225 changes: 225 additions & 0 deletions features/__snapshots__/validate_image.snap
@@ -5916,3 +5916,228 @@ time="${TIMESTAMP}" level=warning msg="Attestation signature check skipped, fetc
time="${TIMESTAMP}" level=warning msg="Both --skip-image-sig-check and --skip-att-sig-check are active, all cryptographic verification is disabled"

---

[TestFeatures/volatile config exclude matches multi-arch expanded component name:stdout - 1]
{
"success": true,
"components": [
{
"name": "multi-arch-test-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-arm64",
"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile@sha256:${REGISTRY_acceptance/multi-arch-volatile:latest_DIGEST}",
"source": {},
"successes": [
{
"msg": "Pass",
"metadata": {
"code": "builtin.attestation.signature_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "builtin.attestation.syntax_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "builtin.image.signature_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "filtering.always_pass"
}
},
{
"msg": "Pass",
"metadata": {
"code": "filtering.always_pass_with_collection"
}
}
],
"success": true,
"signatures": [
{
"keyid": "",
"sig": "${IMAGE_SIGNATURE_acceptance/multi-arch-volatile}"
}
],
"attestations": [
{
"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"signatures": [
{
"keyid": "",
"sig": "${ATTESTATION_SIGNATURE_acceptance/multi-arch-volatile}"
}
]
}
]
}
],
"key": "${known_PUBLIC_KEY_JSON}",
"policy": {
"sources": [
{
"policy": [
"git::${GITHOST}/git/happy-day-policy.git?ref=${LATEST_COMMIT}"
],
"config": {
"include": [
"@stamps",
"filtering.always_pass",
"filtering.always_fail"
]
},
"volatileConfig": {
"exclude": [
{
"value": "filtering.always_fail",
"componentNames": [
"multi-arch-test"
]
},
{
"value": "filtering.always_fail_with_collection",
"componentNames": [
"multi-arch-test"
]
}
]
}
}
],
"publicKey": "${known_PUBLIC_KEY}"
},
"ec-version": "${EC_VERSION}",
"effective-time": "${TIMESTAMP}"
}
---

[TestFeatures/volatile config exclude matches multi-arch expanded component name:stderr - 1]

---

[TestFeatures/volatile config exclude does not match different multi-arch component:stdout - 1]
{
"success": false,
"components": [
{
"name": "other-component-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-amd64",
"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile-neg@sha256:${REGISTRY_acceptance/multi-arch-volatile-neg:latest_DIGEST}",
"source": {},
"violations": [
{
"msg": "always fail",
"metadata": {
"code": "filtering.always_fail"
}
},
{
"msg": "always fail with collection",
"metadata": {
"code": "filtering.always_fail_with_collection"
}
}
],
"successes": [
{
"msg": "Pass",
"metadata": {
"code": "builtin.attestation.signature_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "builtin.attestation.syntax_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "builtin.image.signature_check"
}
},
{
"msg": "Pass",
"metadata": {
"code": "filtering.always_pass"
}
},
{
"msg": "Pass",
"metadata": {
"code": "filtering.always_pass_with_collection"
}
}
],
"success": false,
"signatures": [
{
"keyid": "",
"sig": "${IMAGE_SIGNATURE_acceptance/multi-arch-volatile-neg}"
}
],
"attestations": [
{
"type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"signatures": [
{
"keyid": "",
"sig": "${ATTESTATION_SIGNATURE_acceptance/multi-arch-volatile-neg}"
}
]
}
]
}
],
"key": "${known_PUBLIC_KEY_JSON}",
"policy": {
"sources": [
{
"policy": [
"git::${GITHOST}/git/happy-day-policy.git?ref=${LATEST_COMMIT}"
],
"config": {
"include": [
"@stamps",
"filtering.always_pass",
"filtering.always_fail"
]
},
"volatileConfig": {
"exclude": [
{
"value": "filtering.always_fail",
"componentNames": [
"multi-arch-test"
]
},
{
"value": "filtering.always_fail_with_collection",
"componentNames": [
"multi-arch-test"
]
}
]
}
}
],
"publicKey": "${known_PUBLIC_KEY}"
},
"ec-version": "${EC_VERSION}",
"effective-time": "${TIMESTAMP}"
}
---

[TestFeatures/volatile config exclude does not match different multi-arch component:stderr - 1]
Error: success criteria not met

---
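Review bot: the positive snapshot (the `multi-arch-test-sha256:...-arm64` component) leaves no trace that `filtering.always_fail` and `filtering.always_fail_with_collection` were suppressed by `volatileConfig`: both rules are simply absent from `successes`, and the output carries no `warnings` entry or other exclusion record, so a consumer of this JSON cannot tell "excluded by volatile config" apart from "never evaluated". If the CLI can surface volatile exclusions (for example as a `warnings` item naming the excluded rule code and the matched component), consider snapshotting that here, since the audit value of a temporary exclusion depends on it being visible in the result.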
101 changes: 101 additions & 0 deletions features/validate_image.feature
@@ -1115,6 +1115,107 @@ Feature: evaluate enterprise contract
Then the exit status should be 0
Then the output should match the snapshot

# EC-1824: verify volatile config componentNames excludes work with

[info] test-inadequate

The two scenarios provide good positive/negative coverage for multi-arch expanded component name matching. A potential additional edge case would test a component name containing a sha256-like substring that is NOT a multi-arch expanded name (e.g., without the sha256: prefix pattern), to verify originalComponentName() correctly identifies the expansion boundary rather than doing a simple prefix match.

# multi-arch expanded component names (e.g., "foo-sha256:<digest>-arm64").

Scenario: volatile config exclude matches multi-arch expanded component name
Given a key pair named "known"
Given an image named "acceptance/multi-arch-volatile"
Given a valid image signature of "acceptance/multi-arch-volatile" image signed by the "known" key
Given a valid attestation of "acceptance/multi-arch-volatile" signed by the "known" key
Given a git repository named "happy-day-policy" with
| filtering.rego | examples/filtering.rego |
Given a file named "${TMPDIR}/multi-arch-images.json" containing
"""
{
"components": [
{
"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile",
"name": "multi-arch-test-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-arm64"
}
]
}
"""
Given policy configuration named "ec-policy" with specification
"""
{
"sources": [
{
"volatileConfig": {
"exclude": [
{
"value": "filtering.always_fail",
"componentNames": ["multi-arch-test"]
},
{
"value": "filtering.always_fail_with_collection",
"componentNames": ["multi-arch-test"]
}
]
},
"config": {
"include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
},
"policy": [
"git::https://${GITHOST}/git/happy-day-policy.git"
]
}
]
}
"""
When ec command is run with "validate image --images ${TMPDIR}/multi-arch-images.json --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --show-successes --output json"
Then the exit status should be 0
Then the output should match the snapshot

Scenario: volatile config exclude does not match different multi-arch component
Given a key pair named "known"
Given an image named "acceptance/multi-arch-volatile-neg"
Given a valid image signature of "acceptance/multi-arch-volatile-neg" image signed by the "known" key
Given a valid attestation of "acceptance/multi-arch-volatile-neg" signed by the "known" key
Given a git repository named "happy-day-policy" with
| filtering.rego | examples/filtering.rego |
Given a file named "${TMPDIR}/multi-arch-images-neg.json" containing
"""
{
"components": [
{
"containerImage": "${REGISTRY}/acceptance/multi-arch-volatile-neg",
"name": "other-component-sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2-amd64"
}
]
}
"""
Given policy configuration named "ec-policy" with specification
"""
{
"sources": [
{
"volatileConfig": {
"exclude": [
{
"value": "filtering.always_fail",
"componentNames": ["multi-arch-test"]
},
{
"value": "filtering.always_fail_with_collection",
"componentNames": ["multi-arch-test"]
}
]
},
"config": {
"include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
},
"policy": [
"git::https://${GITHOST}/git/happy-day-policy.git"
]
}
]
}
"""
When ec command is run with "validate image --images ${TMPDIR}/multi-arch-images-neg.json --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --show-successes --output json"
Then the exit status should be 1
Then the output should match the snapshot

Scenario: Unsupported policies
Given a key pair named "known"
Given an image named "acceptance/image"
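Review bot: the negative scenario only shows that an unrelated base name (`other-component`) is not matched; it does not guard against a prefix match on the base name. Add a scenario whose expanded name shares `multi-arch-test` as a prefix but is a different component (e.g. `multi-arch-test-extra-sha256:<digest>-arm64`) and expect exit status 1, so that `"componentNames": ["multi-arch-test"]` is proven to match the whole original name recovered by `originalComponentName()` rather than its leading characters. Both scenarios also reuse the same digest literal `a1b2c3d4e5f6...a1b2`; giving the negative case a distinct digest would keep an accidental match on the digest portion from masking a bug in the name comparison. Minor: the key-pair, signature, attestation and `happy-day-policy` steps are duplicated verbatim across the two scenarios and could be shared.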