feat: add Operator FIPS Compliance checks as required tasks

CVP-4373. This commit adds fbc-fips-check as a required task to the FBC pipeline and fips-operator-bundle-check as a required task in the container pipeline. The commit also adds their repective TA versions. Signed-off-by: Yashvardhan Nanavati <[email protected]>
release-engineering · Dec 22, 2024 · 1b329ec · 1b329ec
1 parent a10d90c
commit 1b329ec
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/data/required_tasks.yml b/data/required_tasks.yml
@@ -2,6 +2,14 @@
 # https://enterprisecontract.dev/docs/ec-policies/release_policy.html#tasks_package
 pipeline-required-tasks:
   fbc:
+    - effective_on: "2025-03-01T00:00:00Z"
+      tasks:
+        - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+        - deprecated-image-check
+        - [fbc-fips-check, fbc-fips-check-oci-ta]
+        - [fbc-related-image-check, validate-fbc]
+        - [git-clone, git-clone-oci-ta]
+        - init
     - effective_on: "2024-11-01T00:00:00Z"
       tasks:
         - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
@@ -29,6 +37,19 @@ pipeline-required-tasks:
         - inspect-image
         - summary
   docker:
+    - effective_on: "2025-03-01T00:00:00Z"
+      tasks:
+        - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+        - clair-scan
+        - clamav-scan
+        - deprecated-image-check
+        - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+        - [git-clone, git-clone-oci-ta]
+        - init
+        - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+        - rpms-signature-scan
+        - [sast-snyk-check, sast-snyk-check-oci-ta]
+        - [source-build, source-build-oci-ta]
     - effective_on: "2024-11-01T00:00:00Z"
       tasks:
         - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
@@ -65,6 +86,19 @@ pipeline-required-tasks:
         - source-build
         - summary
   generic:
+    - effective_on: "2025-03-01T00:00:00Z"
+      tasks:
+        - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
+        - clair-scan
+        - clamav-scan
+        - deprecated-image-check
+        - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+        - [git-clone, git-clone-oci-ta]
+        - init
+        - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+        - rpms-signature-scan
+        - [sast-snyk-check, sast-snyk-check-oci-ta]
+        - [source-build, source-build-oci-ta]
     - effective_on: "2024-11-01T00:00:00Z"
       tasks:
         - [buildah, buildah-10gb, buildah-6gb, buildah-8gb, buildah-remote, buildah-oci-ta, buildah-remote-oci-ta]
@@ -101,6 +135,19 @@ pipeline-required-tasks:
         - source-build
         - summary
   java:
+    - effective_on: "2025-03-01T00:00:00Z"
+      tasks:
+        - clair-scan
+        - clamav-scan
+        - deprecated-image-check
+        - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+        - [git-clone, git-clone-oci-ta]
+        - init
+        - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+        - rpms-signature-scan
+        - s2i-java
+        - [sast-snyk-check, sast-snyk-check-oci-ta]
+        - [source-build, source-build-oci-ta]
     - effective_on: "2024-11-01T00:00:00Z"
       tasks:
         - clair-scan
@@ -137,6 +184,19 @@ pipeline-required-tasks:
         - source-build
         - summary
   nodejs:
+    - effective_on: "2025-03-01T00:00:00Z"
+      tasks:
+        - clair-scan
+        - clamav-scan
+        - deprecated-image-check
+        - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+        - [git-clone, git-clone-oci-ta]
+        - init
+        - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+        - rpms-signature-scan
+        - s2i-nodejs
+        - [sast-snyk-check, sast-snyk-check-oci-ta]
+        - [source-build, source-build-oci-ta]
     - effective_on: "2024-11-01T00:00:00Z"
       tasks:
         - clair-scan
@@ -175,6 +235,17 @@ pipeline-required-tasks:
 
 # https://enterprisecontract.dev/docs/ec-policies/release_policy.html#tasks_package
 required-tasks:
+  - effective_on: "2025-03-01T00:00:00Z"
+    tasks:
+      - clair-scan
+      - clamav-scan
+      - [fips-operator-bundle-check, fips-operator-bundle-check-oci-ta]
+      - [git-clone, git-clone-oci-ta]
+      - init
+      - [prefetch-dependencies, prefetch-dependencies-oci-ta]
+      - rpms-signature-scan
+      - [sast-snyk-check, sast-snyk-check-oci-ta]
+      - [source-build, source-build-oci-ta]
   - effective_on: "2024-11-01T00:00:00Z"
     tasks:
       - clair-scan