Explanation about sig check task params

simonbaird · simonbaird · commit 94691c770c81 · 2026-03-02T15:01:10.000-05:00
I'm deliberately choosing not to check the correct params are provided bceause I don't want to introduce a layer of bash logic between the task and the command. Explain that for the bots. Ref: https://issues.redhat.com/browse/EC-1652
diff --git a/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml b/tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
@@ -261,6 +261,8 @@ spec:
           "--policy" "${POLICY_CONFIGURATION}"
         )
 
+        # To keep bash logic as thin as possible we deliberately don't sanitize
+        # these params. If something is wrong or missing let Conforma handle it.
         if [ -n "${CERTIFICATE_IDENTITY}" ] && [ -n "${CERTIFICATE_OIDC_ISSUER}" ]; then
           cmd_args+=(
             "--certificate-identity" "${CERTIFICATE_IDENTITY}"

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,8 @@ spec:`
`261`	`261`	`"--policy" "${POLICY_CONFIGURATION}"`
`262`	`262`	`)`
`263`	`263`
	`264`	`+ # To keep bash logic as thin as possible we deliberately don't sanitize`
	`265`	`+ # these params. If something is wrong or missing let Conforma handle it.`
`264`	`266`	`if [ -n "${CERTIFICATE_IDENTITY}" ] && [ -n "${CERTIFICATE_OIDC_ISSUER}" ]; then`
`265`	`267`	`cmd_args+=(`
`266`	`268`	`"--certificate-identity" "${CERTIFICATE_IDENTITY}"`