build: rego source policies #23782
Open
build: rego source policies #23782
+3,718
−11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dvdksn
added
the
status/do-not-merge
github-actions
bot
added
area/build
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
dvdksn
force-pushed
the
build-input-policy
branch
from
640026d to
b152a76
Compare
dvdksn
force-pushed
the
build-input-policy
branch
from
b152a76 to
1dcccf6
Compare
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
dvdksn
force-pushed
the
build-input-policy
branch
from
1dcccf6 to
7741d9b
Compare
dvdksn
force-pushed
the
build-input-policy
branch
2 times, most recently
from
9ef9e13 to
04835cd
Compare
dvdksn
force-pushed
the
build-input-policy
branch
from
04835cd to
92feb6f
Compare
tonistiigi
reviewed
Jan 20, 2026
| ``` | ||
|
|
||
| When using Sigstore signatures, additional fields are available under | ||
| `input.image.signature` (singular) with details about the signing workflow. |
| } | ||
| ``` | ||
|
|
||
| #### `input.git.commitChecksum` |
Member
There was a problem hiding this comment.
There is also checksum isAnnotatedTag.
|
|
||
| ```rego | ||
| allow if { | ||
| input.git.ref == "v0.12.0" |
Member
There was a problem hiding this comment.
this is incorrect I think. Ref would be refs/heads/master or refs/tags/v0.12.0 or refs/pull/123/head
|
|
||
| ## Environment fields | ||
|
|
||
| The `input.env` object provides build context information not specific to a |
Member
There was a problem hiding this comment.
"build configuration information set by user on invoking the build, not spe"
| **Cause:** `policy eval` doesn't fetch sources, so many fields remain | ||
| unresolved. | ||
|
|
||
| **Solution:** Use actual builds with `--progress=plain` to see complete field |
Member
There was a problem hiding this comment.
Solution should be to include --field
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
dvdksn
force-pushed
the
build-input-policy
branch
from
92feb6f to
2040f30
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Buildx support for rego policies for validating build inputs (local, http, git, image).
Preview: https://deploy-preview-23782--docsdocker.netlify.app/build/policies/
Related issues or tickets