osbuild: update patches with actual commit IDs

Now that osbuild/osbuild#2222 merged
we can update these patches with the actual commit IDs from
the upstream code base.

Author: dustymabe

src/0001-osbuild-util-containers.py-add-container_mount-funct.patch

@@ -1,8 +1,7 @@
-From 701fa40dfce9a70c1dafdee32907a154463a1a44 Mon Sep 17 00:00:00 2001
+From 3c7e393f5442808c776c414c4f9e096cf8790901 Mon Sep 17 00:00:00 2001
 From: Dusty Mabe <[email protected]>
 Date: Thu, 9 Oct 2025 22:05:44 -0400
-Subject: [PATCH 1/5] osbuild/util/containers.py: add container_mount()
- functionality
+Subject: [PATCH 1/5] util/containers.py: add container_mount() functionality
 
 As prep for a later patch this moves the container image mounting code
 from stages/org.osbuild.container-deploy into the containers library.

src/0002-osbuild-util-containers.py-rename-variable.patch

@@ -1,7 +1,7 @@
-From 81b9bd29075c004c48a5de685904328f657f33bd Mon Sep 17 00:00:00 2001
+From dc7d55f20ecc826bcadcb308460687909a6f13e4 Mon Sep 17 00:00:00 2001
 From: Dusty Mabe <[email protected]>
 Date: Fri, 10 Oct 2025 09:04:21 -0400
-Subject: [PATCH 2/5] osbuild/util/containers.py: rename variable
+Subject: [PATCH 2/5] util/containers.py: rename variable
 
 This is really a name and not a tag (it doesn't include :tag) so let's
 rename the variable to be a little more clear.

src/0003-osbuild-util-containers.py-drop-copy-when-using-cont.patch

@@ -1,7 +1,7 @@
-From dd484a371b04bb384d6d189b038d6c7997a3da44 Mon Sep 17 00:00:00 2001
+From b06025a2e69a5a89d2ef63a2f4e7f463c92b396c Mon Sep 17 00:00:00 2001
 From: Dusty Mabe <[email protected]>
 Date: Wed, 15 Oct 2025 15:13:38 -0400
-Subject: [PATCH 3/5] osbuild/util/containers.py: drop copy when using
+Subject: [PATCH 3/5] util/containers.py: drop copy when using
  containers-storage input
 
 If we are just mounting the container then there's really no reason

src/0004-drop-remove_signatures-from-org.osbuild.container-de.patch

@@ -1,4 +1,4 @@
-From 5ff3e403868955cff2bccc0fa7335bda31e47d9e Mon Sep 17 00:00:00 2001
+From f54ca54acd3aa910b63f63bd948b3ec2dc715238 Mon Sep 17 00:00:00 2001
 From: Dusty Mabe <[email protected]>
 Date: Wed, 15 Oct 2025 15:18:43 -0400
 Subject: [PATCH 4/5] drop remove_signatures from org.osbuild.container-deploy

src/0005-tools-osbuild-mpp-support-mpp-resolve-for-org.osbuil.patch

@@ -1,4 +1,4 @@
-From ad65cf287f85729bc19b6d8e8e7f53eade379ea7 Mon Sep 17 00:00:00 2001
+From d2562f3720dc03dc52e0e43c921af64f2c8a5341 Mon Sep 17 00:00:00 2001
 From: Dusty Mabe <[email protected]>
 Date: Wed, 15 Oct 2025 15:49:55 -0400
 Subject: [PATCH 5/5] tools/osbuild-mpp: support mpp-resolve for

