Feature request

tektoncd/pipeline now ships with a v1 API. Catlin should support validating them.

Use case

Support the newest api version (and the stable / ga version)

Expected Behavior (tkn CLI)

tkn task sign only mutates the tekton.dev/signature annotation.

Actual Behavior (tkn CLI)

tkn task sign mutates any block scalar field that has lines ending with spaces. These fields are replaced with flow (quoted) scalars.

Steps to Reproduce the Problem

1. Create a task yaml file with a script field using block scalar style. Likely any existing task would do.
2. Add an extra trailing space to any of the script lines.
3. Run tkn task sign ... <task yaml file>

Additional Info

I traced this to known behaviour in YAML serialization libraries (1, 2). Specifically, if trailing whitespace exists in lines of a block scalar, the libraries implicitly change the scalar from "block" to "quoted". Quoted mode is much harder to read for things like script fields.
We 'resolved' this by enforcing YAML style. Specifically, using yamllint, which throws errors on trailing spaces by default.

However, I just wanted to open this bug to see if maybe this could be something catlin does directly, which might be easier to accomplish then modifying the tekton CLI. Though I'm happy to open the issue over there (Tekton CLI) since it would be a more direct bug report.

As of today, lintking a tekton resource in a yaml file, not in a catalog, will fail saying the resource path is wrong.

FILE: ../tmp/task/go-ko-image/go-ko-image.yaml
ERROR: Resource path is invalid; expected path: task/go-ko-image/0.2.1/go-ko-image.yaml

It shouldn't be the case. We should be able to validate the layout of a catalog (task/{name}/{version}/…) and the content of the file independently.

It could be 2 different commands catlin validate-resource path/to/file and catlin validate-catalog path/to/catalog.

As of today, "rules" in catlin are hardcoded in go code. Ideally, we should be able to extend / modify rules based independently of the code. One idea would be to use rego and possibly opa as a library to be able to define rules "dynamically".

• Catlin would ship with a default set of rules (embedded)
• A user could override or add new rules with a configuration (in the repository, or global)

See, for example, https://github.com/enterprise-contract/ec-policies/blob/main/policy/lib/bundles.rego