Several keyless verification task improvements

[simonbaird]

Here's what's included:

• Support for the -regexp versions of the keyless verification params. Prefer the non-regexp param if (for some reason) both are present.
• Make it so we never use --ignore-rekor when doing keyless verification even if IGNORE_REKOR is true. This is because you need a transparency log entry from Rekor to do keyless verification.
• Some minor bash env var handling logic tweaks related to handling of unlikely edge cases. Note that we're still trying not to add a layer of bash logic for param sanitizing as per the comment there.

This could be broken up into multiple commits, and originally it was, but I've been working on a previous version of PR too long and I don't think it's worth the effort right now.

Ref: https://redhat.atlassian.net/browse/EC-1652

Note: These changes were originally in #3171 also.

[qodo-code-review]

Review Summary by Qodo

Add regexp support for keyless verification parameters

✨ Enhancement

Walkthroughs

Description

• Add support for regexp versions of keyless verification parameters
• Implement preference logic for non-regexp params over regexp variants
• Force --ignore-rekor=false for keyless verification workflows
• Add comprehensive test scenarios for regexp-based certificate matching

Diagram

flowchart LR
  A["Keyless Verification Parameters"] --> B["CERTIFICATE_IDENTITY<br/>CERTIFICATE_OIDC_ISSUER"]
  A --> C["CERTIFICATE_IDENTITY_REGEXP<br/>CERTIFICATE_OIDC_ISSUER_REGEXP"]
  B --> D["Preferred if present"]
  C --> E["Fallback option"]
  D --> F["Build command args"]
  E --> F
  F --> G["Force ignore-rekor=false<br/>for keyless flow"]
  H["Traditional Signing"] --> I["Use PUBLIC_KEY<br/>and IGNORE_REKOR param"]

Loading

File Changes

1. docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc 📝 Documentation +2/-0

Document regexp keyless verification parameters

• Added documentation for two new parameters: CERTIFICATE_IDENTITY_REGEXP and
 CERTIFICATE_OIDC_ISSUER_REGEXP
• Documented that non-regexp versions take precedence when both are present
• Clarified parameter usage for keyless verification workflows

docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc

---

2. docs/modules/ROOT/pages/verify-enterprise-contract.adoc 📝 Documentation +2/-0

Document regexp keyless verification parameters

• Added documentation for two new parameters: CERTIFICATE_IDENTITY_REGEXP and
 CERTIFICATE_OIDC_ISSUER_REGEXP
• Documented that non-regexp versions take precedence when both are present
• Clarified parameter usage for keyless verification workflows

docs/modules/ROOT/pages/verify-enterprise-contract.adoc

---

3. features/task_validate_image.feature 🧪 Tests +64/-1

Add test scenarios for regexp keyless verification

• Added new test scenario for keyless verification with regexp parameters (cosign v2 style)
• Added new test scenario for keyless verification with regexp parameters (cosign v3 style with
 failure case)
• Removed explicit IGNORE_REKOR parameter from existing keyless test (now handled implicitly)
• Tests verify both successful matching and intentional failure cases with regexp patterns

features/task_validate_image.feature

---

View more (2)

4. tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml ✨ Enhancement +51/-5

Implement regexp keyless verification parameter support

• Added two new task parameters: CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP
• Refactored bash logic to check all four keyless parameters and prefer non-regexp over regexp
 variants
• Changed --ignore-rekor handling: force it to false for keyless verification, apply user value
 only for traditional signing
• Passed new regexp parameters to the container environment

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml

---

5. tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml ✨ Enhancement +51/-5

Implement regexp keyless verification parameter support

• Added two new task parameters: CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP
• Refactored bash logic to check all four keyless parameters and prefer non-regexp over regexp
 variants
• Changed --ignore-rekor handling: force it to false for keyless verification, apply user value
 only for traditional signing
• Passed new regexp parameters to the container environment

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

---

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d9a07a17-3b53-4064-a488-f4a1cacbe160

📥 Commits

Reviewing files that changed from the base of the PR and between 2917135 and 1b3ecae.