src/cmd-build-with-buildah.orig

@@ -0,0 +1,246 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+dn=$(dirname "$0")
+# shellcheck source=src/cmdlib.sh
+. "${dn}"/cmdlib.sh
+
+print_help() {
+    cat 1>&2 <<'EOF'
+Usage: coreos-assembler build-with-buildah
+       coreos-assembler build-with-buildah [OPTIONS]...
+
+  Build bootable container (ostree) and image base artifacts using the container runtime (buildah).
+  `cosa build` will pivot to this script when the environment variable `COREOS_ASSEMBLER_BUILD_WITH_BUILDAH` is set.
+
+  The following options are supported:
+  --version=VERSION      Use the given version instead of using versionary.
+  --versionary           Generate non-development version using versionary.
+  --direct               Run buildah directly rather than within supermin.
+  --autolock=VERSION     If no base lockfile used, create one from any arch build of `VERSION`.
+                         Note this is automatically enabled when adding to an existing multi-arch
+                         non-strict build.
+  --skip-prune           Skip pruning previous builds.
+  --strict               Only allow installing locked packages when using lockfiles.
+  --parent-build=VERSION The version that represents the parent to this build. Used for RPM diffs
+                         that get added to the meta.json
+  --force                Import a new build even if inputhash has not changed.
+EOF
+}
+
+FORCE=
+VERSION=
+VERSIONARY=
+DIRECT=
+AUTOLOCK_VERSION=
+SKIP_PRUNE=
+STRICT=
+PARENT_BUILD=
+rc=0
+options=$(getopt --options h,d --longoptions help,version:,versionary,direct,autolock:,skip-prune,parent-build:,force,strict -- "$@") || rc=$?
+[ $rc -eq 0 ] || {
+    print_help
+    exit 1
+}
+eval set -- "$options"
+while true; do
+    case "$1" in
+        -h | --help)
+            print_help
+            exit 0
+            ;;
+        --version)
+            shift
+            VERSION=$1
+            ;;
+        --versionary)
+            VERSIONARY=1
+            ;;
+        -d | --direct)
+            DIRECT=1
+            ;;
+        --autolock)
+            shift
+            AUTOLOCK_VERSION=$1
+            ;;
+        --skip-prune)
+            SKIP_PRUNE=1
+            ;;
+        --strict)
+            STRICT=1
+            ;;
+        --parent-build)
+            shift
+            PARENT_BUILD=$1
+            ;;
+        --force)
+            FORCE=1
+            ;;
+        --)
+            shift
+            break
+            ;;
+        -*)
+            fatal "$0: unrecognized option: $1"
+            ;;
+        *)
+            break
+            ;;
+    esac
+    shift
+done
+
+if [ -z "${VERSION}" ]; then
+    # let error out if file does not exist
+    if [ -z "${VERSIONARY}" ]; then
+        VERSION=$(src/config/versionary --dev)
+    else
+        VERSION=$(src/config/versionary)
+    fi
+fi
+
+build_with_buildah() {
+    echo "Building with container runtime (buildah) with VERSION=${VERSION}..."
+
+    tempdir=$(mktemp -d --tmpdir=tmp "build-with-buildah.XXXXXXXX")
+
+    # the config dir virtiofs mount is mounted ro; copy it to the tempdir
+    cp -r src/config/ "${tempdir}/src"
+    # Make sure there are no setgid/setuid bits in there.
+    # See e.g. https://github.com/coreos/fedora-coreos-tracker/issues/1003.
+    # This is analogous to the chmod we do in cmdlib.sh in the legacy path.
+    chmod -R gu-s "${tempdir}/src"
+
+    initconfig="src/config.json"
+    if [ -f "${initconfig}" ]; then
+        variant="$(jq --raw-output '."coreos-assembler.config-variant"' "${initconfig}")"
+        manifest="src/config/manifest-${variant}.yaml"
+        argsfile=build-args-${variant}.conf
+    else
+        manifest="src/config/manifest.yaml"
+        argsfile=build-args.conf
+    fi
+
+    if [ -e "builds/$VERSION/${arch}" ]; then
+        echo "Build ${VERSION} ($arch) already exists"
+        exit 0
+    fi
+
+    previous_inputhash=
+    if [ -f "builds/latest/${arch}/meta.json" ]; then
+        previous_inputhash=$(jq -r '.["coreos-assembler.oci-imported-labels"]["com.coreos.inputhash"] // ""' \
+                                 "builds/latest/${arch}/meta.json")
+        if [ -n "${previous_inputhash}" ]; then
+            echo "Previous input hash: ${previous_inputhash}"
+        fi
+    fi
+
+    # Apply autolock from another build for this version (or for another version if
+    # explicitly provided via --autolock) if no base lockfile exists.
+    lockfile="manifest-lock.${arch}.json"
+    if [ ! -f "src/config/${lockfile}" ] && { [ -n "${VERSION}" ] || [ -n "${AUTOLOCK_VERSION}" ]; }; then
