
fix(bug): updates support for oci refs #595

Open
hbraswelrh wants to merge 2 commits into complytime:main from hbraswelrh:opsx/fix-complypack-oci-ref

Conversation


@hbraswelrh hbraswelrh commented Jun 18, 2026

Member

Summary

This PR updates the ParsePolicyRef to hand off OCI reference parsing to the already-vendored oras-go library. The update now supports :tag and @digest syntax in policy and complypack URLs. No new dependencies. Backwards compatible with existing @version notation.

Related Issues

Review Hints

  • Test in the complyctl .devcontainer / devpod environment.
  • Update the .complytime/complytime.yaml workspace configuration file with
policies:
  - url: quay.io/complytime/policies-ampel-branch-protection:latest
    id: ampel-bp

complypacks:
  - url: quay.io/complytime/complypack-ampel-branch-protection:v0.4.0
    id: ampel-bp-pack

targets:
  - id: complytime-complyctl
    policies:
      - ampel-bp
    variables:
      url: https://github.com/complytime/complyctl
      specs: builtin:github/branch-rules.yaml

Run the commands

  • complyctl get # ensure fetched policies with no errors
  • complyctl generate --policy-id ampel-bp # make sure all 5 requirements were generated
  • complyctl scan --policy-id ampel-bp --format pretty # look at the Markdown result

Reference Results

Compliance Scan Report Results

Compliance Scan Report: complytime/policies-ampel-branch-protection

Generated: 2026-06-18T16:30:02Z


Control: force-push-restriction

  • Result: Passed
  • Message: 1 of 1 repositories passed

block-force-push

  • Confidence: High
  • Result: Passed
  • Message: 1 of 1 repositories passed
  • Steps Executed: 1

Control: approval-requirements

  • Result: Passed
  • Message: 3 of 3 repositories passed

minimum-approvals

  • Confidence: High
  • Result: Passed
  • Message: 3 of 3 repositories passed
  • Steps Executed: 3

Control: admin-bypass-prevention

  • Result: Passed
  • Message: 1 of 1 repositories passed

prevent-admin-bypass

  • Confidence: High
  • Result: Passed
  • Message: 1 of 1 repositories passed
  • Steps Executed: 1

Control: code-owner-enforcement

  • Result: Passed
  • Message: 1 of 1 repositories passed

require-code-owner-review

  • Confidence: High
  • Result: Passed
  • Message: 1 of 1 repositories passed
  • Steps Executed: 1

Control: pull-request-enforcement

  • Result: Passed
  • Message: 1 of 1 repositories passed

require-pull-request

  • Confidence: High
  • Result: Passed
  • Message: 1 of 1 repositories passed
  • Steps Executed: 1

Evaluation Log

metadata:
  id: complytime/policies-ampel-branch-protection
  type: EvaluationLog
  gemara-version: v1.0.0
  description: Compliance scan evaluation log
  author:
    id: complytime
    name: complytime
    type: Software
    uri: https://github.com/complytime/complyctl
result: Passed
evaluations:
- name: force-push-restriction
  result: Passed
  message: 1 of 1 repositories passed
  control:
    reference-id: complytime/policies-ampel-branch-protection
    entry-id: force-push-restriction
  assessment-logs:
  - requirement:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: block-force-push
    plan:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: block-force-push
    description: 1 of 1 repositories passed
    result: Passed
    message: 1 of 1 repositories passed
    applicability:
    - default
    steps:
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    steps-executed: 1
    start: "2026-06-18T16:30:02Z"
    confidence-level: High
- name: approval-requirements
  result: Passed
  message: 3 of 3 repositories passed
  control:
    reference-id: complytime/policies-ampel-branch-protection
    entry-id: approval-requirements
  assessment-logs:
  - requirement:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: minimum-approvals
    plan:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: minimum-approvals
    description: 3 of 3 repositories passed
    result: Passed
    message: 3 of 3 repositories passed
    applicability:
    - default
    steps:
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    steps-executed: 3
    start: "2026-06-18T16:30:02Z"
    confidence-level: High
- name: admin-bypass-prevention
  result: Passed
  message: 1 of 1 repositories passed
  control:
    reference-id: complytime/policies-ampel-branch-protection
    entry-id: admin-bypass-prevention
  assessment-logs:
  - requirement:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: prevent-admin-bypass
    plan:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: prevent-admin-bypass
    description: 1 of 1 repositories passed
    result: Passed
    message: 1 of 1 repositories passed
    applicability:
    - default
    steps:
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    steps-executed: 1
    start: "2026-06-18T16:30:02Z"
    confidence-level: High
- name: code-owner-enforcement
  result: Passed
  message: 1 of 1 repositories passed
  control:
    reference-id: complytime/policies-ampel-branch-protection
    entry-id: code-owner-enforcement
  assessment-logs:
  - requirement:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: require-code-owner-review
    plan:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: require-code-owner-review
    description: 1 of 1 repositories passed
    result: Passed
    message: 1 of 1 repositories passed
    applicability:
    - default
    steps:
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    steps-executed: 1
    start: "2026-06-18T16:30:02Z"
    confidence-level: High
- name: pull-request-enforcement
  result: Passed
  message: 1 of 1 repositories passed
  control:
    reference-id: complytime/policies-ampel-branch-protection
    entry-id: pull-request-enforcement
  assessment-logs:
  - requirement:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: require-pull-request
    plan:
      reference-id: complytime/policies-ampel-branch-protection
      entry-id: require-pull-request
    description: 1 of 1 repositories passed
    result: Passed
    message: 1 of 1 repositories passed
    applicability:
    - default
    steps:
    - "complytime/complypack-ampel-branch-protection@sha256:8856c34cc7bf7d0f7149afd3b0d73027ee704d33057be5dc1a70eaef236e8b8e#complytime/complyctl@main"
    steps-executed: 1
    start: "2026-06-18T16:30:02Z"
    confidence-level: High
target:
  id: complytime-complyctl
  name: complytime-complyctl
  type: Software

Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
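As an added illustration (not code from this PR, from complyctl or from oras-go), the reference grammar the summary describes, written against the Go standard library only: the registry is everything before the first slash (so a colon there is a port), a later colon introduces a tag, and `@` introduces a digest that must be a well-formed algorithm:hex pair. The names ParseOCIRef, OCIRef and Pinned are chosen here; the legacy @version notation the PR keeps compatible is not reproduced, and the digest in the lead-in test is the one from the evaluation log above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OCIRef is a parsed policy/complypack reference, e.g.
// quay.io/complytime/complypack-ampel-branch-protection:v0.4.0 or repo@sha256:<hex>.
type OCIRef struct {
	Registry, Repository, Tag, Digest string
}

var digestRE = regexp.MustCompile(`^(sha256:[0-9a-f]{64}|sha512:[0-9a-f]{128})$`)

// ParseOCIRef splits ref into its parts; a stdlib-only illustration, not oras-go's code.
func ParseOCIRef(ref string) (OCIRef, error) {
	out, rest := OCIRef{}, ref
	// "@" introduces a digest, which must be a well-formed algorithm:hex pair.
	if i := strings.IndexByte(rest, '@'); i >= 0 {
		out.Digest, rest = rest[i+1:], rest[:i]
		if !digestRE.MatchString(out.Digest) {
			return OCIRef{}, fmt.Errorf("malformed digest %q in %q", out.Digest, ref)
		}
	}
	// The registry is everything before the first "/"; a ":" there is a port.
	slash := strings.IndexByte(rest, '/')
	if slash <= 0 || slash == len(rest)-1 {
		return OCIRef{}, fmt.Errorf("%q is not registry/repository", ref)
	}
	out.Registry, rest = rest[:slash], rest[slash+1:]
	// Past the registry a ":" can only introduce a tag, never a port.
	if i := strings.LastIndexByte(rest, ':'); i >= 0 {
		out.Tag, rest = rest[i+1:], rest[:i]
	}
	out.Repository = rest
	if out.Digest == "" && out.Tag == "" {
		out.Tag = "latest" // registry default for an unqualified ref
	}
	return out, nil
}

// Pinned is true for content-addressed refs; tags like :latest can be re-pointed.
func (r OCIRef) Pinned() bool { return r.Digest != "" }

func main() {
	r, err := ParseOCIRef("quay.io/complytime/complypack-ampel-branch-protection:v0.4.0")
	fmt.Printf("%+v err=%v pinned=%v\n", r, err, r.Pinned())
}
```

A compliance tool that wants reproducible scans can reject any policy or complypack ref for which Pinned() is false, since a tag resolves to whatever the registry currently serves.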
@hbraswelrh hbraswelrh force-pushed the opsx/fix-complypack-oci-ref branch from f92a177 to c0b6060 on June 18, 2026 15:56
…aths

Regenerate .gaze/baseline.json to reflect current CRAP scores after
OCI ref parsing changes. The previous baseline was stale, causing 11
false regressions in CI.

Also add .summary.recommended_actions[]? to the jq path-normalization
filter in the crapload-baseline and crapload-check Makefile targets,
preventing absolute paths from leaking into the committed baseline.
@hbraswelrh hbraswelrh marked this pull request as ready for review June 18, 2026 16:17
@hbraswelrh hbraswelrh requested a review from a team as a code owner June 18, 2026 16:17
@hbraswelrh hbraswelrh requested a review from jpower432 June 18, 2026 18:51
@hbraswelrh hbraswelrh commented (Member, Author)

@jpower432 adding you to the reviewers since this bug was identified and discussed in your generation state PR.

@marcusburghardt marcusburghardt left a comment

Member


LGTM. This PR is fixing the bug and improving the situation. Thanks @hbraswelrh.
During the review I noticed some other improvement opportunities we could work on in a follow-up PR: #600
