from source to target

Author: simonbaird

antora/docs/modules/ROOT/pages/packages/release_git_branch.adoc

@@ -1,6 +1,6 @@
 = Git branch checks Package
 
-Check that the build was done from an expected git branch. The specific branches permitted are specified as a list of regexes in the `allowed_branch_patterns` rule data.
+Check that the build has an expected target git branch. The specific branches permitted are specified as a list of regexes in the `allowed_target_branch_patterns` rule data.
 
 == Package Name
 
@@ -9,12 +9,12 @@ Check that the build was done from an expected git branch. The specific branches
 == Rules Included
 
 [#git_branch__git_branch]
-=== link:#git_branch__git_branch[Only allow builds from a trusted branch]
+=== link:#git_branch__git_branch[Builds have a trusted target branch]
 
-Build must originate from a configured branch pattern (e.g., 'refs/heads/main')
+Build must target a configured branch pattern (e.g., 'c10s')
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `Build is from a branch %s which is not a trusted branch`
+* FAILURE message: `Build target is %s which is not a trusted target branch`
 * Code: `git_branch.git_branch`
 * Effective from: `2025-07-01T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/git_branch/git_branch.rego#L14[Source, window="_blank"]

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -227,7 +227,7 @@ Rules included:
 * xref:packages/release_cve.adoc#cve__unpatched_cve_blockers[CVE checks: Blocking unpatched CVE check]        
 * xref:packages/release_cve.adoc#cve__cve_warnings[CVE checks: Non-blocking CVE check]        
 * xref:packages/release_cve.adoc#cve__rule_data_provided[CVE checks: Rule data provided]        
-* xref:packages/release_git_branch.adoc#git_branch__git_branch[Git branch checks: Only allow builds from a trusted branch]        
+* xref:packages/release_git_branch.adoc#git_branch__git_branch[Git branch checks: Builds have a trusted target branch]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_source_matches_provenance[Provenance Materials: Git clone source matches materials provenance]        
 * xref:packages/release_provenance_materials.adoc#provenance_materials__git_clone_task_found[Provenance Materials: Git clone task found]        
 * xref:packages/release_rpm_pipeline.adoc#rpm_pipeline__invalid_pipeline[RPM Pipeline: Task version invalid_pipeline]        
@@ -364,7 +364,7 @@ cve_leeway:
 a| Verify the attribute .predicate.buildDefinition.externalParameters of a SLSA Provenance v1.0 matches the expectation.
 
 | xref:packages/release_git_branch.adoc[git_branch]
-a| Check that the build was done from an expected git branch. The specific branches permitted are specified as a list of regexes in the `allowed_branch_patterns` rule data.
+a| Check that the build has an expected target git branch. The specific branches permitted are specified as a list of regexes in the `allowed_target_branch_patterns` rule data.
 
 | xref:packages/release_github_certificate.adoc[github_certificate]
 a| Verify attributes on the certificate involved in the image signature when using slsa-github-generator on GitHub Actions with Sigstore Fulcio

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -35,7 +35,7 @@
 **** xref:packages/release_external_parameters.adoc#external_parameters__pipeline_run_params_provided[PipelineRun params provided]
 **** xref:packages/release_external_parameters.adoc#external_parameters__restrict_shared_volumes[Restrict shared volumes]
 *** xref:packages/release_git_branch.adoc[Git branch checks]
-**** xref:packages/release_git_branch.adoc#git_branch__git_branch[Only allow builds from a trusted branch]
+**** xref:packages/release_git_branch.adoc#git_branch__git_branch[Builds have a trusted target branch]
 *** xref:packages/release_github_certificate.adoc[GitHub Certificate Checks]
 **** xref:packages/release_github_certificate.adoc#github_certificate__gh_workflow_extensions[GitHub Workflow Certificate Extensions]
 **** xref:packages/release_github_certificate.adoc#github_certificate__gh_workflow_name[GitHub Workflow Name]

example/data/rule_data.yml

@@ -17,7 +17,7 @@
 
 rule_data:
   # Usage: https://conforma.dev/docs/policy/packages/release_git_branch.html#git_branch__git_branch
-  allowed_branch_patterns:
+  allowed_target_branch_patterns:
   - ^refs/heads/main$
   - ^refs/heads/release-v[\d\.]+$
 

policy/release/git_branch/git_branch.rego

@@ -2,21 +2,21 @@
 # METADATA
 # title: Git branch checks
 # description: >-
-#   Check that the build was done from an expected git branch. The
+#   Check that the build has an expected target git branch. The
 #   specific branches permitted are specified as a list of regexes
-#   in the `allowed_branch_patterns` rule data.
+#   in the `allowed_target_branch_patterns` rule data.
 #
 package git_branch
 
 import data.lib
 import rego.v1
 
 # METADATA
-# title: Only allow builds from a trusted branch
-# description: Build must originate from a configured branch pattern (e.g., 'refs/heads/main')
+# title: Builds have a trusted target branch
+# description: Build must target a configured branch pattern (e.g., 'c10s')
 # custom:
 #   short_name: git_branch
-#   failure_msg: Build is from a branch %s which is not a trusted branch
+#   failure_msg: Build target is %s which is not a trusted target branch
 #   collections:
 #   - redhat_rpms
 #   effective_on: 2025-07-01
@@ -25,12 +25,12 @@ deny contains result if {
 
 	# Note that we're assuming that the annotation exists.
 	# This will not produce a violation if the annotation is missing
-	branch := task.invocation.environment.annotations["pipelinesascode.tekton.dev/source-branch"]
+	branch := task.invocation.environment.annotations["build.appstudio.redhat.com/target_branch"]
 	not matches_any(branch)
 	result := lib.result_helper(rego.metadata.chain(), [branch])
 }
 
 matches_any(branch) if {
-	some pattern in lib.rule_data("allowed_branch_patterns")
+	some pattern in lib.rule_data("allowed_target_branch_patterns")
 	regex.match(pattern, branch)
 }

policy/release/git_branch/git_branch_test.rego

@@ -6,9 +6,9 @@ import rego.v1
 
 single_test_case(branch, expected_results) if {
 	# regal ignore:line-length
-	mock_input := {"attestations": [{"statement": {"predicate": {"buildConfig": {"tasks": [{"invocation": {"environment": {"annotations": {"pipelinesascode.tekton.dev/source-branch": branch}}}}]}}}}]}
+	mock_input := {"attestations": [{"statement": {"predicate": {"buildConfig": {"tasks": [{"invocation": {"environment": {"annotations": {"build.appstudio.redhat.com/target_branch": branch}}}}]}}}}]}
 
-	mock_rule_data := ["^refs/heads/main$", "^refs/heads/release-[23]$"]
+	mock_rule_data := ["^c10s$", "^rhel-10.[0-9]+$", "^rhel-[0-9]+-main$", "branch[0-9]+-rhel-[0-9]+.[0-9]+.[0-9]+$"]
 
 	mock_tasks := mock_input.attestations[0].statement.predicate.buildConfig.tasks
 
@@ -19,25 +19,36 @@ single_test_case(branch, expected_results) if {
 }
 
 test_allow_with_main_branch if {
-	single_test_case("refs/heads/main", [])
+	single_test_case("rhel-9-main", [])
 }
 
 test_allow_with_release_branch if {
-	single_test_case("refs/heads/release-2", [])
+	single_test_case("rhel-10.1", [])
+}
+
+test_allow_with_c10s_branch if {
+	single_test_case("c10s", [])
+}
+
+test_allow_with_hotfixbranch if {
+	single_test_case("kernel-5.14.0-570.42.1.el9_6-branch1-rhel-9.6.0", [])
+	single_test_case("kernel-5.14.0-570.42.1.el9_6-branch1-rhel-9.6.0", [])
+	single_test_case("kernel-5.14.0-570.42.1.el10_3-branch1-rhel-10.3.1", [])
+	single_test_case("kernel-5.14.0-570.42.1.el11_2-branch13-rhel-11.2.9", [])
 }
 
 test_deny_with_disallowed_branch if {
 	expected := {{
 		"code": "git_branch.git_branch",
-		"msg": "Build is from a branch refs/heads/feature-branch which is not a trusted branch",
+		"msg": "Build target is feature-branch which is not a trusted target branch",
 	}}
-	single_test_case("refs/heads/feature-branch", expected)
+	single_test_case("feature-branch", expected)
 }
 
 test_deny_with_unmatched_branch if {
 	expected := {{
 		"code": "git_branch.git_branch",
-		"msg": "Build is from a branch refs/heads/release-1 which is not a trusted branch",
+		"msg": "Build target is release-1 which is not a trusted target branch",
 	}}
-	single_test_case("refs/heads/release-1", expected)
+	single_test_case("release-1", expected)
 }