+        autolockfile=$(tmprepo=tmp/repo; workdir=.;
+                       ostree init --repo="${tmprepo}" --mode=archive;
+                       generate_autolock "${AUTOLOCK_VERSION:-${VERSION}}")
+        if [ -n "${autolockfile}" ]; then
+            echo "Injecting autolock-generated ${lockfile}..."
+            cp "${autolockfile}" "${tempdir}/src/${lockfile}"
+        fi
+    fi
+
+    # Here we call prepare_git_artifacts just for its git logic, We don't
+    # actually care about the JSON file; the source of truth is in the labels.
+    prepare_git_artifacts src/config "${tempdir}/coreos-assembler-config-git.json"
+    source=$(jq -r .git.origin "${tempdir}/coreos-assembler-config-git.json")
+    commit=$(jq -r .git.commit "${tempdir}/coreos-assembler-config-git.json")
+    rm -f "${tempdir}/coreos-assembler-config-git.json"
+
+    # For the source: check if there's only one remote, if so use it with get-url
+    # For revision: rev-parse
+    set -- build --security-opt=label=disable --cap-add=all --device /dev/fuse \
+            --pull=newer --layers=true \
+            --build-arg-file "$argsfile" -v "$(realpath "${tempdir}/src")":/run/src \
+            --build-arg VERSION="${VERSION}" \
+            --label org.opencontainers.image.source="${source}" \
+            --label org.opencontainers.image.revision="${commit}"
+
+    # XXX: Temporary hack until we have https://github.com/coreos/rpm-ostree/pull/5454
+    # which would allow us to fold this back into the build process.
+    # shellcheck source=/dev/null
+    stream=$(yaml2json "$manifest" /dev/stdout | jq -r '.variables.stream')
+    if [ "${stream}" != null ]; then
+        set -- "$@" --label fedora-coreos.stream="$stream" \
+                    --annotation fedora-coreos.stream="$stream"
+    fi
+
+    if [ -d "src/yumrepos" ] && [ -e "src/yumrepos/${variant:-}.repo" ]; then
+        set -- "$@" --secret id=yumrepos,src="$(realpath "src/yumrepos/$variant.repo")" \
+                    --secret id=contentsets,src="$(realpath src/yumrepos/content_sets.yaml)" \
+                    -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro
+    fi
+
+    if [ -n "${STRICT}" ]; then
+        set -- "$@" --build-arg STRICT_MODE=1
+    fi
+
+    if [ -d overrides ]; then
+        if [ -d overrides/rpm ]; then
+            # Clean up any previous repo metadata
+            rm -rf overrides/rpm/repodata
+            if [[ -n $(ls overrides/rpm/*.rpm 2> /dev/null) ]]; then
+                # Generate new repo metadata since there are RPMs
+                (cd overrides/rpm && createrepo_c .)
+            fi
+        fi
+        set -- "$@" -v "$(realpath overrides)":/src/overrides
+    fi
+
+    # We'll also copy to an intermediate ociarchive file before
+    # passing that ociarchive to cosa import
+    tmp_oci_archive="oci-archive:$(realpath "${tempdir}/out.ociarchive")"
+
+    # Set the output tag to be something unique
+    osname=$(eval "$(grep 'NAME=' "src/config/${argsfile}")"; echo "${NAME}")
+    final_ref="containers-storage:localhost/${osname}:${VERSION}"
+    # and add the unique tag and context dir to the command
+    set -- "$@" --tag "${final_ref}" .
+
+    echo "Running:" buildah "$@"
+    if [ -n "$DIRECT" ]; then
+        cmd="bash"
+    else
+        cmd="/usr/lib/coreos-assembler/cmd-supermin-run --cache"
+    fi
+    cat <<EOF > "${tempdir}/build-with-buildah-script.sh"
+        set -euxo pipefail
+        env -C ${tempdir}/src TMPDIR=$(realpath cache) buildah $@
+        skopeo copy --quiet "${final_ref}" "${tmp_oci_archive}"
+EOF
+    chmod +x "${tempdir}/build-with-buildah-script.sh"
+    $cmd "${tempdir}/build-with-buildah-script.sh"
+
+    new_inputhash=$(skopeo inspect "${tmp_oci_archive}" | jq -r '.Labels."com.coreos.inputhash"')
+    if [ -n "${previous_inputhash}" ] && [ "$previous_inputhash" = "$new_inputhash" ]; then
+        echo "Input hash unchanged ($new_inputhash)"
+        if [ -z "$FORCE" ]; then
+            skip_import=1
+        else
+            echo "Importing new build anyway (--force)"
+        fi
+    fi
+
+    # Finally import the ociarchive, if we should
+    if [ -z "${skip_import:-}" ]; then
+<<<<<<< HEAD
+        /usr/lib/coreos-assembler/cmd-import "${final_ref}" \
+            ${PARENT_BUILD:+--parent-build=${PARENT_BUILD}} ${SKIP_PRUNE:+--skip-prune}
+=======
+        /usr/lib/coreos-assembler/cmd-import \
+            "${tmp_oci_archive}" ${SKIP_PRUNE:+--skip-prune}
+>>>>>>> 4855c1bd8 (cmd-build-with-buildah: unify more the direct and non-direct paths)
+    fi
+
+    rm -rf "${tempdir}"
+}
+
+build_with_buildah