⛔ Files ignored due to path filters (1)

• features/__snapshots__/task_validate_image.snap is excluded by !**/*.snap

📒 Files selected for processing (5)

• docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc
• docs/modules/ROOT/pages/verify-enterprise-contract.adoc
• features/task_validate_image.feature
• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
• tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/modules/ROOT/pages/verify-enterprise-contract.adoc

---

📝 Walkthrough

Walkthrough

Adds regexp-based keyless verification parameters and wiring across docs, tasks, and tests; validation logic now treats keyless mode as active when any certificate exact or regexp param is present, prefers exact params over regexp, and forces Rekor checks for keyless flows.

Changes

Cohort / File(s)	Summary
Documentation docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc, docs/modules/ROOT/pages/verify-enterprise-contract.adoc	Added CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP; updated PUBLIC_KEY and IGNORE_REKOR docs to include regexp params and note IGNORE_REKOR is disregarded when any CERTIFICATE_* keyless params are used.
Task Definitions tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml, tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml	Added CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP params and exported them to validate. Validation now enters keyless mode if any certificate exact/regexp param is set; identity/issuer args prefer exact values over regexp counterparts; keyless forces --ignore-rekor=false. Traditional branch keeps --public-key and applies --ignore-rekor="${IGNORE_REKOR}" only in that branch.
Feature Tests features/task_validate_image.feature	Removed explicit IGNORE_REKOR from an existing cosign v2 keyless scenario; added cosign v2 success and cosign v3 failure scenarios exercising the new regexp-based keyless parameters with Rekor/STRICT assertions and snapshot checks.

Sequence Diagram(s)

sequenceDiagram
    participant Task as Task Runner
    participant Validate as Validate Script
    participant Cosign as Cosign
    participant Rekor as Rekor

    Task->>Validate: invoke with params (PUBLIC_KEY, IGNORE_REKOR, CERTIFICATE_IDENTITY, CERTIFICATE_OIDC_ISSUER, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER_REGEXP)
    Validate->>Validate: if any CERTIFICATE_* present -> keyless branch
    alt Keyless branch
        Validate->>Validate: pick identity := CERTIFICATE_IDENTITY or CERTIFICATE_IDENTITY_REGEXP
        Validate->>Validate: pick issuer := CERTIFICATE_OIDC_ISSUER or CERTIFICATE_OIDC_ISSUER_REGEXP
        Validate->>Validate: set --ignore-rekor=false
        Validate->>Cosign: run verification with certificate args (identity, issuer, --ignore-rekor=false)
        Cosign->>Rekor: record/check entry
        Cosign-->>Validate: result
    else Traditional branch
        Validate->>Validate: use --public-key and --ignore-rekor="${IGNORE_REKOR}"
        Validate->>Cosign: run verification with public-key and ignore-rekor flag
        alt IGNORE_REKOR == false
            Cosign->>Rekor: record/check entry
        else
            Note right of Cosign: Rekor checks skipped
        end
        Cosign-->>Validate: result
    end
    Validate-->>Task: final task result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding regexp-based keyless verification parameters and improving keyless verification handling, which aligns with the changeset.
Description check	✅ Passed	The description is directly related to the changeset, detailing the three main improvements: regexp parameter support, IGNORE_REKOR handling for keyless verification, and bash logic tweaks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)

1. PUBLIC_KEY precedence misdocumented 🐞 Bug ⚙ Maintainability

Description

The tasks now treat CERTIFICATE_*_REGEXP params as keyless verification triggers (thereby ignoring
PUBLIC_KEY), but the PUBLIC_KEY parameter text/docs still only mention the non-regexp CERTIFICATE_*
params. This can cause users to unintentionally switch verification modes when using the new regexp
params and hit unexpected task failures.

