Use dedicated conforma policies for test assembly EC verification

[ashwindasr]

Summary

• Use conforma-build-stage-test and conforma-build-ec-stage-test policies for test assembly builds instead of the default stage policies
• Base images are not released for test assemblies, so the art-images base image registry rule is permanently excluded in these policies for build-time ITSs to pass
• Policies added in KRD MR 19219
• Block base image releases unconditionally for test assemblies by moving the assembly == "test" check before base_image_release.force in should_trigger_base_image_release()

Changes

• constants.py: Add KONFLUX_TEST_EC_POLICY_CONFIGURATION and KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION
• konflux_image_builder.py: Add prega_ec_policy_configuration field to KonfluxImageBuilderConfig so both policies are configurable (builder stays assembly-agnostic)
• images_konflux.py: Select test vs default policy pair based on runtime.assembly == "test"
• konflux_olm_bundler.py: Select test policies when self.assembly == "test" for OLM bundle builds
• test_konflux_ec_verification.py: Add 4 tests verifying policy selection for default, pre-release, test, and test+pre-release scenarios
• image.py: Reorder checks in should_trigger_base_image_release() so test assembly is an unconditional block (not bypassed by force: true)
• test_image.py: Update test to assert force: true + test assembly returns False

Test plan

• All 12 EC verification tests pass (8 existing + 4 new)
• All 34 image builder tests pass
• Base image release gate test passes with new assertion
• Ruff lint passes on all changed files

Summary by CodeRabbit

• New Features
  • Added configurable pre-GA Enterprise Contract policy settings for build verification flexibility.
  • Test assemblies now use dedicated EC and pre-GA EC policy configurations during verification.
  • EC policy selection now adapts to both assembly type and software lifecycle phase.
• Bug Fixes
  • Base image release triggering now correctly blocks the "test" assembly even when force=true is set.
• Tests
  • Added coverage to verify correct EC policy behavior across lifecycle phases and test/default assemblies.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift-eng/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d411818c-18df-43cd-89ea-eb7e0d02b7b4

📥 Commits

Reviewing files that changed from the base of the PR and between 1ad82dc and abadfaf.

📒 Files selected for processing (7)

• doozer/doozerlib/backend/konflux_image_builder.py
• doozer/doozerlib/backend/konflux_olm_bundler.py
• doozer/doozerlib/cli/images_konflux.py
• doozer/doozerlib/constants.py
• doozer/doozerlib/image.py
• doozer/tests/backend/test_konflux_ec_verification.py
• doozer/tests/test_image.py

🚧 Files skipped from review as they are similar to previous changes (5)

• doozer/doozerlib/constants.py
• doozer/doozerlib/backend/konflux_image_builder.py
• doozer/doozerlib/cli/images_konflux.py
• doozer/doozerlib/backend/konflux_olm_bundler.py
• doozer/tests/backend/test_konflux_ec_verification.py

---

Walkthrough

Adds two new EC policy constants for test assemblies and routes them through KonfluxImageBuilderConfig with a new configurable prega_ec_policy_configuration field. The CLI conditionally selects test-assembly constants when assembly == "test" and passes them to the config. The OLM bundler applies the same two-axis selection logic based on assembly type and test flag. Base image release triggers now check for test assembly before evaluating force overrides.

Changes

Test-assembly EC policy routing and base image release trigger ordering

Layer / File(s)	Summary
Test-assembly EC policy constants doozer/doozerlib/constants.py	Defines KONFLUX_TEST_EC_POLICY_CONFIGURATION ("ocp-art-tenant/conforma-build-stage-test") and KONFLUX_TEST_PREGA_EC_POLICY_CONFIGURATION ("ocp-art-tenant/conforma-build-ec-stage-test") with comments on permanent exclusion behavior for build-time ITS validation.
KonfluxImageBuilderConfig and EC verification doozer/doozerlib/backend/konflux_image_builder.py	KonfluxImageBuilderConfig adds prega_ec_policy_configuration field. During PRE_RELEASE EC verification, ec_policy is read from the config field instead of being hardcoded.
CLI test-assembly policy selection and wiring doozer/doozerlib/cli/images_konflux.py	Conditionally assigns test-assembly constants when runtime.assembly == "test" and passes both ec_policy_configuration and prega_ec_policy_configuration to KonfluxImageBuilderConfig.
OLM bundler test-assembly EC policy selection doozer/doozerlib/backend/konflux_olm_bundler.py	Adds is_test_assembly flag and two-axis conditional selecting among KONFLUX_TEST_PREGA_*, KONFLUX_TEST_EC_*, KONFLUX_PREGA_*, and KONFLUX_DEFAULT_EC_* constants before EC verification calls.
EC policy verification test coverage doozer/tests/backend/test_konflux_ec_verification.py	Adds four async test cases in TestEcVerificationGating asserting correct ec_policy argument values for release, pre-release, test-release, and test-pre-release lifecycle phases.
Base image release trigger precedence ordering doozer/doozerlib/image.py, doozer/tests/test_image.py	should_trigger_base_image_release() now checks runtime.assembly == "test" first, returning False before evaluating base_image_release.force, blocking force overrides for test assemblies. Docstring and test expectations updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

lgtm

Suggested reviewers

• vfreex

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ai-Attribution	⚠️ Warning	AI tool (Cursor) was used as stated in PR description, but commits use improper Co-authored-by trailer instead of required Assisted-by or Generated-by for Red Hat attribution.	Replace Co-authored-by: Cursor trailer with appropriate Assisted-by or Generated-by trailer following Red Hat attribution standards.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main objective: introducing dedicated conforma policies for test assembly EC verification, which aligns with all the changes across multiple files.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, etc.), custom crypto implementations, or non-constant-time secret comparisons were introduced in the PR changes.
Container-Privileges	✅ Passed	Check is not applicable - PR modifies only Python source code, not container/K8s manifests. No insecure container configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPr...
No-Sensitive-Data-In-Logs	✅ Passed	The PR introduces policy configuration changes for Konflux builds with a single new logging statement at line 1437 of image.py: "Skipping base image release for test assembly". This statement logs...
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets, API keys, tokens, passwords, or credentials found. Constants added are policy configuration identifiers referencing Konflux/Conforma policy names, consistent with existing con...
No-Injection-Vectors	✅ Passed	PR contains only configuration management (hardcoded constants, conditional field assignment, simple string equality checks). No SQL injection, shell injection, eval/exec, pickle/yaml, os.system, o...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ashwindasr]

Testing with: https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Focp4-konflux/38226/

[openshift-ci]

@ashwindasr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	abadfaf	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ashwindasr]

/unhold

[ashwindasr]

Tested with openshift-priv/art-konflux-template#158 (comment) works as expected

[fgallott]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fgallott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [fgallott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment