[BUG] Validate step fails with inline POLICY_CONFIGURATION #3094

@yftacherzog

Describe the Bug

The verify-conforma-konflux-ta task fails during the validate step when POLICY_CONFIGURATION is passed as inline JSON (e.g. from a Pipeline parameter). We've seen a policy parse error and a shell quoting error; switching the task to a revision that uses command+args instead of a script fixes the failure.

Steps to Reproduce

  1. Run a Pipeline that uses the verify-conforma-konflux-ta task resolved at a revision that includes the script-based validate step (e.g. from main at or after the merge of PR #3080, "feat: add --attestation-format flag to support multiple VSA output formats", or revision 264a12ef).

  2. Pass POLICY_CONFIGURATION as inline JSON. Example we used to reproduce the issue:

    - name: POLICY_CONFIGURATION
      value: '{"description":"Red Hat enterprise requirements","sources":[{"name":"Default","policy":["oci::quay.io/conforma/release-policy:konflux@sha256:573cf3cc289a7f48b8d1dc63fd64aa826c0b6c41c39ad4a2b4308fd81493dee1"],"data":["oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest","github.com/release-engineering/rhtap-ec-policy//data"],"config":{"include":["@slsa3"]}}],"configuration":{"exclude":["cve"],"collections":["minimal"]},"publicKey":"k8s://openshift-pipelines/public-key"}'

  3. Trigger the Pipeline and open the logs for the validate step.

  4. See either:

    • Parse error: Error: unable to parse EnterpriseContractPolicySpec: error converting YAML to JSON: yaml: line 1: did not find expected ',' or '}'
    • Shell error: unexpected EOF while looking for matching ''' (or similar quoting error in the step log)

Expected Behavior

The validate step runs successfully and ec receives the full POLICY_CONFIGURATION value unchanged. (We confirmed this by using a task revision that still uses command+args instead of the script.)

Actual Behavior

The validate step fails. We've seen a parse error (consistent with the policy value being truncated or corrupted before it reaches ec) and a shell quoting error in the step log.

Screenshots or Terminal Output

Example from a failing PipelineRun (validate step log):

Error: unable to parse EnterpriseContractPolicySpec: error converting YAML to JSON: yaml: line 1: did not find expected ',' or '}'

We've also seen this shell error in the validate step:

unexpected EOF while looking for matching '''

Environment Details

  • Operating System: tested in Linux/AMD64.
  • ec CLI Version, run ec version --short: Any; the failure is in how the task passes the policy to ec, not in the CLI itself.
  • Shell: Bash (the task’s validate step uses a script: that runs in bash).
  • Additional context: The behavior seems to be introduced in PR #3080 ("feat: add --attestation-format flag to support multiple VSA output formats", conforma/cli), which refactored the validate step from command + args to a script that builds arguments and runs ec. With command + args, Tekton passes each arg as a separate process argument and the full policy is preserved. With the script, the policy is substituted into the script inside double quotes, so the shell interprets the value—which can lead to truncation (parse error) or quoting errors.

Possible Solution

Avoid embedding the policy param in script text. For example:

  • Revert to command + args for the ec invocation: use command: [ec] and args: with --policy and $(params.POLICY_CONFIGURATION) as separate list items so Tekton passes them as separate argv elements (no shell interpretation). Conditional VSA arguments could be handled by a separate step or by building the args in a way that does not put the policy in a shell-quoted string.
  • Or keep the script but pass the policy via a file: write the policy to a file (e.g. from a param or a previous step) and pass --policy /path/to/policy.json so the script never contains the raw policy in a quoted string.
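The following is an added example, not code from the conforma/cli task or from the reporter. It reproduces in plain bash the mechanism the report describes: Tekton splices `$(params.X)` into a `script:` as raw text before bash starts, so a JSON value containing double quotes and spaces is tokenised by the shell. `ec` is replaced by a `set --` stand-in that only reports what argv would look like, the policy values are constructed (shortened from the one in the report), and `printf %s` plays the role of Tekton's textual substitution. It shows both failure modes from the report (a truncated policy, and a quoting error when the value contains an apostrophe) next to the two mitigations the Possible Solution section names: an environment variable and a file.

```bash
#!/usr/bin/env bash
# Added example; not code from the conforma/cli task. The `ec` binary is
# replaced by `set --` so we can inspect argv; the policy is constructed.

POLICY='{"description":"Red Hat enterprise requirements","sources":[{"name":"Default","policy":["oci::example/policy:tag"]}]}'

# Unsafe pattern:  ec validate image --policy "$(params.POLICY_CONFIGURATION)"
# Tekton's substitution is textual, so printf %s stands in for Tekton here.
# Prints the argv count the stand-in ec receives (--policy plus its value
# would be 2; word splitting on the unquoted "Red Hat ..." part yields more).
unsafe_double_quoted_argc() {
    local script
    script=$(printf 'set -- --policy "%s"; echo "$#"' "$POLICY")
    bash -c "$script"
}

# Same unsafe pattern, printing the value that lands right after --policy.
# Only the first word survives, which is the truncated policy ec then fails
# to parse ("did not find expected ',' or '}'").
unsafe_double_quoted_policy() {
    local script
    script=$(printf 'set -- --policy "%s"; printf "%%s" "$2"' "$POLICY")
    bash -c "$script"
}

# Unsafe pattern with single quotes and a constructed value containing an
# apostrophe: the spliced text has unbalanced quotes, so bash refuses the
# script outright ("unexpected EOF while looking for matching ..."). Prints
# bash's non-zero exit status.
unsafe_single_quoted_status() {
    local value="{\"description\":\"Red Hat's requirements\"}"
    local script="set -- --policy '$value'; echo \"\$#\""
    local status=0
    bash -c "$script" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Safe pattern 1: hand the value to the step as an environment variable
# (Tekton: env: - name: POLICY_CONFIGURATION, value: $(params.POLICY_CONFIGURATION))
# and reference "$POLICY_CONFIGURATION" in the script. The JSON is never part
# of the script text, so bash never tokenises it.
safe_env_argc() {
    POLICY_CONFIGURATION="$POLICY" bash -c 'set -- --policy "$POLICY_CONFIGURATION"; echo "$#"'
}

safe_env_policy() {
    POLICY_CONFIGURATION="$POLICY" bash -c 'set -- --policy "$POLICY_CONFIGURATION"; printf "%s" "$2"'
}

# Safe pattern 2: write the policy to a file and pass only the path, so the
# script text contains nothing but `--policy /path/to/policy.json`.
# Prints what ec would read from that path.
safe_file_policy() {
    local tmp
    tmp=$(mktemp)
    printf '%s' "$POLICY" > "$tmp"
    bash -c 'set -- --policy "$1"; cat "$2"' -- "$tmp"
    rm -f "$tmp"
}

echo "unsafe, double-quoted script: argc=$(unsafe_double_quoted_argc), policy seen by ec: $(unsafe_double_quoted_policy)"
echo "unsafe, single-quoted script with an apostrophe in the value: bash exit status $(unsafe_single_quoted_status)"
echo "safe, env var: argc=$(safe_env_argc)"
echo "safe, file:    $(safe_file_policy)"
```

The env-variable variant is the same thing the command+args revision gets for free: the value reaches the process as one argv element with no shell in between. Tekton's own documentation recommends passing parameters into `script:` through `env:` for exactly this reason, so the fix can keep the script and its conditional VSA arguments without ever quoting the raw policy.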
