From c8a6b8c33b037763f7593a354aca86b6109c1bba Mon Sep 17 00:00:00 2001 From: CoreOS Bot Date: Tue, 20 Jan 2026 10:17:36 +0000 Subject: [PATCH] tree: import changes from testing-devel at bac3ef53b6dd513f22d548a14986f7945e33833f --- .tekton/base/base/fedora-coreos.yaml | 4 ++++ .../fedora-coreos-on-pull-request.yaml | 4 ++++ .tekton/base/on-push/fedora-coreos-on-push.yaml | 4 ++++ .../fedora-coreos-branched-on-pull-request.yaml | 4 ++++ .../on-push/fedora-coreos-branched-on-push.yaml | 4 ++++ ...fedora-coreos-next-devel-on-pull-request.yaml | 4 ++++ .../fedora-coreos-next-devel-on-push.yaml | 4 ++++ .../fedora-coreos-next-on-pull-request.yaml | 4 ++++ .../next/on-push/fedora-coreos-next-on-push.yaml | 4 ++++ .../fedora-coreos-rawhide-on-pull-request.yaml | 4 ++++ .../on-push/fedora-coreos-rawhide-on-push.yaml | 4 ++++ .../fedora-coreos-stable-on-pull-request.yaml | 4 ++++ .../on-push/fedora-coreos-stable-on-push.yaml | 4 ++++ ...ora-coreos-testing-devel-on-pull-request.yaml | 4 ++++ .../fedora-coreos-testing-devel-on-push.yaml | 4 ++++ .../fedora-coreos-testing-on-pull-request.yaml | 4 ++++ .../on-push/fedora-coreos-testing-on-push.yaml | 4 ++++ build-rootfs | 16 +++++++++++----- buildroot-prep | 7 +++++-- 19 files changed, 84 insertions(+), 7 deletions(-) diff --git a/.tekton/base/base/fedora-coreos.yaml b/.tekton/base/base/fedora-coreos.yaml index 8f0b4a8f..3255f6ed 100644 --- a/.tekton/base/base/fedora-coreos.yaml +++ b/.tekton/base/base/fedora-coreos.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml b/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml index a97f752b..c40c1f98 100644 --- a/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml 
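Review bot: The `prefetch-input` value `[{"type": "rpm", "path": "."}]` added after `clone-depth` makes every build depend on an RPM lockfile at the repository root (by cachi2 convention `rpms.lock.yaml`), and the diffstat of this patch touches no such file. With `hermetic` set to true the build presumably has no network access, so a missing or stale lockfile on any imported branch would break the build or, possibly, produce a package set that differs from the manifest lockfiles. It is worth confirming that the file exists on each stream and is regenerated together with the manifest lockfiles. A short comment above the two parameters, e.g. `# hermetic: RPMs come only from the prefetched lockfile at the repo root`, would record that dependency. The same two parameters are added identically in the other sixteen `.tekton/` pipeline files of this patch.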
+++ b/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/base/on-push/fedora-coreos-on-push.yaml b/.tekton/base/on-push/fedora-coreos-on-push.yaml index 06d32e61..a5c45be4 100644 --- a/.tekton/base/on-push/fedora-coreos-on-push.yaml +++ b/.tekton/base/on-push/fedora-coreos-on-push.yaml @@ -40,6 +40,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml b/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml index 0923e98d..e6386a98 100644 --- a/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml +++ b/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml b/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml index ea6d5cc2..5fdcd6e4 100644 --- a/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml +++ b/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle 
diff --git a/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml b/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml index 7354d011..ae024fed 100644 --- a/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml +++ b/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml b/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml index ef6ac4c6..a23843b2 100644 --- a/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml +++ b/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml b/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml index 66266f4a..15a5d43c 100644 --- a/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml +++ b/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/next/on-push/fedora-coreos-next-on-push.yaml b/.tekton/next/on-push/fedora-coreos-next-on-push.yaml index 05ca0c58..95c94865 100644 --- a/.tekton/next/on-push/fedora-coreos-next-on-push.yaml +++ b/.tekton/next/on-push/fedora-coreos-next-on-push.yaml 
@@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml b/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml index 9e261105..2ec30980 100644 --- a/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml +++ b/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml b/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml index e54d3ea3..da76d9da 100644 --- a/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml +++ b/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml b/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml index 85989d80..ce2c8f34 100644 --- a/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml +++ b/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: 
diff --git a/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml b/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml index f864a45d..a1e4a911 100644 --- a/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml +++ b/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml b/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml index 29d0fcf8..e3746576 100644 --- a/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml +++ b/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml b/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml index 719a382f..1e77ede6 100644 --- a/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml +++ b/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml b/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml index 3504c7ab..4ae95dd5 100644 --- a/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml 
+++ b/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml @@ -42,6 +42,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' - name: image-expires-after value: 5d pipelineRef: diff --git a/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml b/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml index 016a70d5..daeef922 100644 --- a/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml +++ b/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml @@ -41,6 +41,10 @@ spec: - linux/ppc64le - name: clone-depth value: 50 + - name: hermetic + value: true + - name: prefetch-input + value: '[{"type": "rpm", "path": "."}]' pipelineRef: params: - name: bundle diff --git a/build-rootfs b/build-rootfs index bde3b8db..4d8b26e5 100755 --- a/build-rootfs +++ b/build-rootfs @@ -21,6 +21,8 @@ import yaml ARCH = os.uname().machine SRCDIR = '/src' INPUTHASH = '/run/inputhash' +HERMETIC_REPO = '/etc/yum.repos.d/cachi2.repo' +IS_HERMETIC = os.path.exists(HERMETIC_REPO) def main(): @@ -51,8 +53,9 @@ def main(): # NEVRAs to appear there. For lack of a generic solution for any repo # there, we only special-case the one place where we know we use this. if lockfile_repos == ['fedora-coreos-pool']: - modify_pool_repo(locked_nevras) - repos += lockfile_repos + if not IS_HERMETIC: + modify_pool_repo(locked_nevras) + repos += lockfile_repos elif len(lockfile_repos) > 0: raise Exception(f"unknown lockfile-repo found in {lockfile_repos}") 
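Review bot: `IS_HERMETIC` is computed once at import time from the mere existence of `/etc/yum.repos.d/cachi2.repo`, so any file at that path in the build container switches off the project's own repo injection and the pool-repo handling further down, and nothing in the output says which mode was chosen. Since this decides where every RPM in the rootfs comes from, I would log it at the start of `main()`, e.g. `print(f"hermetic build: {IS_HERMETIC} (marker: {HERMETIC_REPO})")`, and add a comment on the constant saying who is expected to create the file. The same path is hard-coded a second time in the `buildroot-prep` hunk, tested there with `[ ! -f ... ]` rather than a plain existence check, so the two scripts can disagree when the path is not a regular file; a comment in each pointing at the other would keep them in step. `main()` only begins in this hunk's trailing context and continues outside it.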
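Review bot: The new `if not IS_HERMETIC:` guard skips `modify_pool_repo(locked_nevras)` without saying what enforces the locked package set instead. From the `-`/`+` markers both `modify_pool_repo(...)` and `repos += lockfile_repos` appear to move under the guard (indentation is not recoverable on this page), so in a hermetic build the `fedora-coreos-pool` repo would be neither rewritten nor enabled. A comment such as `# hermetic: the prefetched cachi2 repo is the only package source; the pool repo is not used` would make that intent explicit. It is also worth confirming outside this hunk that `locked_nevras` is still applied when building the rootfs, so the lockfile keeps pinning versions in hermetic mode. The enclosing `main()` starts and ends outside the hunk.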
@@ -110,12 +113,15 @@ def inject_yumrepos(): if os.path.basename(repo) == 'secret.repo': # this is a supported podman secret to inject repo files; see Containerfile continue + if repo == HERMETIC_REPO: + # this is the repo Konflux injects when hermetic build is enabled + continue os.unlink(repo) # and now inject our repos - for repo in glob.glob(f'{SRCDIR}/*.repo'): - shutil.copy(repo, "/etc/yum.repos.d") - + if not IS_HERMETIC: + for repo in glob.glob(f'{SRCDIR}/*.repo'): + shutil.copy(repo, "/etc/yum.repos.d") def build_rootfs( target_rootfs, manifest_path, packages, locked_nevras, diff --git a/buildroot-prep b/buildroot-prep index 132684c0..c61db75f 100755 --- a/buildroot-prep +++ b/buildroot-prep @@ -8,8 +8,11 @@ set -euo pipefail arch=$(uname -m) . /etc/os-release -cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d - +# cachi2 is the repo Konflux injects when hermetic build is enabled and +# is self-sufficient to pull all the required RPMs. +if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then + cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d +fi # NOTE: try to remove anything that queries repos here once it's no longer # needed so that we don't unnecessarily pay for repo metadata.
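Review bot: The added `if repo == HERMETIC_REPO:` check compares the full path string, while the `secret.repo` check just above it compares `os.path.basename(repo)`; whether the new check matches depends on the exact glob pattern of the loop, which is outside this hunk. If that pattern ever yields a differently spelled path, the Konflux repo file would be unlinked, and because `IS_HERMETIC` was already evaluated at import the project repos would not be copied either, leaving no repo at all. Comparing `os.path.basename(repo) == os.path.basename(HERMETIC_REPO)` would match the neighbouring check. The hunk also drops one of the two blank lines before `def build_rootfs(`, which PEP 8 expects to stay. `inject_yumrepos()` begins before the hunk.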