ROX-35107: Add verify-pq-crypto-policies

[vladbologa]

This PR extracts the verify-crypto-policies from stackrox/collector#3463 so that it can be reused across stackrox repos. See that PR for details.

[coderabbitai]

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description is directly related to the changeset. It references extracting a Tekton task for reuse and cites the original PR, which aligns with the file changes adding the verify-crypto-policies task.
Title check	✅ Passed	The title partially relates to the changeset - it mentions adding a verify-pq-crypto-policies component, but uses an abbreviated reference (pq-crypto-policies) that doesn't fully match the actual task name (verify-crypto-policies) and lacks clarity about the core objective of extracting and making the task reusable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch vb/verify-crypto-policies

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tasks/verify-crypto-policies-task.yaml`:
- Around line 33-34: The grep command checking for `EXPECTED_GROUP` in
`CONFIG_FILE` matches the pattern anywhere in the file, including in
commented-out lines, causing false positives when ML-KEM is disabled but present
as a comment. Modify the grep command to exclude lines that start with optional
whitespace followed by a hash symbol to ensure only active configuration lines
are matched. This can be done by piping the grep output through an additional
grep filter with the -v flag to remove comment lines, or by using a more
specific pattern that only captures enabled configuration entries.
- Around line 33-41: The current logic treats file-not-found and
content-not-found as the same failure case. When the CONFIG_FILE is missing or
unreadable, grep exits immediately due to set -e, and cat may also fail before
reaching your explicit FAIL messages, reducing debuggability. Add an explicit
check using test -f and test -r (or similar) to verify that CONFIG_FILE exists
and is readable before attempting the grep command. Structure the logic to
handle three distinct cases: file missing/unreadable (with appropriate error
message), file exists but EXPECTED_GROUP not found (current FAIL message), and
file exists with EXPECTED_GROUP found (current PASS message). This ensures each
failure mode produces clear, distinct diagnostic output.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 95fb4824-89a6-460b-a1cf-0fd043ce228b

📥 Commits

Reviewing files that changed from the base of the PR and between 854d0fe and 64ce56a.

📒 Files selected for processing (1)

• tasks/verify-crypto-policies-task.yaml

[msugakov]

Looks good!

Please make sure you test that it works as expected in the pipeline. Would be nice if you could share a link.

[vladbologa]

@msugakov here's a run of the pipeline from the Collector repo: https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/rh-acs-tenant/applications/acs/taskruns/collector-on-push-9gmfj-verify-pq-crypto-policies/