Code

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[R288-292]

+        if [ -n "${CERTIFICATE_IDENTITY}" ] || \
+           [ -n "${CERTIFICATE_OIDC_ISSUER}" ] || \
+           [ -n "${CERTIFICATE_IDENTITY_REGEXP}" ] || \
+           [ -n "${CERTIFICATE_OIDC_ISSUER_REGEXP}" ]; then
+          # If *any* of the above are non-empty assume the intention is to

Evidence

The task’s keyless-mode detection was expanded to include *_REGEXP params, so providing them will
take the keyless path; however, PUBLIC_KEY’s description (and the generated docs) still describes
only CERTIFICATE_IDENTITY / CERTIFICATE_OIDC_ISSUER as causing PUBLIC_KEY to be ignored, which is
now incomplete.

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[288-325]
tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[59-67]
docs/modules/ROOT/pages/verify-enterprise-contract.adoc[35-40]
docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc[24-29]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The tasks now switch to keyless verification when either exact-match cert params *or* the new regexp cert params are set, but the PUBLIC_KEY parameter description (and generated docs) still only mention the exact-match cert params as the trigger for ignoring PUBLIC_KEY.

### Issue Context
This PR adds CERTIFICATE_IDENTITY_REGEXP / CERTIFICATE_OIDC_ISSUER_REGEXP and updates the bash logic to treat them as keyless triggers. Documentation/spec text should reflect that PUBLIC_KEY is ignored when *any* keyless cert param (exact or regexp) is provided.

### Fix Focus Areas
- tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[59-67]
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[52-60]
- docs/modules/ROOT/pages/verify-enterprise-contract.adoc[35-40]
- docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc[24-29]

### Suggested change
Update the PUBLIC_KEY description to say it is ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_OIDC_ISSUER, CERTIFICATE_IDENTITY_REGEXP, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided (and fix the spelling of “precedence” while updating nearby text).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Keyless ignores IGNORE_REKOR 🐞 Bug ⚙ Maintainability

Description

In keyless mode, the tasks now forcibly pass --ignore-rekor=false (by design), so IGNORE_REKOR has
no effect when keyless params are used. The task docs/spec still describe IGNORE_REKOR as generally
skipping Rekor checks without noting it’s overridden for keyless verification, which can confuse
users troubleshooting behavior.

Code

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[R315-318]

+          # Force --ignore-rekor to false since we need rekor
          cmd_args+=(
-            --certificate-identity="${CERTIFICATE_IDENTITY}"
-            --certificate-oidc-issuer="${CERTIFICATE_OIDC_ISSUER}"
+            --ignore-rekor=false
          )
-        elif [ -n "${PUBLIC_KEY}" ]; then

Evidence

The implementation explicitly forces Rekor transparency log checks on in the keyless branch, while
the docs continue to describe IGNORE_REKOR as a general toggle. The CLI maps ignoreRekor to cosign’s
IgnoreTlog, so this override materially changes behavior in keyless runs and should be documented.

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[315-325]
tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[370-380]
docs/modules/ROOT/pages/verify-enterprise-contract.adoc[41-43]
internal/policy/policy.go[438-509]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The tasks now force `--ignore-rekor=false` when keyless verification is selected, meaning the IGNORE_REKOR task param is intentionally overridden in keyless mode. The docs/spec currently describe IGNORE_REKOR as a general “skip Rekor checks” toggle, which is no longer accurate for keyless flows.

### Issue Context
This is an intentional behavioral constraint (keyless verification requires transparency log checking for this workflow). Users need an explicit note to avoid confusion when IGNORE_REKOR is set but has no effect.

### Fix Focus Areas
- tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[107-112]
- tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml[288-325]
- tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml[100-104]
- docs/modules/ROOT/pages/verify-enterprise-contract.adoc[41-43]
- docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc[30-32]

