build: rego source policies #23782
Conversation
✅ Deploy Preview for docsdocker ready!
| ``` | ||
|
|
||
| When using Sigstore signatures, additional fields are available under | ||
| `input.image.signature` (singular) with details about the signing workflow. |
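Review bot: the sentence on `input.image.signature` names no fields. A policy author cannot write a rule against "details about the signing workflow" without knowing the keys and their types under that object, and the author's own reply in this thread says these fields were written before they could be tested. The safe edit is to list only the keys verified against a real Sigstore-signed image, or drop the paragraph until that is done, rather than ship a guessed schema for the check most likely to be relied on for supply-chain enforcement. Also say what "(singular)" is contrasting with; if a plural `input.image.signatures` exists elsewhere in the schema, state how the two relate.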
?
Uuh I reckon this was a result of me starting to preemptively doc some fields before I was able to test. Then Claude went and mangled things.
| } | ||
| ``` | ||
|
|
||
| #### `input.git.commitChecksum` |
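Review bot: the `input.git.commitChecksum` section should state the exact form of the value (full hash versus abbreviated, and its length), because a pinning policy that compares this field to a fixed string silently never matches if the documented form differs from what buildx supplies. A later reply in this thread mentions an `isSha256` field, so the doc also needs to say whether `commitChecksum` can be a SHA-256 object ID and how a policy should tell the two apart before comparing.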
There are also `checksum` and `isAnnotatedTag`.
Adding these and a couple of other fields I noticed were missing. Not adding `fullUrl` and `isSha256` just yet - I noticed they exist but I'm not really able to test those.
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
| @@ -0,0 +1,585 @@ | |||
| --- | |||
| title: Example policies | |||
I might give this a stronger left nav name, nothing too intense. I would clarify the kind of examples these are, e.g.: "Example policies for beginners" (that's a bad title). Maybe something that indicates who these examples are for, or maybe the environment: "Example policies for <development/production>" or something. IDK, just adding a little more context to target the exact audience who the examples are for.
| @@ -0,0 +1,210 @@ | |||
| --- | |||
| title: Test build policies | |||
Do we want the doc title to match left nav title for breadcrumbing/context?
|
|
||
| ## Basic example | ||
|
|
||
| Start with a simple policy: |
Maybe, "Start with a simple policy that:" just to provide context scaffolding.
| test_alpine_allowed: PASS (allow=true) | ||
| test_ubuntu_denied: PASS (allow=false) | ||
| ``` | ||
|
|
Do we want to add a short sentence summary that calls out specifically what should happen if the test passes?
| └── src/ | ||
| ``` | ||
|
|
||
| No additional configuration is needed - buildx automatically finds and loads |
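Review bot: "buildx automatically finds and loads" leaves the discovery rule implicit, and implicit discovery is where policy enforcement silently goes wrong. This paragraph should spell out the search location (which directory, relative to the build context or the Dockerfile), the filename mapping, and what happens when no policy file is found: a build that proceeds unchecked because a file was misnamed or sat one directory too high looks identical to a build that passed policy. State the rule, and state whether a missing policy is a no-op or an error, so readers can decide whether they need an explicit flag in CI.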
Should we use Buildx with an uppercase B when referring to the CLI tool/client and not the CLI command? I've seen this in a couple of places in the PR. Can we update this?
| $ docker buildx policy test --filename app.Dockerfile . | ||
| ``` | ||
|
|
||
| This loads `app.Dockerfile.rego` and runs `*_test.rego` files against it. |
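Review bot: the mapping from `--filename app.Dockerfile` to `app.Dockerfile.rego` is only shown by example here; write the rule out (the policy file is the Dockerfile name with `.rego` appended, in the same directory, if that is the rule) and say where `*_test.rego` files are looked up, since a test file that is never discovered reports nothing rather than failing. The sentence should also give the command's exit status on a failing test, because the point of `docker buildx policy test` in a pipeline is to gate the build, and that only works if a failure is non-zero.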
Same as above. What is the expected outcome? A short sentence might help wrap up what to expect
Left some minor comments @dvdksn. Looks great overall!
Description
Buildx support for rego policies for validating build inputs (local, http, git, image).
Preview: https://deploy-preview-23782--docsdocker.netlify.app/build/policies/
Related issues or tickets