
ROX-35107: Add Konflux pipeline check for post-quantum crypto policy#855

Merged
vladbologa merged 1 commit into main from vb/pq-crypto-policies-test on Jun 22, 2026

Conversation

vladbologa commented Jun 22, 2026

Contributor

Description

Verify that the built fact image has X25519MLKEM768 in /etc/crypto-policies/back-ends/opensslcnf.config, guarding against regressions of the DEFAULT:PQ crypto-policy setting.

Identical to stackrox/collector#3463
See also stackrox/konflux-tasks#105

Checklist

  • Patch has a change log entry OR does not need one.
  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

CI is sufficient
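A standalone version of the kind of check this PR wires into the pipeline, written here as an added example and not taken from the PR or from stackrox/konflux-tasks. It verifies that X25519MLKEM768 is a whole entry of the Groups list in an OpenSSL crypto-policies back-end config; the sample configs are constructed so the script runs offline, whereas the pipeline step would read the real file from the built image.

```shell
#!/bin/sh
# Added example, not code from this PR or from stackrox/konflux-tasks:
# a check in the spirit of verify-pq-crypto-policies. It passes only when
# X25519MLKEM768 is a whole entry of the Groups list in an OpenSSL
# crypto-policies back-end config, as the DEFAULT:PQ policy provides.
# In the pipeline the file would be read from the built image at
# /etc/crypto-policies/back-ends/opensslcnf.config; here the configs
# are constructed locally so the script runs offline.

# Return 0 if X25519MLKEM768 is enabled in the Groups list of config file $1.
# Matching a whole colon-separated entry (not a bare substring) avoids
# false positives from look-alike names and finds the group wherever it
# sits in the list, not only in the first position.
check_pq_groups() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "check_pq_groups: cannot read $cfg" >&2; return 1; }
    # If several Groups assignments appear, evaluate the last one.
    groups_line=$(grep -E '^[[:space:]]*Groups[[:space:]]*=' "$cfg" | tail -n 1)
    [ -n "$groups_line" ] || { echo "check_pq_groups: no Groups line in $cfg" >&2; return 1; }
    groups_value=$(printf '%s' "${groups_line#*=}" | tr -d ' \t')
    case ":$groups_value:" in
        *:X25519MLKEM768:*) return 0 ;;
        *) echo "check_pq_groups: X25519MLKEM768 not in Groups of $cfg" >&2; return 1 ;;
    esac
}

# Constructed sample configs: one with the PQ hybrid group enabled, one
# regressed to classical-only groups (the case the pipeline step must catch).
PQ_CFG=$(mktemp)
CLASSIC_CFG=$(mktemp)
trap 'rm -f "$PQ_CFG" "$CLASSIC_CFG"' EXIT
cat > "$PQ_CFG" <<'EOF'
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
Groups = X25519MLKEM768:X25519:secp256r1:secp384r1:X448:secp521r1:ffdhe2048
EOF
cat > "$CLASSIC_CFG" <<'EOF'
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
Groups = X25519:secp256r1:secp384r1:X448:secp521r1:ffdhe2048
EOF

check_pq_groups "$PQ_CFG" && echo "PQ policy present: ok"
check_pq_groups "$CLASSIC_CFG" 2>/dev/null || echo "classical-only config: regression detected"
```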

@vladbologa vladbologa requested review from a team and rhacs-bot as code owners June 22, 2026 08:28
coderabbitai Bot commented Jun 22, 2026

Walkthrough

A new Tekton pipeline task step verify-pq-crypto-policies is added to .tekton/fact-component-pipeline.yaml. It runs after rpms-signature-scan, is conditional on params.skip-checks being "false", receives IMAGE_URL and IMAGE_DIGEST from tasks.build-image-index, and is positioned before push-dockerfile.

Changes

fact-component-pipeline PQ Crypto Verification

Layer: verify-pq-crypto-policies task insertion
File(s): .tekton/fact-component-pipeline.yaml
Summary: Adds the verify-pq-crypto-policies task step using quay.io/rhacs-eng/konflux-tasks:latest@sha256:4d05c7ad..., wired to tasks.build-image-index outputs for IMAGE_URL and IMAGE_DIGEST, with a when guard on params.skip-checks == "false".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A new step hops into the pipeline with care,
Checking PQ crypto with flair,
When skip-checks is false, it leaps into the fray,
Ensuring the image is safe for the day,
🐇 ✨ Secure builds, hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The PR description is mostly complete with a clear explanation of the changes, but contains discrepancies with the template requirements and incomplete testing documentation. Resolution: clarify the 'Testing Performed' section by replacing 'CI is sufficient' with specific CI test details, and verify all checklist items are accurately marked before merging.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding a Konflux pipeline check for post-quantum crypto policy verification, directly matching the file changes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@vladbologa vladbologa requested a review from msugakov June 22, 2026 08:30
@codecov-commenter


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.96%. Comparing base (571d29f) to head (b72f901).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #855   +/-   ##
=======================================
  Coverage   27.96%   27.96%           
=======================================
  Files          21       21           
  Lines        2596     2596           
  Branches     2596     2596           
=======================================
  Hits          726      726           
  Misses       1867     1867           
  Partials        3        3           


@vladbologa vladbologa merged commit 0e7b1cb into main Jun 22, 2026
28 of 36 checks passed
@vladbologa vladbologa deleted the vb/pq-crypto-policies-test branch June 22, 2026 09:36