### Suggested change
Adjust IGNORE_REKOR’s description to explicitly state it applies to traditional (public-key) verification only, and that it is forced to `false` when keyless parameters (including *_REGEXP) are used.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@features/task_validate_image.feature`:
- Around line 382-412: Add two assertions to the keyless regexp scenarios: (1)
add a case proving exact params override regexp params by including both an
exact match parameter (e.g., CERTIFICATE_IDENTITY or CERTIFICATE_OIDC_ISSUER)
alongside CERTIFICATE_IDENTITY_REGEXP/CERTIFICATE_OIDC_ISSUER_REGEXP and assert
the task uses the exact values (update the "Keyless signing verification cosign
v2 style with regexp params" scenario and its counterpart around the other
block), and (2) add a scenario or variant that sets IGNORE_REKOR=true and runs
in keyless mode (IMAGES with keyless_v2) and assert Rekor is still used (e.g.,
via REKOR_HOST present in task results/logs) to ensure keyless forces Rekor;
update the step expectations (task success, "report-json" logs, and task results
snapshots) to include these verifications.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1bb57d69-5b2a-497a-98b7-c65b428d8658

📥 Commits

Reviewing files that changed from the base of the PR and between e46c21e and 7302a30.

⛔ Files ignored due to path filters (1)

• features/__snapshots__/task_validate_image.snap is excluded by !**/*.snap

📒 Files selected for processing (5)

• docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc
• docs/modules/ROOT/pages/verify-enterprise-contract.adoc
• features/task_validate_image.feature
• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
• tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	55.16% <ø> (-0.01%)	⬇️
generative	17.90% <ø> (ø)
integration	26.63% <ø> (ø)
unit	69.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (1)

tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml (1)

86-98: Typo in parameter descriptions: "precendence" → "precedence".

Lines 90 and 97 both have "precendence" instead of "precedence".

📝 Proposed fix

     - name: CERTIFICATE_IDENTITY_REGEXP
       type: string
       description: >-
         Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched.
-        Note that CERTIFICATE_IDENTITY takes precendence over this if both are present.
+        Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.
       default: ""

     - name: CERTIFICATE_OIDC_ISSUER_REGEXP
       type: string
       description: >-
         Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that
-        CERTIFICATE_OIDC_ISSUER takes precendence over this if both are present.
+        CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.
       default: ""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml` around
lines 86 - 98, The two parameter descriptions for CERTIFICATE_IDENTITY_REGEXP
and CERTIFICATE_OIDC_ISSUER_REGEXP contain a typo ("precendence"); update both
descriptions to use the correct spelling "precedence" so the text reads "Note
that CERTIFICATE_IDENTITY takes precedence over this..." and "Note that
CERTIFICATE_OIDC_ISSUER takes precedence over this..." respectively; locate the
descriptions by the parameter names CERTIFICATE_IDENTITY_REGEXP and
CERTIFICATE_OIDC_ISSUER_REGEXP and replace the misspelled word.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml`:
- Around line 86-98: The two parameter descriptions for
CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP contain a typo
("precendence"); update both descriptions to use the correct spelling
"precedence" so the text reads "Note that CERTIFICATE_IDENTITY takes precedence
over this..." and "Note that CERTIFICATE_OIDC_ISSUER takes precedence over
this..." respectively; locate the descriptions by the parameter names
CERTIFICATE_IDENTITY_REGEXP and CERTIFICATE_OIDC_ISSUER_REGEXP and replace the
misspelled word.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0390ef42-15a1-40b5-9b88-bd0a5b27bf62

📥 Commits

Reviewing files that changed from the base of the PR and between 7302a30 and b7d26cf.

⛔ Files ignored due to path filters (1)

• features/__snapshots__/task_validate_image.snap is excluded by !**/*.snap

📒 Files selected for processing (5)

• docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc
• docs/modules/ROOT/pages/verify-enterprise-contract.adoc
• features/task_validate_image.feature
• tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
• tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

✅ Files skipped from review due to trivial changes (3)

• docs/modules/ROOT/pages/verify-conforma-konflux-ta.adoc
• docs/modules/ROOT/pages/verify-enterprise-contract.adoc
• tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• features/task_validate_image.feature

[st3penta]

LGTM

[robnester-rh]

One small nit, and I'd like to see you address the IGNORE_REKOR documentation and PUBLIC_KEY descriptions identified by the ai reviewers.

[simonbaird]

I guess I'll fix the fresh conflict.

[simonbaird]

Fixed the misleading param docs and the typo as suggested.

[robnester-rh]

LGTM