Expand Up @@ -390,6 +390,7 @@ spec:
--timeout=0
--strict=false
--show-successes=true
--show-policy-docs-link=true

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n --fixed-strings 'show-policy-docs-link' \
  tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml \
  cmd/validate

Repository: conforma/cli

Length of output: 167


🏁 Script executed:

# Search for the flag definition anywhere in the codebase
rg -n 'show-policy-docs-link' --type-list | head -20
rg -n 'show-policy-docs-link' -t go

Repository: conforma/cli

Length of output: 445


🏁 Script executed:

# Examine the validate image command structure
find . -name "image.go" -path "*/validate/*" -exec wc -l {} \;

Repository: conforma/cli

Length of output: 83


🏁 Script executed:

# Look for flag definitions in validate command
fd -e go . cmd/validate | head -20

Repository: conforma/cli

Length of output: 341


🏁 Script executed:

# Search for show-policy-docs-link in Go files
rg -t go 'show-policy-docs-link' .

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Examine image.go structure to find flag definitions
head -100 cmd/validate/image.go

Repository: conforma/cli

Length of output: 3574


🏁 Script executed:

# Look for flag registration patterns (common in cobra CLI)
rg -t go 'AddFlag|Flag\(' cmd/validate/image.go | head -30

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Search for flag registration in image.go more thoroughly
cat -n cmd/validate/image.go | grep -A2 -B2 'Flags\|Flag\|AddCommand' | head -80

Repository: conforma/cli

Length of output: 4332


🏁 Script executed:

# Look for all flag definitions (using Flags() method typical in cobra)
rg -t go 'cmd\.Flags\(\)' cmd/validate/image.go -A 3 | head -100

Repository: conforma/cli

Length of output: 6227


🏁 Script executed:

# Search for where flags are bound to struct fields
rg -t go 'BindFlags|MarkFlagRequired' cmd/validate/image.go -B 2 -A 2

Repository: conforma/cli

Length of output: 206


🏁 Script executed:

# Search for show-policy-docs-link and show-successes flags in the entire file
rg -t go 'show-successes|show-policy-docs-link' cmd/validate/image.go -B 2 -A 2

Repository: conforma/cli

Length of output: 425


🏁 Script executed:

# Look at the full flag definitions section around show-successes
sed -n '550,650p' cmd/validate/image.go

Repository: conforma/cli

Length of output: 4737


🏁 Script executed:

# Search the entire image.go for where show-successes flag is registered
rg -t go 'show-successes' cmd/validate/image.go -B 5 -A 5

Repository: conforma/cli

Length of output: 1141


🏁 Script executed:

# Look for all BoolVar registrations in image.go to see the pattern
rg -t go 'BoolVar' cmd/validate/image.go

Repository: conforma/cli

Length of output: 616


🏁 Script executed:

# Check if show-successes and show-warnings are defined elsewhere, maybe in output package
rg -t go 'show-successes|show-warnings' . --max-count 20

Repository: conforma/cli

Length of output: 5339


🏁 Script executed:

# Look more carefully - show-successes might be an output format option, not a flag
rg -t go 'show-successes\|show-warnings' cmd/validate/image.go -B 10

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Check if these are query parameters for output, not CLI flags
sed -n '330,350p' cmd/validate/image.go

Repository: conforma/cli

Length of output: 840


🏁 Script executed:

# Check validate.go to see where show-successes and show-warnings are registered
cat -n cmd/validate/validate.go | grep -A 5 -B 5 'show-successes\|show-warnings'

Repository: conforma/cli

Length of output: 423


🏁 Script executed:

# Now search for show-policy-docs-link anywhere in the entire codebase
rg 'show-policy-docs-link' --type-list 2>/dev/null | head -1 || rg 'policy-docs-link' .

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Check git history to see if this flag was recently added
git log --oneline -n 20 -- cmd/validate/image.go 2>/dev/null | head -10

Repository: conforma/cli

Length of output: 110


🏁 Script executed:

# Check the recent commit that mentions policy docs link
git show 1a717bb8 --stat 2>/dev/null | head -30

Repository: conforma/cli

Length of output: 1503


🏁 Script executed:

# Look for policy docs link in the output formatting code
rg -t go 'policy.*doc\|docs.*link' internal/ --max-count 20

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Search in internal/format and internal/output for this option
rg -t go 'PolicyDocs\|policyDocs\|policy-docs' . --max-count 20

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Get the full diff of the commit
git show 1a717bb8 --no-stat 2>/dev/null | head -200

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Check if show-policy-docs-link flag is defined as a registered flag in image.go or elsewhere
rg -t go 'show-policy-docs-link' cmd/validate/

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Check internal/format/target.go for output options handling
rg -t go 'show-' internal/format/target.go -B 3 -A 3

Repository: conforma/cli

Length of output: 343


🏁 Script executed:

# Check the exact output of git show to see what was added
git show 1a717bb8 -- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml 2>/dev/null | grep -A 5 -B 5 'show-policy-docs-link' | head -30

Repository: conforma/cli

Length of output: 905


🏁 Script executed:

# Check if there's a flag definition anywhere with this name by searching all Go files
fd -e go . | xargs grep -l 'show-policy-docs-link' 2>/dev/null

Repository: conforma/cli

Length of output: 40


🏁 Script executed:

# Let's check the Options struct in format package to see what options are supported
cat -n internal/format/target.go | grep -A 30 'type Options'

Repository: conforma/cli

Length of output: 884


🏁 Script executed:

# Final verification: check if flag is registered anywhere in Go code with a broader search
rg -t go 'show.policy.*docs|policy.*docs.*link' .

Repository: conforma/cli

Length of output: 38


🏁 Script executed:

# Confirm there is truly no flag registration or handling for show-policy-docs-link
rg -t go '"show-policy-docs-link"' cmd/

Repository: conforma/cli

Length of output: 38


Guard this flag by CLI capability to avoid unknown flag failures

Line 393 uses a flag that is not implemented in the CLI. The --show-policy-docs-link flag was added to the task file but is not registered in cmd/validate/image.go or handled in the format options. Conditionally append it only when supported.

Compatibility-safe patch
         cmd_args+=(
           --rekor-url="${REKOR_HOST}"
           --workers="${WORKERS}"
           --info="${INFO}"
           --timeout=0
           --strict=false
           --show-successes=true
-          --show-policy-docs-link=true
           --effective-time="${EFFECTIVE_TIME}"
           --extra-rule-data="${EXTRA_RULE_DATA}"
           --retry-max-wait="${RETRY_MAX_WAIT}"
           --retry-max-retry="${RETRY_MAX_RETRY}"
           --retry-duration="${RETRY_DURATION}"
           --retry-factor="${RETRY_FACTOR}"
           --retry-jitter="${RETRY_JITTER}"
           --output="text=${HOMEDIR}/text-report.txt?show-successes=false"
           --output="json=${HOMEDIR}/report-json.json"
           --output="appstudio=$(results.TEST_OUTPUT.path)"
         )
+
+        if ec validate image --help 2>&1 | grep -q -- '--show-policy-docs-link'; then
+          cmd_args+=(--show-policy-docs-link=true)
+        fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml` at line
393, The YAML adds the unsupported flag --show-policy-docs-link causing
unknown-flag failures; update the code that builds/assembles validate command
args (see cmd/validate/image.go and the function that constructs format/options
args) to check whether the CLI actually supports the flag before appending it:
use the command's FlagSet lookup (e.g.,
cmd.Flags().Lookup("show-policy-docs-link") or similar) or a dedicated
capability check and only append "--show-policy-docs-link=true" when the lookup
returns non-nil/true, otherwise skip adding it so the task remains compatible
with older CLI builds.

--effective-time="${EFFECTIVE_TIME}"
--extra-rule-data="${EXTRA_RULE_DATA}"
--retry-max-wait="${RETRY_MAX_WAIT}"
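Review bot: the added `--show-policy-docs-link=true` after `--show-successes=true` is passed unconditionally, so this step only works with an `ec` build that registers the flag. On any other build the command stops at argument parsing and no policy evaluation runs, which leaves a verification task with no result at all. Either land the flag registration for `validate image` in the same change, or append the flag only after checking that the binary in the step image accepts it.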
Expand Up @@ -280,6 +280,7 @@ spec:
- "--workers"
- "$(params.WORKERS)"
- "--strict=false"
- "--show-policy-docs-link=true"

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Task usage:"
rg -n --fixed-strings 'show-policy-docs-link' \
  tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml

echo
echo "CLI flag registrations (validate commands):"
rg -n --fixed-strings 'show-policy-docs-link' cmd/validate || true

echo
echo "Validate image flags file context:"
sed -n '470,620p' cmd/validate/image.go | rg -n --fixed-strings 'show-policy-docs-link' || true

Repository: conforma/cli

Length of output: 238


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Context around YAML line 283 and 340 ==="
sed -n '275,290p' tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml | cat -n
echo
sed -n '332,347p' tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml | cat -n

echo
echo "=== Full validate command file structure ==="
find cmd/validate -type f -name "*.go" | sort

echo
echo "=== Check for flag registration patterns in all validate files ==="
rg -n "show.policy|PolicyDocs|policy.*docs" cmd/validate || echo "No matches found"

echo
echo "=== Search for flag registration in full image.go file ==="
wc -l cmd/validate/image.go
rg -n "show-policy" cmd/validate/image.go || echo "Not found in image.go"

echo
echo "=== Check if validate vsa exists ==="
find cmd/validate -name "*vsa*" -o -name "*vsa*.go"

Repository: conforma/cli

Length of output: 2254


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== vsa.go flag registration section ==="
# Look for where flags are registered (typically Flags() section or cmd.Flags().X patterns)
rg -A 20 "func.*Cmd\(\)|PersistentFlags\(\)|Flags\(\)" cmd/validate/vsa.go | head -80

echo
echo "=== image.go flag registration section ==="
rg -A 20 "func.*Cmd\(\)|PersistentFlags\(\)|Flags\(\)" cmd/validate/image.go | head -80

echo
echo "=== Check if flag appears in any other files in repo ==="
rg -l "show-policy-docs-link" --type go --type yaml . 2>/dev/null || echo "Only in YAML task file"

Repository: conforma/cli

Length of output: 8602


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Searching for show-successes in image.go to find where output flags are ==="
rg -n "show-successes" cmd/validate/image.go

echo
echo "=== Searching for all flag definitions containing 'show' in image.go ==="
rg -n 'cmd.Flags.*"show' cmd/validate/image.go

echo
echo "=== Full validation: search entire codebase for --show-policy-docs-link registration ==="
rg -n "show.policy.docs.link|show-policy-docs-link" cmd/ || echo "Not found in cmd/"

Repository: conforma/cli

Length of output: 590


--show-policy-docs-link flag is not registered in either validate image or validate vsa commands

Lines 283 and 340 use this flag, but a comprehensive search of cmd/validate/ confirms it is not defined in either image.go or vsa.go. Both commands will fail with "unknown flag" error at runtime, blocking task execution.

Remove both occurrences until CLI support is available:

Remove unsupported flags
-        - "--show-policy-docs-link=true"

Apply to both line 283 (validate vsa) and line 340 (validate image).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- "--show-policy-docs-link=true"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml`
at line 283, The task YAML includes an unsupported CLI flag
"--show-policy-docs-link=true" passed to the validate commands; remove both
occurrences of that flag from the argument lists for the validate vsa and
validate image commands (the entries invoking the validate vsa and validate
image commands in this task) so the commands only use registered flags; ensure
you delete the exact string "--show-policy-docs-link=true" from both places to
avoid unknown flag runtime errors.

- "--fallback-public-key"
- "$(params.PUBLIC_KEY)"
- "--output"
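Review bot: the new `- "--show-policy-docs-link=true"` entry after `- "--strict=false"` goes into an args list that carries no `--show-successes` entry, unlike the later hunk in this file, which suggests the two lists feed different commands. A flag registered on only one of them would make this step fail at argument parsing, so confirm that the command behind this list accepts the flag, or drop the entry here and keep it only where it is supported.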
Expand Down Expand Up @@ -336,6 +337,7 @@ spec:
- "--timeout=100h"
- "--strict=false"
- "--show-successes"
- "--show-policy-docs-link=true"
- "--effective-time=$(params.EFFECTIVE_TIME)"
- "--extra-rule-data=pipeline_intention=release"
- "--extra-rule-data=$(params.EXTRA_RULE_DATA)"
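Review bot: the added `- "--show-policy-docs-link=true"` sits directly under `- "--show-successes"`, so two adjacent boolean flags are written in different forms, one bare and one with `=true`. Pick one form for both, which keeps the list easier to scan and makes it obvious that neither entry expects a separate value element.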
Expand Up @@ -335,6 +335,7 @@ spec:
--timeout=0
--strict=false
--show-successes=true
--show-policy-docs-link=true
--effective-time="${EFFECTIVE_TIME}"
--extra-rule-data="${EXTRA_RULE_DATA}"
--retry-max-wait="${RETRY_MAX_WAIT}"
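Review bot: `--show-policy-docs-link=true` is added here as a fixed value with no accompanying change to the task's parameters or description in the visible lines, so users of the task cannot turn the link off and have no indication of which CLI version the task now requires. Consider exposing it the way `--effective-time="${EFFECTIVE_TIME}"` is exposed, through a variable with a default, and state the minimum `ec` version in the task documentation.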