From f18a71776529f29c46e703ada83138756179a607 Mon Sep 17 00:00:00 2001
From: cuipinghuo
Date: Thu, 18 Jun 2026 15:46:07 -0400
Subject: [PATCH] Add debug log output to redhat release policy test and remove unnecessary RuleData override

The 'verifies redhat products pass the redhat policy rule collection before release' test was missing the step-report-json container log output that the other release policy test cases include. Add the same GetContainerLogs/GinkgoWriter pattern for easier debugging on failure. Also remove the restrict_cve_security_levels RuleData override since the golden image has zero critical/high CVEs and the default policy settings already allow it to pass without overriding.
---
 tests/contract/contract.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/tests/contract/contract.go b/tests/contract/contract.go
index 52d5e6b..1d2f473 100644
--- a/tests/contract/contract.go
+++ b/tests/contract/contract.go
@@ -352,8 +352,16 @@ var _ = framework.ConformaSuiteDescribe("Conforma E2E tests", ginkgo.Label("ec")
 "-----END PUBLIC KEY-----")
 gomega.Expect(fwk.AsKubeAdmin.TektonController.CreateOrUpdateSigningSecret(goldenImagePublicKey, secretName, namespace)).To(gomega.Succeed())
 generator.PublicKey = fmt.Sprintf("k8s://%s/%s", namespace, secretName)
- // Append extra excludes to the default ECP rather than replacing
- // the entire config, which would drop its existing excludes.
+
+ // slsa_source_correlated.source_code_reference_provided is excluded
+ // because the test generator only passes a container image without
+ // a source code reference (git repo + revision), so the rule would
+ // always fail.
+
+ // cve.cve_results_found is excluded because the Clair scan report
+ // artifacts for the golden image can be garbage-collected from
+ // quay.io, making the CVE data unfetchable even though the
+ // attestation references it.
 releasePolicy := *defaultECP.Spec.DeepCopy()
 for i := range releasePolicy.Sources {
 releasePolicy.Sources[i].Config.Exclude = append(
@@ -361,7 +369,6 @@ var _ = framework.ConformaSuiteDescribe("Conforma E2E tests", ginkgo.Label("ec")
 "slsa_source_correlated.source_code_reference_provided",
 "cve.cve_results_found",
 )
- releasePolicy.Sources[i].RuleData = &apiextensionsv1.JSON{Raw: []byte(`{"restrict_cve_security_levels": ["critical"]}`)}
 }
 gomega.Expect(fwk.AsKubeAdmin.TektonController.CreateOrUpdatePolicyConfiguration(namespace, releasePolicy)).To(gomega.Succeed())
 
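Review bot: The new `cve.cve_results_found` comment in the first hunk says why the exclusion is needed but not what it costs: when the Clair report cannot be fetched, the remaining `cve.*` severity checks presumably have no data to evaluate, so a green run would not show that the golden image satisfies the default `restrict_cve_security_levels` that this commit now relies on (the override is dropped in the following hunk). I would add one sentence to that comment, for example `// With this excluded, a run without scan data does not exercise the CVE severity rules.`, after confirming how the policy treats a missing report. The replaced comment also held the reason for appending to a deep copy of the default ECP instead of replacing its excludes, and that rationale is worth keeping as one line above the loop. The enclosing `It` closure starts and ends outside the hunk.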
@@ -379,6 +386,10 @@ var _ = framework.ConformaSuiteDescribe("Conforma E2E tests", ginkgo.Label("ec")
 gomega.Expect(tr.Status.Results).ShouldNot(gomega.Or(
 gomega.ContainElements(tekton.MatchTaskRunResultWithJSONPathValue(constants.TektonTaskTestOutputName, "{$.result}", `["FAILURE"]`)),
 ))
+
+ reportLog, err := framework.GetContainerLogs(fwk.AsKubeAdmin.CommonController.KubeInterface(), tr.Status.PodName, "step-report-json", namespace)
+ ginkgo.GinkgoWriter.Printf("*** Logs from pod '%s', container '%s':\n----- START -----%s----- END -----\n", tr.Status.PodName, "step-report-json", reportLog)
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
 })
 
 ginkgo.It("verifies the release policy: Task are trusted", func() {
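Review bot: The log dump is placed after the `gomega.Expect(tr.Status.Results).ShouldNot(...)` assertion, so when that assertion fails the spec stops there (assuming Gomega is wired to Ginkgo's fail handler as usual) and the `step-report-json` output is never printed, which is exactly the case the commit message wants it for. Move the three added lines above that assertion, or register them with `defer` once `tr` is available, so the report is written whether or not the result check passes. The `It` closure starts outside the hunk, so any earlier log output in it is not visible here.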