all-tasks.yaml
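---
# These policies are meant to be applied to all of the Tasks in this repo.
#
# Enterprise Contract (EC) policy configuration: a single policy source whose
# rules are evaluated against the Task definitions in this repository.
sources:
  - policy:
      # Rule bundle that is evaluated against each Task.
      # NOTE(review): `:latest` is a mutable tag, so the rules gating Tasks can
      # change without any change to this file. Pinning by digest
      # (`...@sha256:<digest>`) would make evaluations reproducible and
      # auditable; confirm that following the tag is intentional.
      - oci::quay.io/enterprise-contract/ec-task-policy:latest
    data:
      # Data consumed by the rules above (judging by the name, the list of
      # acceptable Task bundles, plus a `data` subdirectory of a git repo).
      # NOTE(review): both entries float. The OCI ref uses `:latest` and the
      # git source names no ref, so it presumably tracks the default branch.
      # Whoever can push to either location can change what the policy accepts.
      - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest
      - github.com/release-engineering/rhtap-ec-policy//data
    ruleData:
      # Workspace names that the trusted_artifacts rules tolerate.
      # NOTE(review): the names suggest credential-bearing workspaces only;
      # adding a general-purpose workspace here would presumably let Tasks
      # share data outside the trusted-artifact path. Verify before extending.
      allowed_trusted_artifacts_workspaces:
        - git-basic-auth
        - basic-auth
        - ssh-directory
        - netrc
        - gitops-auth
      required_task_results:
        # Certain EC rules rely on the presence of these results when validating an image.
        # `version` is quoted so it stays the string "0.1" rather than a float.
        # NOTE(review): the last two entries carry no `version`; presumably
        # they apply to every version of the task. Confirm.
        - task: clair-scan
          result: CLAIR_SCAN_RESULT
          version: "0.1"
        - task: clair-scan
          result: SCAN_OUTPUT
        - task: rpms-signature-scan
          result: RPMS_DATA
    config:
      # Rule packages to evaluate.
      include:
        - kind
        - results
        - step_image_registries
        - step_images
        - trusted_artifacts
      # Individual checks switched off, written as `<package>.<rule>:<term>`.
      # Every entry here waives the step-image accessibility check for exactly
      # one image reference. Each is a standing policy exception, so keep the
      # list narrow and remove entries once the tracked issue is resolved.
      # NOTE(review): two references contain unexpanded Tekton `$(params.*)`
      # placeholders, so they presumably cannot be resolved when the Task is
      # checked statically. The Coverity image is waived once by tag and once
      # by digest; confirm that both are still needed.
      exclude:
        # https://issues.redhat.com/browse/EC-1038
        - step_images.step_images_accessible:quay.io/redhat-services-prod/sast/coverity:202412.2
        - step_images.step_images_accessible:registry.access.redhat.com/ubi8/python-$(params.python-version):latest
        - step_images.step_images_accessible:registry.access.redhat.com/ubi8/go-toolset:$(params.go-version)
        - step_images.step_images_accessible:quay.io/redhat-services-prod/sast/coverity@sha256:0d1b96fb08a901b2d0e340599c7fee7e1de25e2d6ba58f3d95db4983f32b5a3c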