Handle more pipeline_intention values

The goal here is to make the schedule rules only apply to production releases. The konflux-ci release pipelines don't yet provide these new pipeline_intention values. I'll follow up in a separate PR with them to provide those.
enterprise-contract · Jan 17, 2025 · dc6fb8b · dc6fb8b
1 parent 0db4493
commit dc6fb8b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/policy/release/olm/olm.rego b/policy/release/olm/olm.rego
@@ -438,7 +438,7 @@ _subscription_annotation := "operators.openshift.io/valid-subscription"
 default _release_restrictions_apply := false
 
 _release_restrictions_apply if {
-	lib.rule_data("pipeline_intention") == "release"
+	lib.rule_data("pipeline_intention") == "release" or lib.rule_data("pipeline_intention") == "production" or lib.rule_data("pipeline_intention") == "staging"
 }
 
 # Used by allowed_registries

diff --git a/policy/release/quay_expiration/quay_expiration.rego b/policy/release/quay_expiration/quay_expiration.rego
@@ -18,8 +18,8 @@ import data.lib
 # description: >-
 #   Check the image metadata for the presence of a "quay.expires-after"
 #   label. If it's present then produce a violation. This check is enforced
-#   only for a "release" pipeline, as determined by the value of the
-#   `pipeline_intention` rule data.
+#   only for a "release", "production", or "staging" pipeline, as determined by
+#   the value of the `pipeline_intention` rule data.
 # custom:
 #   short_name: expires_label
 #   failure_msg: The image has a 'quay.expires-after' label set to '%s'
@@ -52,5 +52,5 @@ deny contains result if {
 default _expires_label_check_applies := false
 
 _expires_label_check_applies if {
-	lib.rule_data("pipeline_intention") == "release"
+	lib.rule_data("pipeline_intention") == "release" or lib.rule_data("pipeline_intention") == "production" or lib.rule_data("pipeline_intention") == "staging"
 }
diff --git a/policy/release/schedule/schedule.rego b/policy/release/schedule/schedule.rego
@@ -16,8 +16,8 @@ import data.lib.json as j
 # description: >-
 #   Check if the current weekday is allowed based on the rule data value from the key
 #   `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is
-#   allowed. This check is enforced only for a "release" pipeline, as determined by
-#   the value of the `pipeline_intention` rule data.
+#   allowed. This check is enforced only for a "release" or "production"
+#   pipeline, as determined by the value of the `pipeline_intention` rule data.
 # custom:
 #   short_name: weekday_restriction
 #   failure_msg: '%s is a disallowed weekday: %s'
@@ -39,8 +39,9 @@ deny contains result if {
 # description: >-
 #   Check if the current date is not allowed based on the rule data value
 #   from the key `disallowed_dates`. By default, the list is empty in which
-#   case *any* day is allowed. This check is enforced only for a "release" pipeline,
-#   as determined by the value of the `pipeline_intention` rule data.
+#   case *any* day is allowed. This check is enforced only for a "release" or
+#   "production" pipeline, as determined by the value of the
+#   `pipeline_intention` rule data.
 # custom:
 #   short_name: date_restriction
 #   failure_msg: '%s is a disallowed date: %s'
@@ -76,11 +77,12 @@ deny contains result if {
 }
 
 # We want these checks to apply only if we're doing a release. Detect that by checking
-# the `pipeline_intention` value which is set to "release" for Konflux release pipelines.
+# the `pipeline_intention` value which is set to "release" or "production" for Konflux release pipelines.
+# Notably, the value "staging" is not checked here. The disallowed dates rule doesn't apply to staging releases.
 default _schedule_restrictions_apply := false
 
 _schedule_restrictions_apply if {
-	lib.rule_data("pipeline_intention") == "release"
+	lib.rule_data("pipeline_intention") == "release" or lib.rule_data("pipeline_intention") == "production"
 }
 
 _rule_data_errors contains error if {