Remove the ci-specific rhtap rego packages

This does strip out potentially useful Jenkins specific invocation id check, but let's not worry about that for now. Once we have a sensible plan for how to do this, we can bring it back fairly easily. Ref: https://issues.redhat.com/browse/EC-1032
enterprise-contract · Nov 26, 2024 · 224ee3b · 224ee3b
1 parent d24d977
commit 224ee3b
Show file tree

Hide file tree

Showing 8 changed files with 0 additions and 351 deletions.
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -211,8 +211,6 @@ a| A set of policy rules to validate artifacts built using RHTAP Jenkins pipelin
 
 Rules included:
 
-* xref:release_policy.adoc#rhtap_jenkins__invocation_id_found[RHTAP Jenkins: RHTAP Jenkins SLSA Invocation ID present]
-* xref:release_policy.adoc#rhtap_jenkins__attestation_found[RHTAP Jenkins: RHTAP Jenkins SLSA Provenance Attestation Found]
 * xref:release_policy.adoc#rhtap_multi_ci__attestation_found[RHTAP Multi-CI: RHTAP Multi-CI SLSA Provenance Attestation Found]
 
 | [#slsa3]`slsa3`
@@ -960,75 +958,6 @@ Check the image metadata for the presence of a "quay.expires-after" label. If it
 * Code: `quay_expiration.expires_label`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/quay_expiration/quay_expiration.rego#L16[Source, window="_blank"]
 
-[#rhtap_github_package]
-== link:#rhtap_github_package[RHTAP GitHub]
-
-Some initial checks for images built using an RHTAP GitHub build pipeline. Note that the RHTAP GitHub pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP GitHub pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
-
-* Package name: `rhtap_github`
-
-[#rhtap_github__attestation_found]
-=== link:#rhtap_github__attestation_found[RHTAP GitHub SLSA Provenance Attestation Found]
-
-Verify an attestation created by the RHTAP GitHub build pipeline is present.
-
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in GitHub for the cosign-sign-attest stage to see if you can find out why.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_github.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_github/rhtap_github.rego#L17[Source, window="_blank"]
-
-[#rhtap_gitlab_package]
-== link:#rhtap_gitlab_package[RHTAP GitLab]
-
-Some initial checks for images built using an RHTAP GitLab build pipeline. Note that the RHTAP GitLab pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP GitLab pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
-
-* Package name: `rhtap_gitlab`
-
-[#rhtap_gitlab__attestation_found]
-=== link:#rhtap_gitlab__attestation_found[RHTAP GitLab SLSA Provenance Attestation Found]
-
-Verify an attestation created by the RHTAP GitLab build pipeline is present.
-
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in GitLab for the cosign-sign-attest stage to see if you can find out why.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_gitlab.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_gitlab/rhtap_gitlab.rego#L17[Source, window="_blank"]
-
-[#rhtap_jenkins_package]
-== link:#rhtap_jenkins_package[RHTAP Jenkins]
-
-Some initial checks for images built using an RHTAP Jenkins build pipeline. Note that the RHTAP Jenkins pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP Jenkins pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
-
-* Package name: `rhtap_jenkins`
-
-[#rhtap_jenkins__invocation_id_found]
-=== link:#rhtap_jenkins__invocation_id_found[RHTAP Jenkins SLSA Invocation ID present]
-
-Confirm that an invocation ID was found in the attestation in the expected location.
-
-*Solution*: For some reason the invocation id was missing or empty in the build provenance. It should be located at `predicate.runDetails.metadata.invocationID` in the attestation statement.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The build provenance metadata did not contain an invocation id.`
-* Code: `rhtap_jenkins.invocation_id_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_jenkins/rhtap_jenkins.rego#L36[Source, window="_blank"]
-
-[#rhtap_jenkins__attestation_found]
-=== link:#rhtap_jenkins__attestation_found[RHTAP Jenkins SLSA Provenance Attestation Found]
-
-Verify an attestation created by the RHTAP Jenkins build pipeline is present.
-
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in Jenkins for the cosign-sign-attest stage to see if you can find out why.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_jenkins.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_jenkins/rhtap_jenkins.rego#L17[Source, window="_blank"]
-
 [#rhtap_multi_ci_package]
 == link:#rhtap_multi_ci_package[RHTAP Multi-CI]
 

diff --git a/antora/docs/modules/ROOT/partials/release_policy_nav.adoc b/antora/docs/modules/ROOT/partials/release_policy_nav.adoc
@@ -71,13 +71,6 @@
 **** xref:release_policy.adoc#provenance_materials__git_clone_task_found[Git clone task found]
 *** xref:release_policy.adoc#quay_expiration_package[Quay expiration]
 **** xref:release_policy.adoc#quay_expiration__expires_label[Expires label]
-*** xref:release_policy.adoc#rhtap_github_package[RHTAP GitHub]
-**** xref:release_policy.adoc#rhtap_github__attestation_found[RHTAP GitHub SLSA Provenance Attestation Found]
-*** xref:release_policy.adoc#rhtap_gitlab_package[RHTAP GitLab]
-**** xref:release_policy.adoc#rhtap_gitlab__attestation_found[RHTAP GitLab SLSA Provenance Attestation Found]
-*** xref:release_policy.adoc#rhtap_jenkins_package[RHTAP Jenkins]
-**** xref:release_policy.adoc#rhtap_jenkins__invocation_id_found[RHTAP Jenkins SLSA Invocation ID present]
-**** xref:release_policy.adoc#rhtap_jenkins__attestation_found[RHTAP Jenkins SLSA Provenance Attestation Found]
 *** xref:release_policy.adoc#rhtap_multi_ci_package[RHTAP Multi-CI]
 **** xref:release_policy.adoc#rhtap_multi_ci__attestation_found[RHTAP Multi-CI SLSA Provenance Attestation Found]
 *** xref:release_policy.adoc#rpm_repos_package[RPM Repos]

diff --git a/policy/release/rhtap_github/rhtap_github.rego b/policy/release/rhtap_github/rhtap_github.rego
diff --git a/policy/release/rhtap_github/rhtap_github_test.rego b/policy/release/rhtap_github/rhtap_github_test.rego
diff --git a/policy/release/rhtap_gitlab/rhtap_gitlab.rego b/policy/release/rhtap_gitlab/rhtap_gitlab.rego
diff --git a/policy/release/rhtap_gitlab/rhtap_gitlab_test.rego b/policy/release/rhtap_gitlab/rhtap_gitlab_test.rego
diff --git a/policy/release/rhtap_jenkins/rhtap_jenkins.rego b/policy/release/rhtap_jenkins/rhtap_jenkins.rego
diff --git a/policy/release/rhtap_jenkins/rhtap_jenkins_test.rego b/policy/release/rhtap_jenkins/rhtap_jenkins_test.rego