feat: Enable policy docs link in Tekton tasks #3196
dheerajodha wants to merge 1 commit into conforma:main from
📝 Walkthrough
Three Tekton task YAML files are updated to add the
The patch looks okay, but I think there's some messed up snapshot files. Maybe start by putting them all back to how they were, then run
Nitpick: Commit messages sound a little AI-sloppy, especially the part where it says "Your colleague nailed it: " 😁
Add --show-policy-docs-link=true to all Tekton validation tasks since they run in production/CI environments where users benefit from having the documentation link when violations occur.
Changes:
- verify-enterprise-contract: Added flag to validate image command
- verify-conforma-konflux-ta: Added flag to validate image command
- verify-conforma-konflux-vsa-ta: Added flag to both validate vsa and validate image commands
This ensures CI/production users see the policy documentation link while demos remain clean (flag defaults to false).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
eb91225 to 1a717bb
Yes, those came from the commits related to PR for another ticket (EC-1603), and it contained those messy snapshot files (now fixed there). So, I decided to just rebase this branch on top of main branch and merge it once the other PR is merged first.
Woooops 😁 secret's out, my bot and I talk about you. But fr, sorry about that, I need to be more careful with commit messages. I've updated those commits at the source (#3173)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`:
- Line 393: The YAML adds the unsupported flag --show-policy-docs-link causing
unknown-flag failures; update the code that builds/assembles validate command
args (see cmd/validate/image.go and the function that constructs format/options
args) to check whether the CLI actually supports the flag before appending it:
use the command's FlagSet lookup (e.g.,
cmd.Flags().Lookup("show-policy-docs-link") or similar) or a dedicated
capability check and only append "--show-policy-docs-link=true" when the lookup
returns non-nil/true, otherwise skip adding it so the task remains compatible
with older CLI builds.
In
`@tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml`:
- Line 283: The task YAML includes an unsupported CLI flag
"--show-policy-docs-link=true" passed to the validate commands; remove both
occurrences of that flag from the argument lists for the validate vsa and
validate image commands (the entries invoking the validate vsa and validate
image commands in this task) so the commands only use registered flags; ensure
you delete the exact string "--show-policy-docs-link=true" from both places to
avoid unknown flag runtime errors.
In `@tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml`:
- Line 338: Add a compatibility guard around appending the CLI flag
--show-policy-docs-link to the ec validate image invocation: detect whether the
installed CLI supports that flag (e.g., run ec validate --help or parse
output/version) before adding "--show-policy-docs-link=true" and only append it
when supported; update the logic used where the flag is currently hardcoded (the
place adding "--show-policy-docs-link=true" in the task template) and apply the
same conditional pattern to the other occurrences of "--show-policy-docs-link"
in the verify-conforma-konflux-vsa-ta and verify-conforma-konflux-ta task
templates so the flag is never passed to CLI versions that don't support it.
📒 Files selected for processing (3)
tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml
tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
| --timeout=0 | ||
| --strict=false | ||
| --show-successes=true | ||
| --show-policy-docs-link=true |
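Review bot: the added `--show-policy-docs-link=true` on the last line of this hunk is passed unconditionally, like the hardcoded `--strict=false` and `--show-successes=true` above it, so the step only works when the `ec` binary in the task image registers the flag; an older binary stops at argument parsing with an unknown-flag error and no validation runs. The description says this depends on #3173, so merge only after that lands and the task image is built from it, and cover the step with a test that runs it against the shipped image.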
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --fixed-strings 'show-policy-docs-link' \
tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml \
cmd/validate
Repository: conforma/cli
Length of output: 167
🏁 Script executed:
# Search for the flag definition anywhere in the codebase
rg -n 'show-policy-docs-link' --type-list | head -20
rg -n 'show-policy-docs-link' -t go
Repository: conforma/cli
Length of output: 445
🏁 Script executed:
# Examine the validate image command structure
find . -name "image.go" -path "*/validate/*" -exec wc -l {} \;
Repository: conforma/cli
Length of output: 83
🏁 Script executed:
# Look for flag definitions in validate command
fd -e go . cmd/validate | head -20
Repository: conforma/cli
Length of output: 341
🏁 Script executed:
# Search for show-policy-docs-link in Go files
rg -t go 'show-policy-docs-link' .
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Examine image.go structure to find flag definitions
head -100 cmd/validate/image.go
Repository: conforma/cli
Length of output: 3574
🏁 Script executed:
# Look for flag registration patterns (common in cobra CLI)
rg -t go 'AddFlag|Flag\(' cmd/validate/image.go | head -30
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Search for flag registration in image.go more thoroughly
cat -n cmd/validate/image.go | grep -A2 -B2 'Flags\|Flag\|AddCommand' | head -80
Repository: conforma/cli
Length of output: 4332
🏁 Script executed:
# Look for all flag definitions (using Flags() method typical in cobra)
rg -t go 'cmd\.Flags\(\)' cmd/validate/image.go -A 3 | head -100
Repository: conforma/cli
Length of output: 6227
🏁 Script executed:
# Search for where flags are bound to struct fields
rg -t go 'BindFlags|MarkFlagRequired' cmd/validate/image.go -B 2 -A 2
Repository: conforma/cli
Length of output: 206
🏁 Script executed:
# Search for show-policy-docs-link and show-successes flags in the entire file
rg -t go 'show-successes|show-policy-docs-link' cmd/validate/image.go -B 2 -A 2
Repository: conforma/cli
Length of output: 425
🏁 Script executed:
# Look at the full flag definitions section around show-successes
sed -n '550,650p' cmd/validate/image.go
Repository: conforma/cli
Length of output: 4737
🏁 Script executed:
# Search the entire image.go for where show-successes flag is registered
rg -t go 'show-successes' cmd/validate/image.go -B 5 -A 5
Repository: conforma/cli
Length of output: 1141
🏁 Script executed:
# Look for all BoolVar registrations in image.go to see the pattern
rg -t go 'BoolVar' cmd/validate/image.go
Repository: conforma/cli
Length of output: 616
🏁 Script executed:
# Check if show-successes and show-warnings are defined elsewhere, maybe in output package
rg -t go 'show-successes|show-warnings' . --max-count 20
Repository: conforma/cli
Length of output: 5339
🏁 Script executed:
# Look more carefully - show-successes might be an output format option, not a flag
rg -t go 'show-successes\|show-warnings' cmd/validate/image.go -B 10
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Check if these are query parameters for output, not CLI flags
sed -n '330,350p' cmd/validate/image.go
Repository: conforma/cli
Length of output: 840
🏁 Script executed:
# Check validate.go to see where show-successes and show-warnings are registered
cat -n cmd/validate/validate.go | grep -A 5 -B 5 'show-successes\|show-warnings'
Repository: conforma/cli
Length of output: 423
🏁 Script executed:
# Now search for show-policy-docs-link anywhere in the entire codebase
rg 'show-policy-docs-link' --type-list 2>/dev/null | head -1 || rg 'policy-docs-link' .
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Check git history to see if this flag was recently added
git log --oneline -n 20 -- cmd/validate/image.go 2>/dev/null | head -10
Repository: conforma/cli
Length of output: 110
🏁 Script executed:
# Check the recent commit that mentions policy docs link
git show 1a717bb8 --stat 2>/dev/null | head -30
Repository: conforma/cli
Length of output: 1503
🏁 Script executed:
# Look for policy docs link in the output formatting code
rg -t go 'policy.*doc\|docs.*link' internal/ --max-count 20
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Search in internal/format and internal/output for this option
rg -t go 'PolicyDocs\|policyDocs\|policy-docs' . --max-count 20
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Get the full diff of the commit
git show 1a717bb8 --no-stat 2>/dev/null | head -200
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Check if show-policy-docs-link flag is defined as a registered flag in image.go or elsewhere
rg -t go 'show-policy-docs-link' cmd/validate/
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Check internal/format/target.go for output options handling
rg -t go 'show-' internal/format/target.go -B 3 -A 3
Repository: conforma/cli
Length of output: 343
🏁 Script executed:
# Check the exact output of git show to see what was added
git show 1a717bb8 -- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml 2>/dev/null | grep -A 5 -B 5 'show-policy-docs-link' | head -30
Repository: conforma/cli
Length of output: 905
🏁 Script executed:
# Check if there's a flag definition anywhere with this name by searching all Go files
fd -e go . | xargs grep -l 'show-policy-docs-link' 2>/dev/null
Repository: conforma/cli
Length of output: 40
🏁 Script executed:
# Let's check the Options struct in format package to see what options are supported
cat -n internal/format/target.go | grep -A 30 'type Options'
Repository: conforma/cli
Length of output: 884
🏁 Script executed:
# Final verification: check if flag is registered anywhere in Go code with a broader search
rg -t go 'show.policy.*docs|policy.*docs.*link' .
Repository: conforma/cli
Length of output: 38
🏁 Script executed:
# Confirm there is truly no flag registration or handling for show-policy-docs-link
rg -t go '"show-policy-docs-link"' cmd/
Repository: conforma/cli
Length of output: 38
Guard this flag by CLI capability to avoid unknown flag failures
Line 393 uses a flag that is not implemented in the CLI. The --show-policy-docs-link flag was added to the task file but is not registered in cmd/validate/image.go or handled in the format options. Conditionally append it only when supported.
Compatibility-safe patch
cmd_args+=(
--rekor-url="${REKOR_HOST}"
--workers="${WORKERS}"
--info="${INFO}"
--timeout=0
--strict=false
--show-successes=true
- --show-policy-docs-link=true
--effective-time="${EFFECTIVE_TIME}"
--extra-rule-data="${EXTRA_RULE_DATA}"
--retry-max-wait="${RETRY_MAX_WAIT}"
--retry-max-retry="${RETRY_MAX_RETRY}"
--retry-duration="${RETRY_DURATION}"
--retry-factor="${RETRY_FACTOR}"
--retry-jitter="${RETRY_JITTER}"
--output="text=${HOMEDIR}/text-report.txt?show-successes=false"
--output="json=${HOMEDIR}/report-json.json"
--output="appstudio=$(results.TEST_OUTPUT.path)"
)
+
+ if ec validate image --help 2>&1 | grep -q -- '--show-policy-docs-link'; then
+ cmd_args+=(--show-policy-docs-link=true)
+ fi
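Review bot: the guard in the last three added lines keys off `--help` text piped into `grep -q`, which exits at the first match; if the step script runs with `set -o pipefail`, a SIGPIPE on the `ec` side can turn a real match into a false condition. Capture the help output in a variable and test that instead, and print a message when the flag is skipped so a task that silently runs without the docs link is visible in the step log.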
| - "--workers" | ||
| - "$(params.WORKERS)" | ||
| - "--strict=false" | ||
| - "--show-policy-docs-link=true" |
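Review bot: the `--show-policy-docs-link=true` entry at the end of this hunk is a hardcoded literal, while `--workers` just above it takes its value from `$(params.WORKERS)`. Since this is a YAML argument list rather than a shell array, there is no place here to gate the flag on CLI support, so either ship the task and the CLI change in the same release or expose the value through a task parameter (name to be chosen) so pipelines set it explicitly.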
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Task usage:"
rg -n --fixed-strings 'show-policy-docs-link' \
tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml
echo
echo "CLI flag registrations (validate commands):"
rg -n --fixed-strings 'show-policy-docs-link' cmd/validate || true
echo
echo "Validate image flags file context:"
sed -n '470,620p' cmd/validate/image.go | rg -n --fixed-strings 'show-policy-docs-link' || true
Repository: conforma/cli
Length of output: 238
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Context around YAML line 283 and 340 ==="
sed -n '275,290p' tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml | cat -n
echo
sed -n '332,347p' tasks/verify-conforma-konflux-vsa-ta/0.1/verify-conforma-konflux-vsa-ta.yaml | cat -n
echo
echo "=== Full validate command file structure ==="
find cmd/validate -type f -name "*.go" | sort
echo
echo "=== Check for flag registration patterns in all validate files ==="
rg -n "show.policy|PolicyDocs|policy.*docs" cmd/validate || echo "No matches found"
echo
echo "=== Search for flag registration in full image.go file ==="
wc -l cmd/validate/image.go
rg -n "show-policy" cmd/validate/image.go || echo "Not found in image.go"
echo
echo "=== Check if validate vsa exists ==="
find cmd/validate -name "*vsa*" -o -name "*vsa*.go"
Repository: conforma/cli
Length of output: 2254
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== vsa.go flag registration section ==="
# Look for where flags are registered (typically Flags() section or cmd.Flags().X patterns)
rg -A 20 "func.*Cmd\(\)|PersistentFlags\(\)|Flags\(\)" cmd/validate/vsa.go | head -80
echo
echo "=== image.go flag registration section ==="
rg -A 20 "func.*Cmd\(\)|PersistentFlags\(\)|Flags\(\)" cmd/validate/image.go | head -80
echo
echo "=== Check if flag appears in any other files in repo ==="
rg -l "show-policy-docs-link" --type go --type yaml . 2>/dev/null || echo "Only in YAML task file"
Repository: conforma/cli
Length of output: 8602
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching for show-successes in image.go to find where output flags are ==="
rg -n "show-successes" cmd/validate/image.go
echo
echo "=== Searching for all flag definitions containing 'show' in image.go ==="
rg -n 'cmd.Flags.*"show' cmd/validate/image.go
echo
echo "=== Full validation: search entire codebase for --show-policy-docs-link registration ==="
rg -n "show.policy.docs.link|show-policy-docs-link" cmd/ || echo "Not found in cmd/"
Repository: conforma/cli
Length of output: 590
--show-policy-docs-link flag is not registered in either validate image or validate vsa commands
Lines 283 and 340 use this flag, but a comprehensive search of cmd/validate/ confirms it is not defined in either image.go or vsa.go. Both commands will fail with "unknown flag" error at runtime, blocking task execution.
Remove both occurrences until CLI support is available:
Remove unsupported flags
- - "--show-policy-docs-link=true"
Apply to both line 283 (validate vsa) and line 340 (validate image).
📝 Committable suggestion
| - "--show-policy-docs-link=true" |
Depends on #3173
Add --show-policy-docs-link=true to all Tekton validation tasks for prod envs.
Changes: