Bump github.com/styrainc/regal from 0.9.1-0.20230928133047-716a574ee33e to 0.10.0

.regal/config.yaml

@@ -8,3 +8,6 @@ rules:
       level: warning
     line-length:
       max-line-length: 130
+  idiomatic:
+    no-defined-entrypoint:
+      level: ignore

go.mod

@@ -4,8 +4,8 @@ go 1.21
 
 require (
 	github.com/open-policy-agent/conftest v0.46.0
-	github.com/open-policy-agent/opa v0.57.0
-	github.com/styrainc/regal v0.9.1-0.20230928133047-716a574ee33e
+	github.com/open-policy-agent/opa v0.57.1-0.20231003111229-7fa6165c27bb
+	github.com/styrainc/regal v0.10.0
 	github.com/tektoncd/cli v0.32.0
 )
 

go.sum

@@ -2311,8 +2311,8 @@ github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/open-policy-agent/conftest v0.46.0 h1:91NFzcOh7aDiIdf+pfgdqE9RP7xy7KLZu6m2UWca6ZE=
 github.com/open-policy-agent/conftest v0.46.0/go.mod h1:UiQCjVlXxO850P5glVu1HdQf7eZZz+BSWZVyob+nHUE=
-github.com/open-policy-agent/opa v0.57.0 h1:DftxYfOEHOheXvO2Q6HCIM2ZVdKrvnF4cZlU9C64MIQ=
-github.com/open-policy-agent/opa v0.57.0/go.mod h1:3FY6GNSbUqOhjCdvTXCBJ2rNuh66p/XrIc2owr/hSwo=
+github.com/open-policy-agent/opa v0.57.1-0.20231003111229-7fa6165c27bb h1:D9q7LaCyzkCNAe9xPAG11fumqVnwsG1ih3vwaB3/qMA=
+github.com/open-policy-agent/opa v0.57.1-0.20231003111229-7fa6165c27bb/go.mod h1:3FY6GNSbUqOhjCdvTXCBJ2rNuh66p/XrIc2owr/hSwo=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -2635,8 +2635,8 @@ github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/styrainc/regal v0.9.1-0.20230928133047-716a574ee33e h1:RmlswOIugip9VFiPh5xz30UHUta7TYoBVxj9WaOt8aU=
-github.com/styrainc/regal v0.9.1-0.20230928133047-716a574ee33e/go.mod h1:e37Y2X13OAE7uuZra/VgoO1zV+zhPJ99cevYvPAxts4=
+github.com/styrainc/regal v0.10.0 h1:GiJOwwG2ETyWrdDwOGZKZJ5kLxR88myF6hxyQ6AiouI=
+github.com/styrainc/regal v0.10.0/go.mod h1:kUeiROeSdGloHMYlS49gp0t/h+JUoTj+Kch6VYB2pzI=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=

policy/lib/assertions_test.rego

@@ -42,6 +42,7 @@ test_assert_not_empty {
 	not lib.assert_not_empty(set())
 }
 
+# regal ignore:rule-length
 test_assert_equal_results {
 	# Empty results
 	lib.assert_equal_results(set(), set())

policy/lib/bundles.rego

@@ -52,9 +52,11 @@ unacceptable_task_bundle(tasks) := {task |
 }
 
 # Returns if the required task-bundles data is missing
+default missing_task_bundles_data := false
+
 missing_task_bundles_data {
 	count(data["task-bundles"]) == 0
-} else := false
+}
 
 # Returns true if the provided bundle reference is acceptable
 is_acceptable(bundle_ref) {

policy/lib/image_test.rego

@@ -3,6 +3,7 @@ package lib.image_test
 import data.lib
 import data.lib.image
 
+# regal ignore:rule-length
 test_parse {
 	repository := "registry.com/re/po"
 	repository_with_port := "registry.com:8443/re/po"

policy/lib/refs.rego

@@ -12,6 +12,7 @@ import future.keywords.in
 # gives precedence to the old-style. Further, Tekton falls back to the local resolver if
 # a bundle is not used in neither format. The "else" usage in this function ensures the
 # same precendence order is honored.
+# regal ignore:rule-length
 task_ref(task) := i {
 	# Handle old-style bundle reference
 	r := _ref(task)

policy/lib/tekton/task.rego

@@ -7,9 +7,11 @@ import future.keywords.in
 import data.lib.refs
 import data.lib.time
 
+default missing_required_tasks_data := false
+
 missing_required_tasks_data if {
 	count(data["required-tasks"]) == 0
-} else := false
+}
 
 # The latest set of required tasks. Tasks here are not required right now
 # but will be required in the future.

policy/lib/tekton/task_test.rego

@@ -31,6 +31,7 @@ test_tasks_from_attestation if {
 	lib.assert_equal(expected, tkn.tasks(attestation))
 }
 
+# regal ignore:rule-length
 test_tasks_from_slsav1_tekton_attestation if {
 	content := json.marshal(slsav1_attestation_local_spec)
 	task := {
@@ -81,6 +82,7 @@ test_tasks_from_slsav1_tekton_attestation if {
 	lib.assert_equal(expected, tkn.tasks(attestation))
 }
 
+# regal ignore:rule-length
 test_tasks_from_slsav1_tekton_mixture_attestation if {
 	task1 := json.marshal(json.patch(slsav1_attestation_local_spec, [{
 		"op": "add",
@@ -254,6 +256,7 @@ test_tasks_from_attestation_with_spam if {
 	lib.assert_equal(expected_names, tkn.tasks_names(attestation))
 }
 
+# regal ignore:rule-length
 test_tasks_from_pipeline_with_spam if {
 	pipeline := {
 		"kind": "Pipeline",

policy/lib/time_test.rego

@@ -35,6 +35,7 @@ test_effective_current_time_ns {
 	) with data.config.policy.when_ns as future_timestamp
 }
 
+# regal ignore:rule-length
 test_most_current {
 	# Ignore future item
 	lib.assert_equal(
@@ -67,6 +68,7 @@ test_most_current {
 	)
 }
 
+# regal ignore:rule-length
 test_future_items {
 	# Ignore items in the past
 	lib.assert_equal(
@@ -108,6 +110,7 @@ test_future_items {
 	)
 }
 
+# regal ignore:rule-length
 test_acceptable_items {
 	# Include future items and most current
 	lib.assert_equal(

policy/release/buildah_build_task_test.rego

@@ -15,6 +15,7 @@ test_good_dockerfile_param if {
 	lib.assert_empty(buildah_build_task.deny) with input.attestations as [slsav1_attestation]
 }
 
+# regal ignore:rule-length
 test_buildah_tasks if {
 	tasks := [
 		{
@@ -113,6 +114,7 @@ test_missing_pipeline_run_attestations if {
 	lib.assert_empty(buildah_build_task.deny) with input.attestations as [slsav1_attestation]
 }
 
+# regal ignore:rule-length
 test_multiple_buildah_tasks if {
 	attestation := {"statement": {"predicate": {
 		"buildType": lib.tekton_pipeline_run,
@@ -165,6 +167,7 @@ test_multiple_buildah_tasks if {
 	lib.assert_empty(buildah_build_task.deny) with input.attestations as [slsav1_attestation]
 }
 
+# regal ignore:rule-length
 test_multiple_buildah_tasks_one_without_params if {
 	attestation := {"statement": {"predicate": {
 		"buildType": lib.tekton_pipeline_run,
@@ -214,6 +217,7 @@ test_multiple_buildah_tasks_one_without_params if {
 	lib.assert_equal_results(expected, buildah_build_task.deny) with input.attestations as [slsav1_attestation]
 }
 
+# regal ignore:rule-length
 test_multiple_buildah_tasks_one_with_external_dockerfile if {
 	attestation := {"statement": {"predicate": {
 		"buildType": lib.tekton_pipeline_run,

policy/release/github_certificate_test.rego

@@ -83,6 +83,7 @@ test_gh_workflow_trigger_mismatch if {
 		with data.rule_data.allowed_gh_workflow_triggers as ["build"]
 }
 
+# regal ignore:rule-length
 test_missing_extensions if {
 	expected := {
 		{

policy/release/hermetic_build_task.rego

@@ -35,8 +35,10 @@ deny contains result if {
 	result := lib.result_helper(rego.metadata.chain(), [])
 }
 
+default hermetic_build := "false"
+
 hermetic_build := value if {
 	some attestation in lib.pipelinerun_attestations
 	task := tkn.build_task(attestation)
 	value := tkn.task_param(task, "HERMETIC")
-} else := "false"
+}

policy/release/labels.rego

@@ -149,7 +149,10 @@ disallowed_inherited_labels := lib.rule_data("disallowed_inherited_labels") if {
 # A file-based catalog (FBC) image is just like a regular binary image, but
 # with a very specific application in the operator framework ecosystem. Here
 # we use heurisitics to determine whether or not the image is an FBC image.
+
+default is_fbc := false
+
 is_fbc if {
 	some label in labels
 	label.name == "operators.operatorframework.io.index.configs.v1"
-} else := false
+}

policy/release/lib/attestations_test.rego

@@ -134,6 +134,7 @@ test_pr_attestations {
 	]
 }
 
+# regal ignore:rule-length
 test_pipelinerun_slsa_provenance_v1 {
 	provenance_with_pr_spec := {"statement": {
 		"predicateType": "https://slsa.dev/provenance/v1",

policy/release/olm_test.rego

@@ -46,6 +46,7 @@ manifest := {
 	"metadata-with-empty-annotations": {"metadata": {"annotations": {}}},
 }
 
+# regal ignore:rule-length
 test_all_image_ref if {
 	lib.assert_equal(
 		[

policy/release/sbom_spdx_test.rego

@@ -27,6 +27,7 @@ test_not_found if {
 		with input.image.ref as "registry.local/spam@sha256:123"
 }
 
+# regal ignore:rule-length
 test_not_valid if {
 	attestations := [
 		# bad name

policy/release/schedule_test.rego

@@ -7,6 +7,7 @@ test_no_restriction_by_default {
 	lib.assert_empty(schedule.deny)
 }
 
+# regal ignore:rule-length
 test_weekday_restriction {
 	disallowed := ["friday", "saturday", "sunday"]
 

policy/release/slsa_source_correlated.rego

@@ -88,50 +88,59 @@ deny contains result if {
 #   - redhat
 #   depends_on:
 #   - attestation_type.known_attestation_type
-#
 deny contains result if {
 	count(_source_references) > 0
 
-	some vcs_type, vcs_info in input.image.source
-
-	# e.g. git+https://github.com/...
-	expected_vcs_uri := sprintf("%s+%s", [vcs_type, vcs_info.url])
-	expected_revision := vcs_info.revision
-	expected_sources := {
-		sprintf("%s@sha1:%s", [expected_vcs_uri, expected_revision]),
-		# tolerate missing .git suffix
-		sprintf("%s.git@sha1:%s", [expected_vcs_uri, expected_revision]),
-		# tolerate extra or missing .git suffix
-		sprintf("%s@sha1:%s", [trim_suffix(expected_vcs_uri, ".git"), expected_revision]),
-		sprintf("%s@gitCommit:%s", [
-			expected_vcs_uri,
-			crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
-		]),
-		# tolerate missing .git suffix
-		sprintf("%s.git@gitCommit:%s", [
-			expected_vcs_uri,
-			crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
-		]),
-		# tolerate extra or missing .git suffix
-		sprintf("%s@gitCommit:%s", [
-			trim_suffix(expected_vcs_uri, ".git"),
-			crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
-		]),
-	}
+	some expected_source in _expected_sources
 
 	# TODO: this is rather loose, this checks that the expected source is
 	# one of the attested sources, thus allowing also the inclusion of
 	# unexpected source
-	count(expected_sources & _source_references) == 0
+	count(expected_source.refs & _source_references) == 0
 
 	some attested_source in _source_references
 
 	result := lib.result_helper_with_term(
 		rego.metadata.chain(),
-		[sprintf("%s@%s", [expected_vcs_uri, expected_revision])], attested_source,
+		[sprintf("%s@%s", [expected_source.expected_vcs_uri, expected_source.expected_revision])], attested_source,
 	)
 }
 
+_refs(expected_vcs_uri, expected_revision) := {
+	sprintf("%s@sha1:%s", [expected_vcs_uri, expected_revision]),
+	# tolerate missing .git suffix
+	sprintf("%s.git@sha1:%s", [expected_vcs_uri, expected_revision]),
+	# tolerate extra or missing .git suffix
+	sprintf("%s@sha1:%s", [trim_suffix(expected_vcs_uri, ".git"), expected_revision]),
+	sprintf("%s@gitCommit:%s", [
+		expected_vcs_uri,
+		crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
+	]),
+	# tolerate missing .git suffix
+	sprintf("%s.git@gitCommit:%s", [
+		expected_vcs_uri,
+		crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
+	]),
+	# tolerate extra or missing .git suffix
+	sprintf("%s@gitCommit:%s", [
+		trim_suffix(expected_vcs_uri, ".git"),
+		crypto.sha1(sprintf("commit %d%s%s", [count(expected_revision), nul, expected_revision])),
+	]),
+}
+
+_expected_sources contains expected_source if {
+	some vcs_type, vcs_info in input.image.source
+
+	# e.g. git+https://github.com/...
+	expected_vcs_uri := sprintf("%s+%s", [vcs_type, vcs_info.url])
+	expected_revision := vcs_info.revision
+	expected_source := {
+		"expected_vcs_uri": expected_vcs_uri,
+		"expected_revision": expected_revision,
+		"refs": _refs(expected_vcs_uri, expected_revision),
+	}
+}
+
 # SLSA Provenance v0.2
 _source_references contains ref if {
 	some att in lib.pipelinerun_attestations

policy/release/slsa_source_correlated_test.rego

@@ -42,6 +42,7 @@ test_deny_material_code_reference {
 		with input.attestations as [_source_resolved_dependencies_attestation("xyz+https://some.repository", "ref")]
 }
 
+# regal ignore:rule-length
 test_deny_expected_source_code_reference_happy_day {
 	# one material matches expected SLSA Provenance v0.2
 	lib.assert_empty(slsa_source_correlated.deny) with input.image as expected
@@ -182,6 +183,7 @@ test_deny_expected_source_code_reference_happy_day {
 		}])]
 }
 
+# regal ignore:rule-length
 test_deny_expected_source_code_reference_v02 {
 	# different scm SLSA Provenance v0.2
 	lib.assert_equal_results(slsa_source_correlated.deny, {{
@@ -232,6 +234,7 @@ test_deny_expected_source_code_reference_v02 {
 		]
 }
 
+# regal ignore:rule-length
 test_deny_expected_source_code_reference_v10 {
 	# different scm SLSA Provenance v1.0
 	lib.assert_equal_results(slsa_source_correlated.deny, {{
@@ -314,6 +317,7 @@ test_slsa_v02_source_references {
 	]
 }
 
+# regal ignore:rule-length
 test_slsa_v10_source_references {
 	att1 = _resolved_dependencies_attestation([])
 	lib.assert_empty(slsa_source_correlated._source_references) with input.attestations as [att1]

policy/release/slsa_source_version_controlled_test.rego

@@ -49,6 +49,7 @@ test_non_git_uri if {
 	) with input.attestations as [_mock_attestation(materials)]
 }
 
+# regal ignore:rule-length
 test_non_git_commit if {
 	materials := [
 		{

policy/release/tasks_test.rego

@@ -22,6 +22,7 @@ test_no_tasks_present if {
 	lib.assert_equal_results(tasks.deny, expected) with input.attestations as _slsav1_attestations_with_tasks([], [])
 }
 
+# regal ignore:rule-length
 test_failed_tasks if {
 	expected := {
 		{
@@ -204,6 +205,7 @@ test_current_equal_latest_also if {
 		with input.attestations as slsav1_attestations
 }
 
+# regal ignore:rule-length
 test_parameterized if {
 	with_wrong_parameter := [
 		{

policy/release/test_test.rego

@@ -123,6 +123,7 @@ test_warning_is_warning {
 	}}) with input.attestations as warning_test
 }
 
+# regal ignore:rule-length
 test_mixed_statuses {
 	test_results := [
 		lib_test.att_mock_helper_ref(lib.task_test_result_name, {"result": "ERROR"}, "error_1", _bundle),